authorAlexander Motin <mav@FreeBSD.org>2018-09-06 14:03:10 +0000
committerAlexander Motin <mav@FreeBSD.org>2018-09-06 14:03:10 +0000
commitcae8b43e5cef6904f463b126577f2a192ae8750b (patch)
tree8dd6820a6521934fdfc9c0baf5dffa6c19e83bd7 /sys/cam/ctl
parent6ed134c41b565f6a4cf5610bf3abdba991aaa60d (diff)
Add missing copyin() to access LUN and port ioctl arguments.
Somehow this was working even after PTI went in, at least on amd64, and got broken by something only very recently. Reviewed by: araujo Approved by: re (gjb)
Notes
Notes: svn path=/head/; revision=338494
Diffstat (limited to 'sys/cam/ctl')
-rw-r--r--sys/cam/ctl/ctl.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 94bc97bc033d..2606327d3851 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -2943,8 +2943,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
}
if (lun_req->args != NULL) {
- lun_req->args_nvl = nvlist_unpack(lun_req->args,
+ packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
+ if (copyin(lun_req->args, packed, lun_req->args_len) != 0) {
+ free(packed, M_CTL);
+ lun_req->status = CTL_LUN_ERROR;
+ snprintf(lun_req->error_str, sizeof(lun_req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ lun_req->args_nvl = nvlist_unpack(packed,
lun_req->args_len, 0);
+ free(packed, M_CTL);
if (lun_req->args_nvl == NULL) {
lun_req->status = CTL_LUN_ERROR;
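Review bot: `lun_req->args_len` comes from the caller's ioctl argument and is passed straight to `malloc(lun_req->args_len, M_CTL, M_WAITOK)` with no upper bound. Any process allowed to issue this ioctl can therefore request an arbitrarily large sleeping kernel allocation before `copyin()` or `nvlist_unpack()` has a chance to reject the input. A length check ahead of the allocation, failing through the same `CTL_LUN_ERROR` path, would close that gap; the second hunk (`req->args_len` in the port ioctl) needs the same guard. The limit name in the sketch is a placeholder, since no such constant is visible in this diff. The body of ctl_ioctl starts and ends outside both hunks.

```c
if (lun_req->args != NULL) {
	/* ARGS_LEN_LIMIT_PLACEHOLDER: a driver-wide cap on packed nvlist size */
	if (lun_req->args_len > ARGS_LEN_LIMIT_PLACEHOLDER) {
		lun_req->status = CTL_LUN_ERROR;
		snprintf(lun_req->error_str, sizeof(lun_req->error_str),
		    "Args too long.");
		break;
	}
	packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);
	/* ... unchanged: copyin, nvlist_unpack, free ... */
```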
@@ -3211,8 +3220,17 @@ ctl_ioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flag,
}
if (req->args != NULL) {
- req->args_nvl = nvlist_unpack(req->args,
+ packed = malloc(req->args_len, M_CTL, M_WAITOK);
+ if (copyin(req->args, packed, req->args_len) != 0) {
+ free(packed, M_CTL);
+ req->status = CTL_LUN_ERROR;
+ snprintf(req->error_str, sizeof(req->error_str),
+ "Cannot copyin args.");
+ break;
+ }
+ req->args_nvl = nvlist_unpack(packed,
req->args_len, 0);
+ free(packed, M_CTL);
if (req->args_nvl == NULL) {
req->status = CTL_LUN_ERROR;