tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

V4L/DVB (3352): Some fixes to compat_ioctl32

- Adds suppport or fix support for VIDIOC_ENUMSTD, VIDIOC_ENUMINPUT,
VIDIOC_G_TUNER and VIDIOC_S_TUNER.
- Fix the warnings at compile time and add checks for the pointer validity
using access_ok().
- v4l_print_ioctl() has also be added to identify possible missing ioctls.
- Has been tested on sparc64 and amd64. Other arches such as mips and hppa
are expected to work as sparc, but not tested yet.

Signed-off-by: Guy Martin <gmsoft@tuxicoman.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab@brturbo.com.br>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

authored by Guy Martin and committed by Mauro Carvalho Chehab a113bc78 f8bf134d

+259 -112
unified split
+259 -112
drivers/media/video/compat_ioctl32.c
··· 18 18 #include <linux/videodev2.h> 19 19 #include <linux/module.h> 20 20 #include <linux/smp_lock.h> 21 + #include <media/v4l2-common.h> 21 22 22 23 #ifdef CONFIG_COMPAT 24 + 25 + 23 26 struct video_tuner32 { 24 27 compat_int_t tuner; 25 28 char name[32]; ··· 33 30 34 31 static int get_video_tuner32(struct video_tuner *kp, struct video_tuner32 __user *up) 35 32 { 36 - if(get_user(kp->tuner, &up->tuner)) 33 + if(!access_ok(VERIFY_READ, up, sizeof(struct video_tuner32)) || 34 + get_user(kp->tuner, &up->tuner) || 35 + copy_from_user(kp->name, up->name, 32) || 36 + get_user(kp->rangelow, &up->rangelow) || 37 + get_user(kp->rangehigh, &up->rangehigh) || 38 + get_user(kp->flags, &up->flags) || 39 + get_user(kp->mode, &up->mode) || 40 + get_user(kp->signal, &up->signal)) 37 41 return -EFAULT; 38 - __copy_from_user(kp->name, up->name, 32); 39 - __get_user(kp->rangelow, &up->rangelow); 40 - __get_user(kp->rangehigh, &up->rangehigh); 41 - __get_user(kp->flags, &up->flags); 42 - __get_user(kp->mode, &up->mode); 43 - __get_user(kp->signal, &up->signal); 44 42 return 0; 45 43 } 46 44 47 45 static int put_video_tuner32(struct video_tuner *kp, struct video_tuner32 __user *up) 48 46 { 49 - if(put_user(kp->tuner, &up->tuner)) 50 - return -EFAULT; 51 - __copy_to_user(up->name, kp->name, 32); 52 - __put_user(kp->rangelow, &up->rangelow); 53 - __put_user(kp->rangehigh, &up->rangehigh); 54 - __put_user(kp->flags, &up->flags); 55 - __put_user(kp->mode, &up->mode); 56 - __put_user(kp->signal, &up->signal); 47 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct video_tuner32)) || 48 + put_user(kp->tuner, &up->tuner) || 49 + copy_to_user(up->name, kp->name, 32) || 50 + put_user(kp->rangelow, &up->rangelow) || 51 + put_user(kp->rangehigh, &up->rangehigh) || 52 + put_user(kp->flags, &up->flags) || 53 + put_user(kp->mode, &up->mode) || 54 + put_user(kp->signal, &up->signal)) 55 + return -EFAULT; 57 56 return 0; 58 57 } 59 58 ··· 68 63 { 69 64 u32 tmp; 70 65 71 - if (get_user(tmp, &up->base)) 72 - return -EFAULT; 66 + if (!access_ok(VERIFY_READ, up, sizeof(struct video_buffer32)) || 67 + get_user(tmp, &up->base) || 68 + get_user(kp->height, &up->height) || 69 + get_user(kp->width, &up->width) || 70 + get_user(kp->depth, &up->depth) || 71 + get_user(kp->bytesperline, &up->bytesperline)) 72 + return -EFAULT; 73 73 74 74 /* This is actually a physical address stored 75 75 * as a void pointer. 