linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Arnd Bergmann <arnd@kernel.org>
Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	"Lad, Prabhakar" <prabhakar.csengg@gmail.com>,
	Eduardo Valentin <edubezval@gmail.com>,
	Sakari Ailus <sakari.ailus@linux.intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Vaibhav Gupta <vaibhavgupta40@gmail.com>,
	Liu Shixin <liushixin2@huawei.com>,
	Jacopo Mondi <jacopo+renesas@jmondi.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-staging@lists.linux.dev, stable@vger.kernel.org
Subject: Re: [PATCH v3 8/8] media: subdev: disallow ioctl for saa6588/davinci
Date: Mon, 14 Jun 2021 20:21:05 +0300	[thread overview]
Message-ID: <YMeQARKbdVIZ8Rp9@pendragon.ideasonboard.com> (raw)
In-Reply-To: <20210614103409.3154127-9-arnd@kernel.org>

Hi Arnd,

Thank you for the patch.

On Mon, Jun 14, 2021 at 12:34:09PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> The saa6588_ioctl() function expects to get called from other kernel
> functions with a 'saa6588_command' pointer, but I found nothing stops it
> from getting called from user space instead, which seems rather dangerous.
> 
> The same thing happens in the davinci vpbe driver with its VENC_GET_FLD
> command.
> 
> As a quick fix, add a separate .command() callback pointer for this
> driver and change the two callers over to that.  This change can easily
> get backported to stable kernels if necessary, but since there are only
> two drivers, we may want to eventually replace this with a set of more
> specialized callbacks in the long run.
> 
> Fixes: c3fda7f835b0 ("V4L/DVB (10537): saa6588: convert to v4l2_subdev.")
> Cc: stable@vger.kernel.org
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> ---
>  drivers/media/i2c/saa6588.c                   | 4 ++--
>  drivers/media/pci/bt8xx/bttv-driver.c         | 6 +++---
>  drivers/media/pci/saa7134/saa7134-video.c     | 6 +++---
>  drivers/media/platform/davinci/vpbe_display.c | 2 +-
>  drivers/media/platform/davinci/vpbe_venc.c    | 6 ++----
>  include/media/v4l2-subdev.h                   | 4 ++++
>  6 files changed, 15 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/media/i2c/saa6588.c b/drivers/media/i2c/saa6588.c
> index ecb491d5f2ab..d1e0716bdfff 100644
> --- a/drivers/media/i2c/saa6588.c
> +++ b/drivers/media/i2c/saa6588.c
> @@ -380,7 +380,7 @@ static void saa6588_configure(struct saa6588 *s)
>  
>  /* ---------------------------------------------------------------------- */
>  
> -static long saa6588_ioctl(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
> +static long saa6588_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
>  {
>  	struct saa6588 *s = to_saa6588(sd);
>  	struct saa6588_command *a = arg;
> @@ -433,7 +433,7 @@ static int saa6588_s_tuner(struct v4l2_subdev *sd, const struct v4l2_tuner *vt)
>  /* ----------------------------------------------------------------------- */
>  
>  static const struct v4l2_subdev_core_ops saa6588_core_ops = {
> -	.ioctl = saa6588_ioctl,
> +	.command = saa6588_command,
>  };
>  
>  static const struct v4l2_subdev_tuner_ops saa6588_tuner_ops = {
> diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
> index 1f62a9d8ea1d..0e9df8b35ac6 100644
> --- a/drivers/media/pci/bt8xx/bttv-driver.c
> +++ b/drivers/media/pci/bt8xx/bttv-driver.c
> @@ -3179,7 +3179,7 @@ static int radio_release(struct file *file)
>  
>  	btv->radio_user--;
>  
> -	bttv_call_all(btv, core, ioctl, SAA6588_CMD_CLOSE, &cmd);
> +	bttv_call_all(btv, core, command, SAA6588_CMD_CLOSE, &cmd);
>  
>  	if (btv->radio_user == 0)
>  		btv->has_radio_tuner = 0;
> @@ -3260,7 +3260,7 @@ static ssize_t radio_read(struct file *file, char __user *data,
>  	cmd.result = -ENODEV;
>  	radio_enable(btv);
>  
> -	bttv_call_all(btv, core, ioctl, SAA6588_CMD_READ, &cmd);
> +	bttv_call_all(btv, core, command, SAA6588_CMD_READ, &cmd);
>  
>  	return cmd.result;
>  }
> @@ -3281,7 +3281,7 @@ static __poll_t radio_poll(struct file *file, poll_table *wait)
