All of lore.kernel.org
 help / color / mirror / Atom feed
From: Hans Verkuil <hverkuil@xs4all.nl>
To: stable@vger.kernel.org
Cc: linux-media@vger.kernel.org,
	Hans Verkuil <hans.verkuil@cisco.com>,
	Mauro Carvalho Chehab <mchehab@s-opensource.com>
Subject: [PATCH for v4.9 06/13] media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
Date: Wed, 14 Feb 2018 12:48:23 +0100	[thread overview]
Message-ID: <20180214114830.27171-7-hverkuil@xs4all.nl> (raw)
In-Reply-To: <20180214114830.27171-1-hverkuil@xs4all.nl>

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 8ed5a59dcb47a6f76034ee760b36e089f3e82529 upstream.

The struct v4l2_plane32 should set m.userptr as well. The same
happens in v4l2_buffer32 and v4l2-compliance tests for this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 47 ++++++++++++++++-----------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index 64e3977ab851..2ddeecdababe 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -299,19 +299,24 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
 			 sizeof(up->data_offset)))
 		return -EFAULT;
 
-	if (memory == V4L2_MEMORY_USERPTR) {
+	switch (memory) {
+	case V4L2_MEMORY_MMAP:
+	case V4L2_MEMORY_OVERLAY:
+		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
+				 sizeof(up32->m.mem_offset)))
+			return -EFAULT;
+		break;
+	case V4L2_MEMORY_USERPTR:
 		if (get_user(p, &up32->m.userptr))
 			return -EFAULT;
 		up_pln = compat_ptr(p);
 		if (put_user((unsigned long)up_pln, &up->m.userptr))
 			return -EFAULT;
-	} else if (memory == V4L2_MEMORY_DMABUF) {
+		break;
+	case V4L2_MEMORY_DMABUF:
 		if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd)))
 			return -EFAULT;
-	} else {
-		if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
-				 sizeof(up32->m.mem_offset)))
-			return -EFAULT;
+		break;
 	}
 
 	return 0;
@@ -320,22 +325,32 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
 static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
 			    enum v4l2_memory memory)
 {
+	unsigned long p;
+
 	if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
 	    copy_in_user(&up32->data_offset, &up->data_offset,
 			 sizeof(up->data_offset)))
 		return -EFAULT;
 
-	/* For MMAP, driver might've set up the offset, so copy it back.
-	 * USERPTR stays the same (was userspace-provided), so no copying. */
-	if (memory == V4L2_MEMORY_MMAP)
+	switch (memory) {
+	case V4L2_MEMORY_MMAP:
+	case V4L2_MEMORY_OVERLAY:
 		if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
 				 sizeof(up->m.mem_offset)))
 			return -EFAULT;
-	/* For DMABUF, driver might've set up the fd, so copy it back. */
-	if (memory == V4L2_MEMORY_DMABUF)
+		break;
+	case V4L2_MEMORY_USERPTR:
+		if (get_user(p, &up->m.userptr) ||
+		    put_user((compat_ulong_t)ptr_to_compat((__force void *)p),
+			     &up32->m.userptr))
+			return -EFAULT;
+		break;
+	case V4L2_MEMORY_DMABUF:
 		if (copy_in_user(&up32->m.fd, &up->m.fd,
 				 sizeof(up->m.fd)))
 			return -EFAULT;
+		break;
+	}
 
 	return 0;
 }
@@ -395,6 +410,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
+		case V4L2_MEMORY_OVERLAY:
 			if (get_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
@@ -408,10 +424,6 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
 				kp->m.userptr = (unsigned long)compat_ptr(tmp);
 			}
 			break;
-		case V4L2_MEMORY_OVERLAY:
-			if (get_user(kp->m.offset, &up->m.offset))
-				return -EFAULT;
-			break;
 		case V4L2_MEMORY_DMABUF:
 			if (get_user(kp->m.fd, &up->m.fd))
 				return -EFAULT;
@@ -468,6 +480,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
+		case V4L2_MEMORY_OVERLAY:
 			if (put_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
@@ -475,10 +488,6 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
 			if (put_user(kp->m.userptr, &up->m.userptr))
 				return -EFAULT;
 			break;
-		case V4L2_MEMORY_OVERLAY:
-			if (put_user(kp->m.offset, &up->m.offset))
-				return -EFAULT;
-			break;
 		case V4L2_MEMORY_DMABUF:
 			if (put_user(kp->m.fd, &up->m.fd))
 				return -EFAULT;
-- 
2.15.1

  parent reply	other threads:[~2018-02-14 11:48 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-14 11:48 [PATCH for v4.9 00/13] v4l2-compat-ioctl32.c: remove set_fs(KERNEL_DS) Hans Verkuil
2018-02-14 11:48 ` [PATCH for v4.9 01/13] media: v4l2-ioctl.c: don't copy back the result for -ENOTTY Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-ioctl.c: don't copy back the result for -ENOTTY" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 02/13] media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 03/13] media: v4l2-compat-ioctl32.c: fix the indentation Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: fix the indentation" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 04/13] media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 05/13] media: v4l2-compat-ioctl32.c: avoid sizeof(type) Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: avoid sizeof(type)" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` Hans Verkuil [this message]
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32" " gregkh
2018-02-14 11:48 ` [PATCH for v4.9 07/13] media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 08/13] media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 09/13] media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 10/13] media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 11/13] media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 12/13] media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors" has been added to the 4.9-stable tree gregkh
2018-02-14 11:48 ` [PATCH for v4.9 13/13] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic Hans Verkuil
2018-02-15  7:43   ` Patch "media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic" has been added to the 4.9-stable tree gregkh
2018-02-15  7:43 ` [PATCH for v4.9 00/13] v4l2-compat-ioctl32.c: remove set_fs(KERNEL_DS) Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180214114830.27171-7-hverkuil@xs4all.nl \
    --to=hverkuil@xs4all.nl \
    --cc=hans.verkuil@cisco.com \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@s-opensource.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.