| 1 | According to the include/linux/watchdog.h WDIOC_SETOPTIONS is |
| 2 | classified as 'read from device' ioctl call: |
| 3 | #define WDIOC_SETOPTIONS _IOR(WATCHDOG_IOCTL_BASE, 4, int) |
| 4 | |
| 5 | However, the driver 'mpcore_wdt' performs 'copy_from_user' only if |
| 6 | _IOC_WRITE is set, thus the local variable 'uarg' which is used in |
| 7 | WDIOC_SETOPTIONS handling remains uninitialized. |
| 8 | |
| 9 | The proper way to fix this is to bind WDIOC_SETOPTIONS to _IOW, |
| 10 | but this will break compatibility. |
| 11 | So adding additional condition for performing 'copy_from_user'. |
| 12 | |
| 13 | Signed-off-by: Vitaly Kuzmichev <vkuzmichev@mvista.com> |
| 14 | --- |
| 15 | drivers/watchdog/mpcore_wdt.c | 3 ++- |
| 16 | 1 files changed, 2 insertions(+), 1 deletions(-) |
| 17 | |
| 18 | --- a/drivers/watchdog/mpcore_wdt.c |
| 19 | +++ b/drivers/watchdog/mpcore_wdt.c |
| 20 | @@ -236,7 +236,8 @@ static long mpcore_wdt_ioctl(struct file |
| 21 | if (_IOC_DIR(cmd) && _IOC_SIZE(cmd) > sizeof(uarg)) |
| 22 | return -ENOTTY; |
| 23 | |
| 24 | - if (_IOC_DIR(cmd) & _IOC_WRITE) { |
| 25 | + if ((_IOC_DIR(cmd) & _IOC_WRITE) |
| 26 | + || cmd == WDIOC_SETOPTIONS) { |
| 27 | ret = copy_from_user(&uarg, (void __user *)arg, _IOC_SIZE(cmd)); |
| 28 | if (ret) |
| 29 | return -EFAULT; |
| 30 | |
