diff options
Diffstat (limited to 'fs/xfs/xfs_ioctl.c')
| -rw-r--r-- | fs/xfs/xfs_ioctl.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index d42738deec6d..e4a4f82ea13f 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c | |||
| @@ -403,6 +403,7 @@ xfs_attrlist_by_handle( | |||
| 403 | { | 403 | { |
| 404 | int error = -ENOMEM; | 404 | int error = -ENOMEM; |
| 405 | attrlist_cursor_kern_t *cursor; | 405 | attrlist_cursor_kern_t *cursor; |
| 406 | struct xfs_fsop_attrlist_handlereq __user *p = arg; | ||
| 406 | xfs_fsop_attrlist_handlereq_t al_hreq; | 407 | xfs_fsop_attrlist_handlereq_t al_hreq; |
| 407 | struct dentry *dentry; | 408 | struct dentry *dentry; |
| 408 | char *kbuf; | 409 | char *kbuf; |
| @@ -435,6 +436,11 @@ xfs_attrlist_by_handle( | |||
| 435 | if (error) | 436 | if (error) |
| 436 | goto out_kfree; | 437 | goto out_kfree; |
| 437 | 438 | ||
| 439 | if (copy_to_user(&p->pos, cursor, sizeof(attrlist_cursor_kern_t))) { | ||
| 440 | error = -EFAULT; | ||
| 441 | goto out_kfree; | ||
| 442 | } | ||
| 443 | |||
| 438 | if (copy_to_user(al_hreq.buffer, kbuf, al_hreq.buflen)) | 444 | if (copy_to_user(al_hreq.buffer, kbuf, al_hreq.buflen)) |
| 439 | error = -EFAULT; | 445 | error = -EFAULT; |
| 440 | 446 | ||
| @@ -1379,10 +1385,11 @@ xfs_ioc_getbmap( | |||
| 1379 | unsigned int cmd, | 1385 | unsigned int cmd, |
| 1380 | void __user *arg) | 1386 | void __user *arg) |
| 1381 | { | 1387 | { |
| 1382 | struct getbmapx bmx; | 1388 | struct getbmapx bmx = { 0 }; |
| 1383 | int error; | 1389 | int error; |
| 1384 | 1390 | ||
| 1385 | if (copy_from_user(&bmx, arg, sizeof(struct getbmapx))) | 1391 | /* struct getbmap is a strict subset of struct getbmapx. */ |
| 1392 | if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags))) | ||
| 1386 | return -EFAULT; | 1393 | return -EFAULT; |
| 1387 | 1394 | ||
| 1388 | if (bmx.bmv_count < 2) | 1395 | if (bmx.bmv_count < 2) |