
From: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>

Since arg is a user pointer, so are uioc_mimd and uiocp, and hence umc is a
user pointer.  Thus reading umc->xferaddr requires dereferencing a user
pointer, which isn't safe.

Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/drivers/scsi/megaraid.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff -puN drivers/scsi/megaraid.c~267-rc3-drivers-scsi-megaraidc-user-kernel-pointer-bugs drivers/scsi/megaraid.c
--- 25/drivers/scsi/megaraid.c~267-rc3-drivers-scsi-megaraidc-user-kernel-pointer-bugs	Thu Jun 10 13:19:19 2004
+++ 25-akpm/drivers/scsi/megaraid.c	Thu Jun 10 13:19:19 2004
@@ -3815,7 +3815,8 @@ mega_n_to_m(void *arg, megacmd_t *mc)
 
 			umc = MBOX_P(uiocp);
 
-			upthru = (mega_passthru *)umc->xferaddr;
+			if (get_user(upthru, (mega_passthru **)&umc->xferaddr))
+				return (-EFAULT);
 
 			if( put_user(mc->status, (u8 *)&upthru->scsistatus) )
 				return (-EFAULT);
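Review bot: the cast in `get_user(upthru, (mega_passthru **)&umc->xferaddr)` makes get_user() fetch a pointer-sized value, but the removed line had to cast `umc->xferaddr` to a pointer, which suggests the field is an integer type rather than a pointer. If that field is narrower than a pointer on some build (a 32-bit field on a 64-bit kernel, say), this reads bytes beyond xferaddr into upthru. Reading into a local of the field's own type with get_user(tmp, &umc->xferaddr) and then casting tmp to `mega_passthru *` would keep the access width tied to the field.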
@@ -3831,7 +3832,8 @@ mega_n_to_m(void *arg, megacmd_t *mc)
 
 			umc = (megacmd_t *)uioc_mimd->mbox;
 
-			upthru = (mega_passthru *)umc->xferaddr;
+			if (get_user(upthru, (mega_passthru **)&umc->xferaddr))
+				return (-EFAULT);
 
 			if( put_user(mc->status, (u8 *)&upthru->scsistatus) )
 				return (-EFAULT);
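Review bot: in this branch umc is produced by `(megacmd_t *)uioc_mimd->mbox` and, like upthru, is still typed as an ordinary pointer, so nothing in the types prevents another direct dereference like the `umc->xferaddr` read being removed here. Marking umc and upthru as `__user` would let sparse flag such accesses. Since both branches now carry the same get_user()/put_user() sequence, a small shared helper would also keep the two copies from drifting apart.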
_
