From: David Miller <davem@davemloft.net>
Date: Tue, 11 Sep 2007 22:23:50 +0000 (-0700)
Subject: tty: termios locking functions break with new termios type
X-Git-Tag: v2.6.23-rc7~79
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f629307c857c030d5a3dd777fee37c8bb395e171;p=pandora-kernel.git

tty: termios locking functions break with new termios type

I ran into a few problems.

n_tty_ioctl() for instance:

drivers/char/tty_ioctl.c:799: error: $,1rxstruct termios$,1ry has no
member named $,1rxc_ispeed$,1ry

This is calling the copy interface that is supposed to be using
a termios2 when the new interfaces are defined, however:

	case TIOCGLCKTRMIOS:
		if (kernel_termios_to_user_termios((struct termios __user *)arg, real_tty->termios_locked))
			return -EFAULT;
		return 0;

This is going to write over the end of the userspace
structure by a few bytes, and wasn't caught by you yet
because the i386 implementation is simply copy_to_user()
which does zero type checking.

Signed-off-by: Alan Cox <alan@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

Reading git-diff-tree failed