[PATCH] scsi: 3ware: fix a missing-check bug

2018-05-05 Thread Wenwen Wang
In twl_chrdev_ioctl(), the ioctl driver command is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security che

[PATCH] scsi: 3w-xxxx: fix a missing-check bug

2018-05-05 Thread Wenwen Wang
In tw_chrdev_ioctl(), the length of the data buffer is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'data_buffer_length'. Then a security check is performed on it to make sure that the length is not more than 'TW_MAX_IOCTL_SECTORS * 512'. Otherwise, an error code

[PATCH] scsi: 3w-9xxx: fix a missing-check bug

2018-05-05 Thread Wenwen Wang
In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from the userspace pointer 'argp' and saved to the kernel object 'driver_command'. Then a security check is performed on the data buffer size indicated by 'driver_command', which is 'driver_command.buffer_length'. If the security che

[PATCH] scsi: sg: fix a missing-check bug

2018-05-05 Thread Wenwen Wang
In sg_write(), the opcode of the command is firstly copied from the userspace pointer 'buf' and saved to the kernel variable 'opcode', using the __get_user() function. The size of the command, i.e., 'cmd_size' is then calculated based on the 'opcode'. After that, the whole command, including the op

Re: [PATCH v5 0/6] firmware_loader: cleanups for v4.18

2018-05-05 Thread Krzysztof Halasa
"Luis R. Rodriguez" writes:
> So we can nuke CONFIG_WANXL_BUILD_FIRMWARE now?
I'm uncertain I understand why do you want it, or maybe what are you trying to do at all. And what use would wanxlfw.S (the assembly source) have if the option is removed?
>> It's more about delivering the .S source

Re: [PATCH 38/40] ide: remove ide_driver_proc_write

2018-05-05 Thread Eric W. Biederman
Christoph Hellwig writes:
> The driver proc file hasn't been writeable for a long time, so this is
> just dead code.
It is possible to chmod this file to get at the write method. Not that I think anyone does. It looks like this code was merged in 2.3.99-pre1 with permissions S_IFREG|S_IRUGO so

Re: [PATCH 34/40] atm: simplify procfs code

2018-05-05 Thread Eric W. Biederman
Christoph Hellwig writes:
> Use remove_proc_subtree to remove the whole subtree on cleanup, and
> unwind the registration loop into individual calls. Switch to use
> proc_create_seq where applicable.
Can you please explain why you are removing the error handling when you are unwinding the regis

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

2018-05-05 Thread Eric W. Biederman
Christoph Hellwig writes:
> The whole seq_file sequence already operates under a single RCU lock pair,
> so move the pid namespace lookup into it, and stop grabbing a reference
> and remove all kinds of boilerplate code.
This is wrong. Move task_active_pid_ns(current) from open to seq_start act

Re: [PATCH] qlogic_stub: Fixup NULL argument to host_reset()

2018-05-05 Thread kbuild test robot
/commits/Hannes-Reinecke/qlogic_stub-Fixup-NULL-argument-to-host_reset/20180505-172602
base: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next
config: parisc-allmodconfig (attached as .config)
compiler: hppa-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
reproduce: wget https