From 83626b01275d0228516b4d97da008328fc37c934 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sat, 24 Jun 2006 17:47:09 -0700 Subject: Revert "[PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer" This reverts commit 786dc1d3d7333f269e17d742886eac2188a2d9cc. As Al so eloquently points out, the patch is crap. The old code was fine, the new code was bogus. It never dereferenced a user pointer, the "->" operator was to an array member, which gives the _address_ of the member (in user space), not an actual dereference at all. Signed-off-by: Linus Torvalds --- drivers/usb/core/devio.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 3f8e06279c92..bcbeaf7101d1 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1078,9 +1078,7 @@ static int proc_submiturb(struct dev_state *ps, void __user *arg) if (copy_from_user(&uurb, arg, sizeof(uurb))) return -EFAULT; - return proc_do_submiturb(ps, &uurb, - (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, - arg); + return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg); } static int proc_unlinkurb(struct dev_state *ps, void __user *arg) @@ -1205,9 +1203,7 @@ static int proc_submiturb_compat(struct dev_state *ps, void __user *arg) if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg)) return -EFAULT; - return proc_do_submiturb(ps, &uurb, - (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, - arg); + return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg); } static int processcompl_compat(struct async *as, void __user * __user *arg) -- cgit v1.2.1