>  	cmd.instance = file;
>  	cmd.event_list = wait;
>  	cmd.poll_mask = res;
> -	bttv_call_all(btv, core, ioctl, SAA6588_CMD_POLL, &cmd);
> +	bttv_call_all(btv, core, command, SAA6588_CMD_POLL, &cmd);
>  
>  	return cmd.poll_mask;
>  }
> diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c
> index 0f9d6b9edb90..374c8e1087de 100644
> --- a/drivers/media/pci/saa7134/saa7134-video.c
> +++ b/drivers/media/pci/saa7134/saa7134-video.c
> @@ -1181,7 +1181,7 @@ static int video_release(struct file *file)
>  
>  	saa_call_all(dev, tuner, standby);
>  	if (vdev->vfl_type == VFL_TYPE_RADIO)
> -		saa_call_all(dev, core, ioctl, SAA6588_CMD_CLOSE, &cmd);
> +		saa_call_all(dev, core, command, SAA6588_CMD_CLOSE, &cmd);
>  	mutex_unlock(&dev->lock);
>  
>  	return 0;
> @@ -1200,7 +1200,7 @@ static ssize_t radio_read(struct file *file, char __user *data,
>  	cmd.result = -ENODEV;
>  
>  	mutex_lock(&dev->lock);
> -	saa_call_all(dev, core, ioctl, SAA6588_CMD_READ, &cmd);
> +	saa_call_all(dev, core, command, SAA6588_CMD_READ, &cmd);
>  	mutex_unlock(&dev->lock);
>  
>  	return cmd.result;
> @@ -1216,7 +1216,7 @@ static __poll_t radio_poll(struct file *file, poll_table *wait)
>  	cmd.event_list = wait;
>  	cmd.poll_mask = 0;
>  	mutex_lock(&dev->lock);
> -	saa_call_all(dev, core, ioctl, SAA6588_CMD_POLL, &cmd);
> +	saa_call_all(dev, core, command, SAA6588_CMD_POLL, &cmd);
>  	mutex_unlock(&dev->lock);
>  
>  	return rc | cmd.poll_mask;
> diff --git a/drivers/media/platform/davinci/vpbe_display.c b/drivers/media/platform/davinci/vpbe_display.c
> index d19bad997f30..bf3c3e76b921 100644
> --- a/drivers/media/platform/davinci/vpbe_display.c
> +++ b/drivers/media/platform/davinci/vpbe_display.c
> @@ -47,7 +47,7 @@ static int venc_is_second_field(struct vpbe_display *disp_dev)
>  
>  	ret = v4l2_subdev_call(vpbe_dev->venc,
>  			       core,
> -			       ioctl,
> +			       command,
>  			       VENC_GET_FLD,
>  			       &val);
>  	if (ret < 0) {
> diff --git a/drivers/media/platform/davinci/vpbe_venc.c b/drivers/media/platform/davinci/vpbe_venc.c
> index 8caa084e5704..bde241c26d79 100644
> --- a/drivers/media/platform/davinci/vpbe_venc.c
> +++ b/drivers/media/platform/davinci/vpbe_venc.c
> @@ -521,9 +521,7 @@ static int venc_s_routing(struct v4l2_subdev *sd, u32 input, u32 output,
>  	return ret;
>  }
>  
> -static long venc_ioctl(struct v4l2_subdev *sd,
> -			unsigned int cmd,
> -			void *arg)
> +static long venc_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
>  {
>  	u32 val;
>  
> @@ -542,7 +540,7 @@ static long venc_ioctl(struct v4l2_subdev *sd,
>  }
>  
>  static const struct v4l2_subdev_core_ops venc_core_ops = {
> -	.ioctl      = venc_ioctl,
> +	.command      = venc_command,
>  };
>  
>  static const struct v4l2_subdev_video_ops venc_video_ops = {
> diff --git a/include/media/v4l2-subdev.h b/include/media/v4l2-subdev.h
> index 42aa1f6c7c3f..115b1e41e933 100644
> --- a/include/media/v4l2-subdev.h
> +++ b/include/media/v4l2-subdev.h
> @@ -162,6 +162,9 @@ struct v4l2_subdev_io_pin_config {
>   * @s_gpio: set GPIO pins. Very simple right now, might need to be extended with
>   *	a direction argument if needed.
>   *
> + * @command: called by in-kernel drivers in order to call functions internal
> + *	   to subdev drivers driver that have a separate callback.
> + *
>   * @ioctl: called at the end of ioctl() syscall handler at the V4L2 core.
>   *	   used to provide support for private ioctls used on the driver.
>   *
> @@ -193,6 +196,7 @@ struct v4l2_subdev_core_ops {
>  	int (*load_fw)(struct v4l2_subdev *sd);
>  	int (*reset)(struct v4l2_subdev *sd, u32 val);
>  	int (*s_gpio)(struct v4l2_subdev *sd, u32 val);
> +	long (*command)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
>  	long (*ioctl)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
>  #ifdef CONFIG_COMPAT
>  	long (*compat_ioctl32)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);

