From: Jeff Garzik Most of the ISDN ->readstat() implementations needed to check copy_to_user() and put_user() return values. Signed-off-by: Jeff Garzik Cc: Karsten Keil Signed-off-by: Andrew Morton --- drivers/isdn/capi/capidrv.c | 3 ++- drivers/isdn/hisax/config.c | 6 ++++-- drivers/isdn/icn/icn.c | 3 ++- drivers/isdn/isdnloop/isdnloop.c | 3 ++- drivers/isdn/pcbit/drv.c | 16 ++++++++++------ 5 files changed, 20 insertions(+), 11 deletions(-) diff -puN drivers/isdn/capi/capidrv.c~isdn-check-for-userspace-copy-faults drivers/isdn/capi/capidrv.c --- a/drivers/isdn/capi/capidrv.c~isdn-check-for-userspace-copy-faults +++ a/drivers/isdn/capi/capidrv.c @@ -1907,7 +1907,8 @@ static int if_readstat(u8 __user *buf, i } for (p=buf, count=0; count < len; p++, count++) { - put_user(*card->q931_read++, p); + if (put_user(*card->q931_read++, p)) + return -EFAULT; if (card->q931_read > card->q931_end) card->q931_read = card->q931_buf; } diff -puN drivers/isdn/hisax/config.c~isdn-check-for-userspace-copy-faults drivers/isdn/hisax/config.c --- a/drivers/isdn/hisax/config.c~isdn-check-for-userspace-copy-faults +++ a/drivers/isdn/hisax/config.c @@ -631,7 +631,8 @@ static int HiSax_readstatus(u_char __use count = cs->status_end - cs->status_read + 1; if (count >= len) count = len; - copy_to_user(p, cs->status_read, count); + if (copy_to_user(p, cs->status_read, count)) + return -EFAULT; cs->status_read += count; if (cs->status_read > cs->status_end) cs->status_read = cs->status_buf; @@ -642,7 +643,8 @@ static int HiSax_readstatus(u_char __use cnt = HISAX_STATUS_BUFSIZE; else cnt = count; - copy_to_user(p, cs->status_read, cnt); + if (copy_to_user(p, cs->status_read, cnt)) + return -EFAULT; p += cnt; cs->status_read += cnt % HISAX_STATUS_BUFSIZE; count -= cnt; diff -puN drivers/isdn/icn/icn.c~isdn-check-for-userspace-copy-faults drivers/isdn/icn/icn.c --- a/drivers/isdn/icn/icn.c~isdn-check-for-userspace-copy-faults +++ a/drivers/isdn/icn/icn.c @@ -1010,7 +1010,8 @@ icn_readstatus(u_char __user *buf, int l for (p = buf, count = 0; count < len; p++, count++) { if (card->msg_buf_read == card->msg_buf_write) return count; - put_user(*card->msg_buf_read++, p); + if (put_user(*card->msg_buf_read++, p)) + return -EFAULT; if (card->msg_buf_read > card->msg_buf_end) card->msg_buf_read = card->msg_buf; } diff -puN drivers/isdn/isdnloop/isdnloop.c~isdn-check-for-userspace-copy-faults drivers/isdn/isdnloop/isdnloop.c --- a/drivers/isdn/isdnloop/isdnloop.c~isdn-check-for-userspace-copy-faults +++ a/drivers/isdn/isdnloop/isdnloop.c @@ -446,7 +446,8 @@ isdnloop_readstatus(u_char __user *buf, for (p = buf, count = 0; count < len; p++, count++) { if (card->msg_buf_read == card->msg_buf_write) return count; - put_user(*card->msg_buf_read++, p); + if (put_user(*card->msg_buf_read++, p)) + return -EFAULT; if (card->msg_buf_read > card->msg_buf_end) card->msg_buf_read = card->msg_buf; } diff -puN drivers/isdn/pcbit/drv.c~isdn-check-for-userspace-copy-faults drivers/isdn/pcbit/drv.c --- a/drivers/isdn/pcbit/drv.c~isdn-check-for-userspace-copy-faults +++ a/drivers/isdn/pcbit/drv.c @@ -725,23 +725,27 @@ static int pcbit_stat(u_char __user *buf if (stat_st < stat_end) { - copy_to_user(buf, statbuf + stat_st, len); + if (copy_to_user(buf, statbuf + stat_st, len)) + return -EFAULT; stat_st += len; } else { if (len > STATBUF_LEN - stat_st) { - copy_to_user(buf, statbuf + stat_st, - STATBUF_LEN - stat_st); - copy_to_user(buf, statbuf, - len - (STATBUF_LEN - stat_st)); + if (copy_to_user(buf, statbuf + stat_st, + STATBUF_LEN - stat_st)) + return -EFAULT; + if (copy_to_user(buf, statbuf, + len - (STATBUF_LEN - stat_st))) + return -EFAULT; stat_st = len - (STATBUF_LEN - stat_st); } else { - copy_to_user(buf, statbuf + stat_st, len); + if (copy_to_user(buf, statbuf + stat_st, len)) + return -EFAULT; stat_st += len; _