[media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In v4l2-compliance utility, test QUERYBUF required correct length
value to go through each planar to check planar's length in
multi-planar buffer type

Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: <stable@vger.kernel.org> # for v3.7 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

authored by

Tiffany Lin and committed by

Mauro Carvalho Chehab 10 years ago 7df5ab87 49fe7340

+8 -13

1 changed file

expand all

drivers

media

v4l2-core

v4l2-compat-ioctl32.c

+8 -13

drivers/media/v4l2-core/v4l2-compat-ioctl32.c

··· 415 415 get_user(kp->index, &up->index) || 416 416 get_user(kp->type, &up->type) || 417 417 get_user(kp->flags, &up->flags) || 418 - get_user(kp->memory, &up->memory)) 418 + get_user(kp->memory, &up->memory) || 419 + get_user(kp->length, &up->length)) 419 420 return -EFAULT; 420 421 421 422 if (V4L2_TYPE_IS_OUTPUT(kp->type)) ··· 428 427 return -EFAULT; 429 428 430 429 if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { 431 - if (get_user(kp->length, &up->length)) 432 - return -EFAULT; 433 - 434 430 num_planes = kp->length; 435 431 if (num_planes == 0) { 436 432 kp->m.planes = NULL; ··· 460 462 } else { 461 463 switch (kp->memory) { 462 464 case V4L2_MEMORY_MMAP: 463 - if (get_user(kp->length, &up->length) || 464 - get_user(kp->m.offset, &up->m.offset)) 465 + if (get_user(kp->m.offset, &up->m.offset)) 465 466 return -EFAULT; 466 467 break; 467 468 case V4L2_MEMORY_USERPTR: 468 469 { 469 470 compat_long_t tmp; 470 471 471 - if (get_user(kp->length, &up->length) || 472 - get_user(tmp, &up->m.userptr)) 472 + if (get_user(tmp, &up->m.userptr)) 473 473 return -EFAULT; 474 474 475 475 kp->m.userptr = (unsigned long)compat_ptr(tmp); ··· 509 513 copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || 510 514 put_user(kp->sequence, &up->sequence) || 511 515 put_user(kp->reserved2, &up->reserved2) || 512 - put_user(kp->reserved, &up->reserved)) 516 + put_user(kp->reserved, &up->reserved) || 517 + put_user(kp->length, &up->length)) 513 518 return -EFAULT; 514 519 515 520 if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { ··· 533 536 } else { 534 537 switch (kp->memory) { 535 538 case V4L2_MEMORY_MMAP: 536 - if (put_user(kp->length, &up->length) || 537 - put_user(kp->m.offset, &up->m.offset)) 539 + if (put_user(kp->m.offset, &up->m.offset)) 538 540 return -EFAULT; 539 541 break; 540 542 case V4L2_MEMORY_USERPTR: 541 - if (put_user(kp->length, &up->length) || 542 - put_user(kp->m.userptr, &up->m.userptr)) 543 + if (put_user(kp->m.userptr, &up->m.userptr)) 543 544 return -EFAULT; 544 545 break; 545 546 case V4L2_MEMORY_OVERLAY: