Change useracc() and kernacc() to use VM_PROT_{READ|WRITE|EXECUTE} for the

"rw" argument, rather than hijacking B_{READ|WRITE}.

Fix two bugs (physio & cam) resulting by the confusion caused by this.

Submitted by:   Tor.Egge@fast.no
Reviewed by:    alc, ken (partly)

4 files changed, 19 insertions, 22 deletions

diff --git a/sys/kern/kern_physio.c b/sys/kern/kern_physio.c
index 6a4034e..128283f 100644
--- a/sys/kern/kern_physio.c
+++ b/sys/kern/kern_physio.c
@@ -101,7 +101,8 @@ physio(dev_t dev, struct uio *uio, int ioflag)
 
 			if (uio->uio_segflg == UIO_USERSPACE) {
 				if (!useracc(bp->b_data, bp->b_bufsize,
-				    bp->b_flags & B_READ)) {
+				    bp->b_flags & B_READ ?
+				    VM_PROT_WRITE : VM_PROT_READ)) {
 					error = EFAULT;
 					goto doerror;
 				}
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index af6c32a..a00d7a1 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -845,13 +845,13 @@ userland_sysctl(struct proc *p, int *name, u_int namelen, void *old, size_t *old
 	}
 
 	if (old) {
-		if (!useracc(old, req.oldlen, B_WRITE))
+		if (!useracc(old, req.oldlen, VM_PROT_WRITE))
 			return (EFAULT);
 		req.oldptr= old;
 	}
 
 	if (newlen) {
-		if (!useracc(new, req.newlen, B_READ))
+		if (!useracc(new, req.newlen, VM_PROT_READ))
 			return (EFAULT);
 		req.newlen = newlen;
 		req.newptr = new;
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 032b038..7c06c50 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -276,7 +276,8 @@ nanosleep(p, uap)
 	if (error)
 		return (error);
 	if (SCARG(uap, rmtp))
-		if (!useracc((caddr_t)SCARG(uap, rmtp), sizeof(rmt), B_WRITE))
+		if (!useracc((caddr_t)SCARG(uap, rmtp), sizeof(rmt), 
+		    VM_PROT_WRITE))
 			return (EFAULT);
 	error = nanosleep1(p, &rqt, &rmt);
 	if (error && SCARG(uap, rmtp)) {
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index c1e7d9a..ea75c56 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -916,7 +916,6 @@ aio_qphysio(p, aiocbe)
 	struct aiocb *cb;
 	struct file *fp;
 	struct buf *bp;
-	int bflags;
 	struct vnode *vp;
 	struct kaioinfo *ki;
 	struct filedesc *fdp;
@@ -924,7 +923,6 @@ aio_qphysio(p, aiocbe)
 	int fd;
 	int s;
 	int cnt;
-	int rw;
 	struct cdevsw *cdev;
 
 	cb = &aiocbe->uaiocb;
@@ -996,29 +994,26 @@ aio_qphysio(p, aiocbe)
 	bp->b_dev = vp->v_rdev;
 	error = bp->b_error = 0;
 
-	if (cb->aio_lio_opcode == LIO_WRITE) {
-		rw = 0;
-		bflags = B_WRITE;
-	} else {
-		rw = 1;
-		bflags = B_READ;
-	}
-	
 	bp->b_bcount = cb->aio_nbytes;
 	bp->b_bufsize = cb->aio_nbytes;
-	bp->b_flags = B_PHYS | B_CALL | bflags;
+	bp->b_flags = B_PHYS | B_CALL;
 	bp->b_iodone = aio_physwakeup;
 	bp->b_saveaddr = bp->b_data;
 	bp->b_data = (void *) cb->aio_buf;
 	bp->b_blkno = btodb(cb->aio_offset);
 
-	if (rw && !useracc(bp->b_data, bp->b_bufsize, B_WRITE)) {
-		error = EFAULT;
-		goto doerror;
-	}
-	if (!rw && !useracc(bp->b_data, bp->b_bufsize, B_READ)) {
-		error = EFAULT;
-		goto doerror;
+	if (cb->aio_lio_opcode == LIO_WRITE) {
+		bp->b_flags |= B_WRITE;
+		if (!useracc(bp->b_data, bp->b_bufsize, VM_PROT_READ)) {
+			error = EFAULT;
+			goto doerror;
+		}
+	} else {
+		bp->b_flags |= B_READ;
+		if (!useracc(bp->b_data, bp->b_bufsize, VM_PROT_WRITE)) {
+			error = EFAULT;
+			goto doerror;
+		}
 	}
 
 	/* bring buffer into kernel space */