From: Felipe W Damasio
Check the return of copy_from_user in a few places to not use buggy structures if copy_from_user != 0. Found by smatch.
 drivers/cdrom/sjcd.c | 22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)
diff -puN drivers/cdrom/sjcd.c~sjcd-usercopy-checks drivers/cdrom/sjcd.c
--- 25/drivers/cdrom/sjcd.c~sjcd-usercopy-checks 2003-10-12 17:20:10.000000000 -0700
+++ 25-akpm/drivers/cdrom/sjcd.c 2003-10-12 17:20:10.000000000 -0700
@@ -839,8 +839,9 @@ static int sjcd_ioctl(struct block_devic
 CDROM_AUDIO_NO_STATUS;
 }
- copy_from_user(&sjcd_msf, (void *) arg,
- sizeof(sjcd_msf));
+ if (copy_from_user(&sjcd_msf, (void *) arg,
+ sizeof(sjcd_msf)))
+ return (-EFAULT);
 sjcd_playing.start.min = bin2bcd(sjcd_msf.cdmsf_min0);
@@ -890,9 +891,9 @@ static int sjcd_ioctl(struct block_devic
 sizeof(toc_entry))) == 0) {
 struct sjcd_hw_disk_info *tp;
- copy_from_user(&toc_entry, (void *) arg,
- sizeof(toc_entry));
-
+ if (copy_from_user(&toc_entry, (void *) arg,
+ sizeof(toc_entry)))
+ return (-EFAULT);
 if (toc_entry.cdte_track == CDROM_LEADOUT) tp = &sjcd_table_of_contents[0];
 else if (toc_entry.cdte_track <
@@ -945,8 +946,10 @@ static int sjcd_ioctl(struct block_devic
 sizeof(subchnl))) == 0) {
 struct sjcd_hw_qinfo q_info;
- copy_from_user(&subchnl, (void *) arg,
- sizeof(subchnl));
+ if (copy_from_user(&subchnl, (void *) arg,
+ sizeof(subchnl)))
+ return (-EFAULT);
+
 if (sjcd_get_q_info(&q_info) < 0) return (-EIO);
@@ -1002,8 +1005,9 @@ static int sjcd_ioctl(struct block_devic
 sizeof(vol_ctrl))) == 0) {
 unsigned char dummy[4];
- copy_from_user(&vol_ctrl, (void *) arg,
- sizeof(vol_ctrl));
+ if (copy_from_user(&vol_ctrl, (void *) arg,
+ sizeof(vol_ctrl)))
+ return (-EFAULT);
 sjcd_send_4_cmd(SCMD_SET_VOLUME, vol_ctrl.channel0, 0xFF, vol_ctrl.channel1, 0xFF);
_
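Review bot: In the first hunk the new `return (-EFAULT);` fires after the preceding block has already changed drive state (the `CDROM_AUDIO_NO_STATUS;` context line suggests a pause/status update happens before the copy), so a bad user pointer now leaves the drive in the changed state while the ioctl fails; moving the `copy_from_user` of `sjcd_msf` ahead of that block would keep a failed copy free of side effects. All four hunks keep casting `arg` with a plain `(void *)`; if this tree carries sparse address-space annotations the cast should be `(void __user *)` so user and kernel pointers stay distinguishable. The `... == 0) {` condition visible at the top of hunks 2–4 (presumably a verify_area/access check) now duplicates the access check that copy_from_user performs itself for the read direction, so those read-side guards could be dropped in a follow-up, while any write-side guard covering a later copy_to_user needs to stay. The third hunk adds a bare `+` blank line directly before `if (sjcd_get_q_info(&q_info) < 0)`, which likely yields two consecutive blank lines if the original blank context line remains — probably a stray. sjcd_ioctl starts and ends outside these hunks.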