76 76 */ 77 77 kp->base = (void *)(unsigned long) tmp; 78 78 79 - __get_user(kp->height, &up->height); 80 - __get_user(kp->width, &up->width); 81 - __get_user(kp->depth, &up->depth); 82 - __get_user(kp->bytesperline, &up->bytesperline); 83 79 return 0; 84 80 } 85 81 ··· 88 82 { 89 83 u32 tmp = (u32)((unsigned long)kp->base); 90 84 91 - if(put_user(tmp, &up->base)) 92 - return -EFAULT; 93 - __put_user(kp->height, &up->height); 94 - __put_user(kp->width, &up->width); 95 - __put_user(kp->depth, &up->depth); 96 - __put_user(kp->bytesperline, &up->bytesperline); 85 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct video_buffer32)) || 86 + put_user(tmp, &up->base) || 87 + put_user(kp->height, &up->height) || 88 + put_user(kp->width, &up->width) || 89 + put_user(kp->depth, &up->depth) || 90 + put_user(kp->bytesperline, &up->bytesperline)) 91 + return -EFAULT; 97 92 return 0; 98 93 } 99 94 ··· 128 121 /* You get back everything except the clips... */ 129 122 static int put_video_window32(struct video_window *kp, struct video_window32 __user *up) 130 123 { 131 - if(put_user(kp->x, &up->x)) 132 - return -EFAULT; 133 - __put_user(kp->y, &up->y); 134 - __put_user(kp->width, &up->width); 135 - __put_user(kp->height, &up->height); 136 - __put_user(kp->chromakey, &up->chromakey); 137 - __put_user(kp->flags, &up->flags); 138 - __put_user(kp->clipcount, &up->clipcount); 124 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct video_window32)) || 125 + put_user(kp->x, &up->x) || 126 + put_user(kp->y, &up->y) || 127 + put_user(kp->width, &up->width) || 128 + put_user(kp->height, &up->height) || 129 + put_user(kp->chromakey, &up->chromakey) || 130 + put_user(kp->flags, &up->flags) || 131 + put_user(kp->clipcount, &up->clipcount)) 132 + return -EFAULT; 139 133 return 0; 140 134 } 141 135 ··· 158 150 159 151 static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) 160 152 { 161 - if (copy_from_user(&kp->w, &up->w, sizeof(up->w))) 162 - return -EFAULT; 163 - __get_user(kp->field, &up->field); 164 - __get_user(kp->chromakey, &up->chromakey); 165 - __get_user(kp->clipcount, &up->clipcount); 153 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) || 154 + copy_from_user(&kp->w, &up->w, sizeof(up->w)) || 155 + get_user(kp->field, &up->field) || 156 + get_user(kp->chromakey, &up->chromakey) || 157 + get_user(kp->clipcount, &up->clipcount)) 158 + return -EFAULT; 166 159 if (kp->clipcount > 2048) 167 160 return -EINVAL; 168 161 if (kp->clipcount) { ··· 174 165 kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); 175 166 kp->clips = kclips; 176 167 while (--n >= 0) { 177 - copy_from_user(&kclips->c, &uclips->c, sizeof(uclips->c)); 168 + if (!access_ok(VERIFY_READ, &uclips->c, sizeof(uclips->c)) || 169 + copy_from_user(&kclips->c, &uclips->c, sizeof(uclips->c))) 170 + return -EFAULT; 178 171 kclips->next = n ? kclips + 1 : 0; 179 172 uclips += 1; 180 173 kclips += 1; ··· 188 177 189 178 static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) 190 179 { 191 - if (copy_to_user(&up->w, &kp->w, sizeof(up->w))) 192 - return -EFAULT; 193 - __put_user(kp->field, &up->field); 194 - __put_user(kp->chromakey, &up->chromakey); 195 - __put_user(kp->clipcount, &up->clipcount); 180 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_window32)) || 181 + copy_to_user(&up->w, &kp->w, sizeof(up->w)) || 182 + put_user(kp->field, &up->field) || 183 + put_user(kp->chromakey, &up->chromakey) || 184 + put_user(kp->clipcount, &up->clipcount)) 185 + return -EFAULT; 196 186 return 0; 197 187 } 198 188 199 189 static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) 200 190 { 201 - return copy_from_user(kp, up, sizeof(struct v4l2_pix_format)); 191 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_pix_format)) || 192 + copy_from_user(kp, up, sizeof(struct v4l2_pix_format))) 193 + return -EFAULT; 194 + return 0; 202 195 } 203 196 204 197 static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up) 205 198 { 206 - return copy_to_user(up, kp, sizeof(struct v4l2_pix_format)); 199 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_pix_format)) || 200 + copy_to_user(up, kp, sizeof(struct