Hi,
In the raw1394 driver the failure handling for
a __copy_to_user call is missing.
With friendly regards,
Takis
--
K.U.Leuven, Mechanical Eng., Mechatronics & Robotics Research Group
http://people.mech.kuleuven.ac.be/~pissaris/
diff -pruN linux-2.6.11/drivers/ieee1394/raw1394.c linux-2.6.11-pi/drivers/ieee1394/raw1394.c
--- linux-2.6.11/drivers/ieee1394/raw1394.c 2005-03-02 11:44:26.000000000 +0100
+++ linux-2.6.11-pi/drivers/ieee1394/raw1394.c 2005-03-02 11:47:38.000000000 +0100
@@ -443,7 +443,8 @@ static ssize_t raw1394_read(struct file
req->req.error = RAW1394_ERROR_MEMFAULT;
}
}
- __copy_to_user(buffer, &req->req, sizeof(req->req));
+ if (__copy_to_user(buffer, &req->req, sizeof(req->req)))
+ return -EFAULT;
free_pending_request(req);
return sizeof(struct raw1394_request);
