[CHECKER] aacraid user pointer use

From: Hollis Blanchard (hollisb@us.ibm.com)
Date: Fri May 30 2003 - 11:01:55 EST


Stanford checker said:
---------------------------------------------------------
[BUG] at least bad programming practice. file_operations.ioctl ->
aac_cfg_ioctl -> aac_do_ioctl -> close_getadapter_fib ->
aac_close_fib_context. All other functions called by aac_do_ioctl assume
arg is a user pointer. It is unknown what will happen.

/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:277:aac_close_fib_context:
ERROR:TAINTED:277:277: dereferencing tainted ptr 'fibctx' [Callstack:
/home/junfeng/linux-2.5.63/drivers/scsi/sg.c:1002:aac_cfg_ioctl((tainted 3)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/linit.c:671:aac_do_ioctl((tainted 2)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:421:close_getadapter_fib((tainted 1)) ->
/home/junfeng/linux-2.5.63/drivers/scsi/aacraid/commctrl.c:348:aac_close_fib_context((tainted 1))]

	while (!list_empty(&fibctx->fibs)) {
		struct list_head * entry;
		/*
		 * Pull the next fib from the fibs
		 */

Error --->
		entry = fibctx->fibs.next;
		list_del(entry);
		fib = list_entry(entry, struct hw_fib, header.FibLinks);
		fibctx->count--;
---------------------------------------------------------

As it turns out, the driver is fine. It is dereferencing a user-supplied pointer (fibctx), but it keeps a list of valid structures and has already made sure fibctx is one of them before using it. This is in contrast to the PCMCIA code, which uses a magic number to verify (as discussed yesterday) rather than keeping a list of all valid pointers.

The attached aacraid patch may help the checker, and should be functionally equivalent... but isn't necessary.

--
Hollis Blanchard
IBM Linux Technology Center

Attachment: aacraid-userptr.diff
Description: Binary data
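The membership check the mail credits the driver with, as an added user-space model (not aacraid's code; all names are hypothetical): the ioctl argument is treated as an opaque value and compared against a registry of contexts the driver itself created, so only a known-good context is ever dereferenced or freed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed user-space model of the pattern the mail describes: the
 * driver keeps a registry of every context it handed out, and an ioctl
 * argument is compared by value against that registry before it is ever
 * dereferenced. All names are hypothetical, not aacraid's own. */
struct fib_context {
    struct fib_context *next;   /* registry link */
    int count;                  /* stands in for fibctx->count */
};
struct adapter { struct fib_context *contexts; };
static struct adapter g_dev;    /* single adapter used by the demo */
/* Allocate a context and record it so it can be validated later. */
struct fib_context *open_context(struct adapter *dev)
{
    struct fib_context *ctx = calloc(1, sizeof(*ctx));
    if (!ctx)
        return NULL;
    ctx->next = dev->contexts;
    dev->contexts = ctx;
    return ctx;
}

/* Validate an untrusted handle by address comparison only: the tainted
 * value is never dereferenced, so a forged handle cannot fault or alias
 * another object. Returns the registered context or NULL. */
struct fib_context *lookup_context(struct adapter *dev, uintptr_t tainted)
{
    for (struct fib_context *c = dev->contexts; c; c = c->next)
        if ((uintptr_t)c == tainted)
            return c;
    return NULL;
}

/* Model of close_getadapter_fib: only a registered context is unlinked
 * and freed; anything else is rejected without being touched. */
int close_context(struct adapter *dev, uintptr_t tainted)
{
    struct fib_context *ctx = lookup_context(dev, tainted);
    if (!ctx)
        return -EINVAL;
    struct fib_context **pp = &dev->contexts;
    while (*pp != ctx)
        pp = &(*pp)->next;
    *pp = ctx->next;
    free(ctx);
    return 0;
}
```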