v4l2_pix_format))) 201 + return -EFAULT; 202 + return 0; 207 203 } 208 204 209 205 static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) 210 206 { 211 - return copy_from_user(kp, up, sizeof(struct v4l2_vbi_format)); 207 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_vbi_format)) || 208 + copy_from_user(kp, up, sizeof(struct v4l2_vbi_format))) 209 + return -EFAULT; 210 + return 0; 212 211 } 213 212 214 213 static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up) 215 214 { 216 - return copy_to_user(up, kp, sizeof(struct v4l2_vbi_format)); 215 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_vbi_format)) || 216 + copy_to_user(up, kp, sizeof(struct v4l2_vbi_format))) 217 + return -EFAULT; 218 + return 0; 217 219 } 218 220 219 221 struct v4l2_format32 ··· 243 219 244 220 static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 245 221 { 246 - if(get_user(kp->type, &up->type)) 247 - return -EFAULT; 222 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) || 223 + get_user(kp->type, &up->type)) 224 + return -EFAULT; 248 225 switch (kp->type) { 249 226 case V4L2_BUF_TYPE_VIDEO_CAPTURE: 250 227 return get_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix); ··· 262 237 263 238 static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) 264 239 { 265 - if(put_user(kp->type, &up->type)) 240 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)) || 241 + put_user(kp->type, &up->type)) 266 242 return -EFAULT; 267 243 switch (kp->type) { 268 244 case V4L2_BUF_TYPE_VIDEO_CAPTURE: ··· 275 249 default: 276 250 return -ENXIO; 277 251 } 252 + } 253 + 254 + static inline int get_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) 255 + { 256 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard)) || 257 + copy_from_user(kp, up, sizeof(struct v4l2_standard))) 258 + return -EFAULT; 259 + return 0; 260 + 261 + } 262 + 263 + static inline int put_v4l2_standard(struct v4l2_standard *kp, struct v4l2_standard __user *up) 264 + { 265 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard)) || 266 + copy_to_user(up, kp, sizeof(struct v4l2_standard))) 267 + return -EFAULT; 268 + return 0; 278 269 } 279 270 280 271 struct v4l2_standard32 ··· 307 264 static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) 308 265 { 309 266 /* other fields are not set by the user, nor used by the driver */ 310 - return get_user(kp->index, &up->index); 267 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) || 268 + get_user(kp->index, &up->index)) 269 + return -EFAULT; 270 + return 0; 311 271 } 312 272 313 273 static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) 314 274 { 315 - if(put_user(kp->index, &up->index)) 316 - return -EFAULT; 317 - __copy_to_user(up->id, &kp->id, sizeof(__u64)); 318 - __copy_to_user(up->name, kp->name, 24); 319 - __put_user(kp->frameperiod, &up->frameperiod); 320 - __put_user(kp->framelines, &up->framelines); 321 - __copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)); 275 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || 276 + put_user(kp->index, &up->index) || 277 + copy_to_user(up->id, &kp->id, sizeof(__u64)) || 278 + copy_to_user(up->name, kp->name, 24) || 279 + copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) || 280 + put_user(kp->framelines, &up->framelines) || 281 + copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32))) 282 + return -EFAULT; 283 + return 0; 284 + } 285 + 286 + static inline int get_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) 287 + { 288 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_tuner)) || 289 + copy_from_user(kp, up, sizeof(struct v4l2_tuner))) 290 + return -EFAULT; 291 + return 0; 292 + 293 + } 