From 55e400ac8868564b76f5d1d910f6f463485fc7e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Duval?= Date: Mon, 27 Sep 2021 16:14:17 +0200 Subject: [PATCH] usb_disk: fix SMAP violation for B_GET_MEDIA_STATUS ioctl should fix #17283. To be tested. Change-Id: If594129a6e16b50c314efa2a7bb1d18e01cdad15 Reviewed-on: https://review.haiku-os.org/c/haiku/+/4505 Tested-by: Commit checker robot Reviewed-by: waddlesplash (cherry picked from commit 407f08de2918062ba13df638ae294461f2a50efb) Reviewed-on: https://review.haiku-os.org/c/haiku/+/4576 Reviewed-by: Alex von Gluck IV Reviewed-by: Adrien Destugues --- .../kernel/drivers/disk/usb/usb_disk/usb_disk.cpp | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/add-ons/kernel/drivers/disk/usb/usb_disk/usb_disk.cpp b/src/add-ons/kernel/drivers/disk/usb/usb_disk/usb_disk.cpp index 4660a87d1f..00ae1b2744 100644 --- a/src/add-ons/kernel/drivers/disk/usb/usb_disk/usb_disk.cpp +++ b/src/add-ons/kernel/drivers/disk/usb/usb_disk/usb_disk.cpp @@ -18,6 +18,7 @@ #include #include +#include #include #include "scsi_sense.h" @@ -1794,18 +1795,24 @@ usb_disk_ioctl(void *cookie, uint32 op, void *buffer, size_t length) case B_GET_MEDIA_STATUS: { err_act action = err_act_ok; + status_t ready; for (uint32 tries = 0; tries < 3; tries++) { - status_t ready = usb_disk_test_unit_ready(lun, &action); + ready = usb_disk_test_unit_ready(lun, &action); if (ready == B_OK || ready == B_DEV_NO_MEDIA || (action != err_act_retry && action != err_act_many_retries)) { - *(status_t *)buffer = ready; + if (IS_USER_ADDRESS(buffer)) { + if (user_memcpy(buffer, &ready, sizeof(status_t)) != B_OK) + return B_BAD_ADDRESS; + } else if (is_called_via_syscall()) { + return B_BAD_ADDRESS; + } else + *(status_t *)buffer = ready; break; } snooze(500000); } - TRACE("B_GET_MEDIA_STATUS: 0x%08" B_PRIx32 "\n", - *(status_t *)buffer); + TRACE("B_GET_MEDIA_STATUS: 0x%08" B_PRIx32 "\n", ready); return B_OK; }