Revert "[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer"
This reverts commit 786dc1d3d7333f269e17d742886eac2188a2d9cc.
As Al so eloquently points out, the patch is crap. The old code was fine,
the new code was bogus.
It never dereferenced a user pointer, the "->" operator was to an array
member, which gives the _address_ of the member (in user space), not an
actual dereference at all.
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3f8e062..bcbeaf7 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1078,9 +1078,7 @@
if (copy_from_user(&uurb, arg, sizeof(uurb)))
return -EFAULT;
- return proc_do_submiturb(ps, &uurb,
- (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
- arg);
+ return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg);
}
static int proc_unlinkurb(struct dev_state *ps, void __user *arg)
@@ -1205,9 +1203,7 @@
if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg))
return -EFAULT;
- return proc_do_submiturb(ps, &uurb,
- (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc,
- arg);
+ return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg);
}
static int processcompl_compat(struct async *as, void __user * __user *arg)