294 + 295 + static inline int put_v4l2_tuner(struct v4l2_tuner *kp, struct v4l2_tuner __user *up) 296 + { 297 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_tuner)) || 298 + copy_to_user(up, kp, sizeof(struct v4l2_tuner))) 299 + return -EFAULT; 322 300 return 0; 323 301 } 324 302 ··· 368 304 static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up) 369 305 { 370 306 371 - if (get_user(kp->index, &up->index)) 372 - return -EFAULT; 373 - __get_user(kp->type, &up->type); 374 - __get_user(kp->flags, &up->flags); 375 - __get_user(kp->memory, &up->memory); 376 - __get_user(kp->input, &up->input); 307 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) || 308 + get_user(kp->index, &up->index) || 309 + get_user(kp->type, &up->type) || 310 + get_user(kp->flags, &up->flags) || 311 + get_user(kp->memory, &up->memory) || 312 + get_user(kp->input, &up->input)) 313 + return -EFAULT; 377 314 switch(kp->memory) { 378 315 case V4L2_MEMORY_MMAP: 379 316 break; ··· 382 317 { 383 318 unsigned long tmp = (unsigned long)compat_ptr(up->m.userptr); 384 319 385 - __get_user(kp->length, &up->length); 386 - __get_user(kp->m.userptr, &tmp); 320 + if(get_user(kp->length, &up->length) || 321 + get_user(kp->m.userptr, &tmp)) 322 + return -EFAULT; 387 323 } 388 324 break; 389 325 case V4L2_MEMORY_OVERLAY: 390 - __get_user(kp->m.offset, &up->m.offset); 326 + if(get_user(kp->m.offset, &up->m.offset)) 327 + return -EFAULT; 391 328 break; 392 329 } 393 330 return 0; ··· 397 330 398 331 static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up) 399 332 { 400 - if (put_user(kp->index, &up->index)) 401 - return -EFAULT; 402 - __put_user(kp->type, &up->type); 403 - __put_user(kp->flags, &up->flags); 404 - __put_user(kp->memory, &up->memory); 405 - __put_user(kp->input, &up->input); 333 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) || 334 + put_user(kp->index, &up->index) || 335 + put_user(kp->type, &up->type) || 336 + put_user(kp->flags, &up->flags) || 337 + put_user(kp->memory, &up->memory) || 338 + put_user(kp->input, &up->input)) 339 + return -EFAULT; 406 340 switch(kp->memory) { 407 341 case V4L2_MEMORY_MMAP: 408 - __put_user(kp->length, &up->length); 409 - __put_user(kp->m.offset, &up->m.offset); 342 + if (put_user(kp->length, &up->length) || 343 + put_user(kp->m.offset, &up->m.offset)) 344 + return -EFAULT; 410 345 break; 411 346 case V4L2_MEMORY_USERPTR: 412 - __put_user(kp->length, &up->length); 413 - __put_user(kp->m.userptr, &up->m.userptr); 347 + if (put_user(kp->length, &up->length) || 348 + put_user(kp->m.userptr, &up->m.userptr)) 349 + return -EFAULT; 414 350 break; 415 351 case V4L2_MEMORY_OVERLAY: 416 - __put_user(kp->m.offset, &up->m.offset); 352 + if (put_user(kp->m.offset, &up->m.offset)) 353 + return -EFAULT; 417 354 break; 418 355 } 419 - __put_user(kp->bytesused, &up->bytesused); 420 - __put_user(kp->field, &up->field); 421 - __put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec); 422 - __put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec); 423 - __copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)); 424 - __put_user(kp->sequence, &up->sequence); 425 - __put_user(kp->reserved, &up->reserved); 356 + if (put_user(kp->bytesused, &up->bytesused) || 357 + put_user(kp->field, &up->field) || 358 + put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || 359 + put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) || 360 + copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) || 361 + put_user(kp->sequence, &up->sequence) || 362 + put_user(kp->reserved, &up->reserved)) 363 + return -EFAULT; 426 364 return 0; 427 365 } 428 366 ··· 443 371 { 444 372 u32 tmp; 445 373 446 - if (get_user(tmp, &up->base)) 447 - return -EFAULT; 374 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) || 375 + get_user(tmp, &up->base) || 376 + get_user(kp->capability, &up->capability) || 377 + get_user(kp->flags, &up->flags)) 378 + return -EFAULT; 448 379 kp->base = compat_ptr(tmp); 449 - __get_user(kp->capability, &up->capability); 450 - __get_user(kp->flags, &up->flags); 451 380 get_v4l2_pix_format(&kp->fmt, &up->fmt); 452 381 return 0; 453 382 } ··· 457 384 { 458 385 u32 tmp = (u32)((unsigned long)kp->base); 459 386 460 - if(put_user(tmp, &up->base)) 461 - return -EFAULT; 462 - __put_user(kp->capability, &up->capability); 463 - __put_user(kp->flags, &up->flags); 387 + if(!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) || 388 + put_user(tmp, &up->base) || 389 + put_user(kp->capability, &up->capability) || 390 + put_user(kp->flags, &up->flags)) 391 + return -EFAULT; 464 392 put_v4l2_pix_format(&kp->fmt, &up->fmt); 465 393 return 0; 466 394 } 467 395 468 - struct v4l2_input32 /* identical layout, but different size */ 396 + static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) 469 397 { 470 - __u32 index; /* Which input */ 471 - __u8 name[32]; /* Label */ 472 - __u32 type; /* Type of input */ 473 - __u32 audioset; /* Associated audios (bitfield) */ 474 - __u32 tuner; /* Associated tuner */ 475 - __u32 std[2]; /* __u64 would get the padding wrong */ 476 - __u32 status; 477 - __u32 reserved[4]; 478 - }; 398 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input) - 4) || 399 + copy_from_user(kp, up, sizeof(struct v4l2_input) - 4)) 400 + return -EFAULT; 401 + return 0; 402 + } 403 + 404 + static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input __user *up) 405 + { 406 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input) - 4) || 407 + copy_to_user(up, kp, sizeof(struct v4l2_input) - 4)) 408 + return -EFAULT; 409 + return 0; 410 + } 411 + 412 + static inline int get_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) 413 + { 414 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_input)) || 415 + copy_from_user(kp, up, sizeof(struct v4l2_input))) 416 + return -EFAULT; 417 + return 0; 418 + } 419 + 420 + static inline int put_v4l2_input(struct v4l2_input *kp, struct v4l2_input __user *up) 421 + { 422 + if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_input)) || 423 + copy_to_user(up, kp, sizeof(struct v4l2_input))) 424 + return -EFAULT; 425 + return 0; 426 + } 479 427 480 428 #define VIDIOCGTUNER32 _IOWR('v',4, struct video_tuner32) 481 429 #define VIDIOCSTUNER32 _IOW('v',5, struct video_tuner32) ··· 507 413 #define VIDIOCGFREQ32 _IOR('v',14, u32) 508 414 #define VIDIOCSFREQ32 _IOW('v',15, u32) 509 415 416 + /* VIDIOC_ENUMINPUT32 is VIDIOC_ENUMINPUT minus 4 bytes of padding alignement */ 417 + #define VIDIOC_ENUMINPUT32 VIDIOC_ENUMINPUT - _IOC(0, 0, 0, 4) 510 418 #define VIDIOC_G_FMT32 _IOWR ('V', 4, struct v4l2_format32) 511 419 #define VIDIOC_S_FMT32 _IOWR ('V', 5, struct v4l2_format32) 512 420 #define VIDIOC_QUERYBUF32 _IOWR ('V', 9, struct v4l2_buffer32) ··· 521 425 #define VIDIOC_STREAMON32 _IOW ('V', 18, compat_int_t) 522 426 #define VIDIOC_STREAMOFF32 _IOW ('V', 19, compat_int_t) 523 427 #define VIDIOC_ENUMSTD32 _IOWR ('V', 25, struct v4l2_standard32) 524 - #define VIDIOC_ENUMINPUT32 _IOWR ('V', 26, struct v4l2_input32) 525 428 /* VIDIOC_S_CTRL is now _IOWR, but was _IOW */ 526 429 #define VIDIOC_S_CTRL32 _IOW ('V', 28, struct v4l2_control) 527 430 #define VIDIOC_G_INPUT32 _IOR ('V', 38, compat_int_t) ··· 538 443 struct video_clip __user *p; 539 444 int nclips; 540 445 u32 n; 446 + 447 + if (!access_ok(VERIFY_READ, up, sizeof(struct video_window32))) 448 + return -EFAULT; 