fedora core 6 1.2949 + vserver 2.2.0

[linux-2.6.git] / fs / coda / upcall.c

diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c
index 569e144..a5b5e63 100644 (file)
--- a/fs/coda/upcall.c
+++ b/fs/coda/upcall.c
@@ -15,7 +15,6 @@
  */
 
 #include <asm/system.h>
-#include <asm/signal.h>
 #include <linux/signal.h>
 
 #include <linux/types.h>
@@ -331,7 +330,7 @@ int venus_rename(struct super_block *sb, struct CodaFid *old_fid,
 }
 
 int venus_create(struct super_block *sb, struct CodaFid *dirfid, 
-                const char *name, int length, int excl, int mode, dev_t rdev,
+                const char *name, int length, int excl, int mode,
                 struct CodaFid *newfid, struct coda_vattr *attrs) 
 {
         union inputArgs *inp;
@@ -345,7 +344,6 @@ int venus_create(struct super_block *sb, struct CodaFid *dirfid,
 
         inp->coda_create.VFid = *dirfid;
         inp->coda_create.attr.va_mode = mode;
-        inp->coda_create.attr.va_rdev = huge_encode_dev(rdev);
        inp->coda_create.excl = excl;
         inp->coda_create.mode = mode;
         inp->coda_create.name = offset;
@@ -555,6 +553,11 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
                goto exit;
         }
 
+        if (data->vi.out_size > VC_MAXDATASIZE) {
+               error = -EINVAL;
+               goto exit;
+       }
+
         inp->coda_ioctl.VFid = *fid;
     
         /* the cmd field was mutated by increasing its size field to
@@ -583,25 +586,32 @@ int venus_pioctl(struct super_block *sb, struct CodaFid *fid,
                       error, coda_f2s(fid));
                goto exit; 
        }
+
+       if (outsize < (long)outp->coda_ioctl.data + outp->coda_ioctl.len) {
+               error = -EINVAL;
+               goto exit;
+       }
         
        /* Copy out the OUT buffer. */
         if (outp->coda_ioctl.len > data->vi.out_size) {
                error = -EINVAL;
-        } else {
-               if (copy_to_user(data->vi.out, 
-                                (char *)outp + (long)outp->coda_ioctl.data, 
-                                data->vi.out_size)) {
-                       error = -EFAULT;
-                       goto exit;
-               }
+               goto exit;
         }
 
+       /* Copy out the OUT buffer. */
+       if (copy_to_user(data->vi.out,
+                        (char *)outp + (long)outp->coda_ioctl.data,
+                        outp->coda_ioctl.len)) {
+               error = -EFAULT;
+               goto exit;
+       }
+
  exit:
        CODA_FREE(inp, insize);
        return error;
 }
 
-int venus_statfs(struct super_block *sb, struct kstatfs *sfs) 
+int venus_statfs(struct dentry *dentry, struct kstatfs *sfs)
 { 
         union inputArgs *inp;
         union outputArgs *outp;
@@ -610,7 +620,7 @@ int venus_statfs(struct super_block *sb, struct kstatfs *sfs)
        insize = max_t(unsigned int, INSIZE(statfs), OUTSIZE(statfs));
        UPARG(CODA_STATFS);
 
-        error = coda_upcall(coda_sbp(sb), insize, &outsize, inp);
+        error = coda_upcall(coda_sbp(dentry->d_sb), insize, &outsize, inp);
        
         if (!error) {
                sfs->f_blocks = outp->coda_statfs.stat.f_blocks;
@@ -715,7 +725,7 @@ static int coda_upcall(struct coda_sb_info *sbi,
        ((union inputArgs *)buffer)->ih.unique = req->uc_unique;
 
        /* Append msg to pending queue and poke Venus. */
-       list_add(&(req->uc_chain), vcommp->vc_pending.prev);
+       list_add_tail(&(req->uc_chain), &vcommp->vc_pending);
         
        wake_up_interruptible(&vcommp->vc_waitq);
        /* We can be interrupted while we wait for Venus to process