-- 
Regards,

Laurent Pinchart

      reply	other threads:[~2021-06-14 17:21 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-14 10:34 [PATCH v3 0/7] media: v4l2: compat ioctl fixes Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 1/8] media: v4l2-core: ignore native time32 ioctls on 64-bit Arnd Bergmann
2021-06-14 13:24   ` Andy Shevchenko
2021-06-14 16:50   ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input data Arnd Bergmann
2021-06-14 16:56   ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 3/8] media: v4l2-core: fix whitespace damage in video_get_user() Arnd Bergmann
2021-06-14 16:58   ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 4/8] media: subdev: remove VIDIOC_DQEVENT_TIME32 handling Arnd Bergmann
2021-06-14 17:02   ` Laurent Pinchart
2021-06-15  8:43     ` Arnd Bergmann
2021-06-15  8:48       ` Hans Verkuil
2021-06-15  9:30         ` Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 5/8] media: v4l2-core: return -ENODEV from ioctl when not registered Arnd Bergmann
2021-06-14 17:04   ` Laurent Pinchart
2021-06-14 17:04   ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 6/8] media: atomisp: remove compat_ioctl32 code Arnd Bergmann
2021-06-14 17:07   ` Laurent Pinchart
2021-06-14 10:34 ` [PATCH v3 7/8] media: subdev: fix compat_ioctl32 Arnd Bergmann
2021-06-14 17:18   ` Laurent Pinchart
2021-06-15  8:26     ` Hans Verkuil
2021-06-15  8:39       ` Arnd Bergmann
2021-06-14 10:34 ` [PATCH v3 8/8] media: subdev: disallow ioctl for saa6588/davinci Arnd Bergmann
2021-06-14 17:21   ` Laurent Pinchart [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YMeQARKbdVIZ8Rp9@pendragon.ideasonboard.com \
    --to=laurent.pinchart@ideasonboard.com \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=arnd@kernel.org \
    --cc=edubezval@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hverkuil-cisco@xs4all.nl \
    --cc=jacopo+renesas@jmondi.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=linux-staging@lists.linux.dev \
    --cc=liushixin2@huawei.com \
    --cc=mchehab@kernel.org \
    --cc=prabhakar.csengg@gmail.com \
    --cc=sakari.ailus@linux.intel.com \
    --cc=stable@vger.kernel.org \
    --cc=vaibhavgupta40@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).