541 449 542 450 if (get_user(nclips, &up->clipcount)) 543 451 return -EFAULT; ··· 574 476 return -EINVAL; 575 477 for (i = 0; i < nclips; i++, u++, p++) { 576 478 s32 v; 577 - if (get_user(v, &u->x) || 479 + if (!access_ok(VERIFY_READ, u, sizeof(struct video_clip32)) || 480 + !access_ok(VERIFY_WRITE, p, sizeof(struct video_clip32)) || 481 + get_user(v, &u->x) || 578 482 put_user(v, &p->x) || 579 483 get_user(v, &u->y) || 580 484 put_user(v, &p->y) || ··· 602 502 struct v4l2_buffer v2b; 603 503 struct v4l2_framebuffer v2fb; 604 504 struct v4l2_standard v2s; 505 + struct v4l2_input v2i; 506 + struct v4l2_tuner v2t; 605 507 unsigned long vx; 606 508 } karg; 607 509 void __user *up = compat_ptr(arg); 608 510 int compatible_arg = 1; 609 511 int err = 0; 512 + int realcmd = cmd; 610 513 611 514 /* First, convert the command. */ 612 515 switch(cmd) { ··· 630 527 case VIDIOC_G_FBUF32: cmd = VIDIOC_G_FBUF; break; 631 528 case VIDIOC_S_FBUF32: cmd = VIDIOC_S_FBUF; break; 632 529 case VIDIOC_OVERLAY32: cmd = VIDIOC_OVERLAY; break; 633 - case VIDIOC_ENUMSTD32: cmd = VIDIOC_ENUMSTD; break; 634 - case VIDIOC_ENUMINPUT32: cmd = VIDIOC_ENUMINPUT; break; 530 + case VIDIOC_ENUMSTD32: realcmd = VIDIOC_ENUMSTD; break; 531 + case VIDIOC_ENUMINPUT32: realcmd = VIDIOC_ENUMINPUT; break; 635 532 case VIDIOC_S_CTRL32: cmd = VIDIOC_S_CTRL; break; 636 533 case VIDIOC_G_INPUT32: cmd = VIDIOC_G_INPUT; break; 637 534 case VIDIOC_S_INPUT32: cmd = VIDIOC_S_INPUT; break; ··· 680 577 break; 681 578 682 579 case VIDIOC_ENUMSTD: 580 + err = get_v4l2_standard(&karg.v2s, up); 581 + compatible_arg = 0; 582 + break; 583 + 584 + case VIDIOC_ENUMSTD32: 683 585 err = get_v4l2_standard32(&karg.v2s, up); 586 + compatible_arg = 0; 587 + break; 588 + 589 + case VIDIOC_ENUMINPUT: 590 + err = get_v4l2_input(&karg.v2i, up); 591 + compatible_arg = 0; 592 + break; 593 + 594 + case VIDIOC_ENUMINPUT32: 595 + err = get_v4l2_input32(&karg.v2i, up); 596 + compatible_arg = 0; 597 + break; 598 + 599 + case VIDIOC_G_TUNER: 600 + case VIDIOC_S_TUNER: 601 + err = get_v4l2_tuner(&karg.v2t, up); 684 602 compatible_arg = 0; 685 603 break; 686 604 ··· 717 593 goto out; 718 594 719 595 if(compatible_arg) 720 - err = native_ioctl(file, cmd, (unsigned long)up); 596 + err = native_ioctl(file, realcmd, (unsigned long)up); 721 597 else { 722 598 mm_segment_t old_fs = get_fs(); 723 599 724 600 set_fs(KERNEL_DS); 725 - err = native_ioctl(file, cmd, (unsigned long)&karg); 601 + err = native_ioctl(file, realcmd, (unsigned long)&karg); 726 602 set_fs(old_fs); 727 603 } 728 604 if(err == 0) { ··· 756 632 break; 757 633 758 634 case VIDIOC_ENUMSTD: 635 + err = put_v4l2_standard(&karg.v2s, up); 636 + break; 637 + 638 + case VIDIOC_ENUMSTD32: 759 639 err = put_v4l2_standard32(&karg.v2s, up); 640 + break; 641 + 642 + case VIDIOC_G_TUNER: 643 + case VIDIOC_S_TUNER: 644 + err = put_v4l2_tuner(&karg.v2t, up); 645 + break; 646 + 647 + case VIDIOC_ENUMINPUT: 648 + err = put_v4l2_input(&karg.v2i, up); 649 + break; 650 + 651 + case VIDIOC_ENUMINPUT32: 652 + err = put_v4l2_input32(&karg.v2i, up); 760 653 break; 761 654 762 655 case VIDIOCGFREQ: ··· 820 679 case VIDIOC_G_PARM: 821 680 case VIDIOC_G_STD: 822 681 case VIDIOC_S_STD: 682 + case VIDIOC_G_TUNER: 683 + case VIDIOC_S_TUNER: 684 + case VIDIOC_ENUMSTD: 823 685 case VIDIOC_ENUMSTD32: 686 + case VIDIOC_ENUMINPUT: 824 687 case VIDIOC_ENUMINPUT32: 825 688 case VIDIOC_G_CTRL: 826 689 case VIDIOC_S_CTRL32: ··· 863 718 case _IOR('v' , BASE_VIDIOCPRIVATE+7, int): 864 719 ret = native_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); 865 720 break; 721 + default: 722 + v4l_print_ioctl("compat_ioctl32", cmd); 866 723 } 867 724 return ret; 868 725 }