Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261808AbTFJKEH (ORCPT ); Tue, 10 Jun 2003 06:04:07 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261785AbTFJKDS (ORCPT ); Tue, 10 Jun 2003 06:03:18 -0400 Received: from e5.ny.us.ibm.com ([32.97.182.105]:48559 "EHLO e5.ny.us.ibm.com") by vger.kernel.org with ESMTP id S261589AbTFJKBj (ORCPT ); Tue, 10 Jun 2003 06:01:39 -0400 Date: Tue, 10 Jun 2003 15:48:01 +0530 From: Dipankar Sarma To: Andrew Morton Cc: linux-kernel@vger.kernel.org, thomas@winischhofer.net Subject: Re: Misc 2.5 Fixes: cp-user-sisfb Message-ID: <20030610101801.GJ2194@in.ibm.com> Reply-To: dipankar@in.ibm.com References: <20030610100527.GA2194@in.ibm.com> <20030610100643.GB2194@in.ibm.com> <20030610100746.GC2194@in.ibm.com> <20030610100905.GD2194@in.ibm.com> <20030610100950.GE2194@in.ibm.com> <20030610101035.GF2194@in.ibm.com> <20030610101121.GG2194@in.ibm.com> <20030610101318.GH2194@in.ibm.com> <20030610101503.GI2194@in.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030610101503.GI2194@in.ibm.com> User-Agent: Mutt/1.4i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5001 Lines: 155 Fix sisfb_ioctl() to use copy_to/from routines. There may be some some changes in this patch that are ifdefed out in 2.5. Maintainers to rescue. drivers/video/sis/sis_main.c | 91 +++++++++++++++++++++++++------------------ 1 files changed, 55 insertions(+), 36 deletions(-) diff -puN drivers/video/sis/sis_main.c~cp-user-sisfb drivers/video/sis/sis_main.c --- linux-2.5.70-ds/drivers/video/sis/sis_main.c~cp-user-sisfb 2003-06-08 04:34:39.000000000 +0530 +++ linux-2.5.70-ds-dipankar/drivers/video/sis/sis_main.c 2003-06-08 12:27:49.000000000 +0530 @@ -1461,44 +1461,57 @@ static int sisfb_ioctl(struct inode *ino struct fb_info *info) { TWDEBUG("inside ioctl"); + struct sis_memreq req; + struct ap_data ap; + unsigned long a; switch (cmd) { case FBIO_ALLOC: if (!capable(CAP_SYS_RAWIO)) return -EPERM; - sis_malloc((struct sis_memreq *) arg); + if (copy_from_user(&req, (void *)arg, sizeof(req))) + return -EFAULT; + sis_malloc(&req); + if (copy_to_user((void *)arg, &req, sizeof(req))) + return -EFAULT; break; case FBIO_FREE: if (!capable(CAP_SYS_RAWIO)) return -EPERM; - sis_free(*(unsigned long *) arg); + if(get_user(a, (unsigned long *) arg)) + return -EFAULT; + sis_free(a); break; case FBIOGET_GLYPH: + /* Not in 2.5 ???? */ sis_get_glyph(info,(SIS_GLYINFO *) arg); break; case FBIOGET_HWCINFO: { unsigned long *hwc_offset = (unsigned long *) arg; - if (sisfb_caps & HW_CURSOR_CAP) - *hwc_offset = sisfb_hwcursor_vbase - - (unsigned long) ivideo.video_vbase; - else - *hwc_offset = 0; - + if (sisfb_caps & HW_CURSOR_CAP) { + if (put_user(sisfb_hwcursor_vbase - + (unsigned long) ivideo.video_vbase, + hwc_offset)) + return -EFAULT; + } else if (put_user(0UL, hwc_offset)) + return -EFAULT; break; } case FBIOPUT_MODEINFO: { - struct mode_info *x = (struct mode_info *)arg; + struct mode_info x; - ivideo.video_bpp = x->bpp; - ivideo.video_width = x->xres; - ivideo.video_height = x->yres; - ivideo.video_vwidth = x->v_xres; - ivideo.video_vheight = x->v_yres; - ivideo.org_x = x->org_x; - ivideo.org_y = x->org_y; - ivideo.refresh_rate = x->vrate; + if (copy_from_user(&x, (void *)arg, sizeof(x))) + return -EFAULT; + ivideo.video_bpp = x.bpp; + ivideo.video_width = x.xres; + ivideo.video_height = x.yres; + ivideo.video_vwidth = x.v_xres; + ivideo.video_vheight = x.v_yres; + ivideo.org_x = x.org_x; + ivideo.org_y = x.org_y; + ivideo.refresh_rate = x.vrate; ivideo.video_linelength = ivideo.video_vwidth * (ivideo.video_bpp >> 3); switch(ivideo.video_bpp) { case 8: @@ -1526,34 +1539,40 @@ static int sisfb_ioctl(struct inode *ino break; } case FBIOGET_DISPINFO: - sis_dispinfo((struct ap_data *)arg); + sis_dispinfo(&ap); + if (copy_to_user((void *)arg, &ap, sizeof(ap))) + return -EFAULT; break; case SISFB_GET_INFO: /* TW: New for communication with X driver */ { - sisfb_info *x = (sisfb_info *)arg; + sisfb_info x; - x->sisfb_id = SISFB_ID; - x->sisfb_version = VER_MAJOR; - x->sisfb_revision = VER_MINOR; - x->sisfb_patchlevel = VER_LEVEL; - x->chip_id = ivideo.chip_id; - x->memory = ivideo.video_size / 1024; - x->heapstart = ivideo.heapstart / 1024; - x->fbvidmode = sisfb_mode_no; - x->sisfb_caps = sisfb_caps; - x->sisfb_tqlen = 512; /* yet unused */ - x->sisfb_pcibus = ivideo.pcibus; - x->sisfb_pcislot = ivideo.pcislot; - x->sisfb_pcifunc = ivideo.pcifunc; - x->sisfb_lcdpdc = sisfb_detectedpdc; - x->sisfb_lcda = sisfb_detectedlcda; + x.sisfb_id = SISFB_ID; + x.sisfb_version = VER_MAJOR; + x.sisfb_revision = VER_MINOR; + x.sisfb_patchlevel = VER_LEVEL; + x.chip_id = ivideo.chip_id; + x.memory = ivideo.video_size / 1024; + x.heapstart = ivideo.heapstart / 1024; + x.fbvidmode = sisfb_mode_no; + x.sisfb_caps = sisfb_caps; + x.sisfb_tqlen = 512; /* yet unused */ + x.sisfb_pcibus = ivideo.pcibus; + x.sisfb_pcislot = ivideo.pcislot; + x.sisfb_pcifunc = ivideo.pcifunc; + x.sisfb_lcdpdc = sisfb_detectedpdc; + x.sisfb_lcda = sisfb_detectedlcda; + if (copy_to_user((void *)arg, &x, sizeof(x))) + return -EFAULT; break; } case SISFB_GET_VBRSTATUS: { unsigned long *vbrstatus = (unsigned long *) arg; - if(sisfb_CheckVBRetrace()) *vbrstatus = 1; - else *vbrstatus = 0; + if(sisfb_CheckVBRetrace()) { + return put_user(1UL, vbrstatus); + else + return put_user(0UL, vbrstatus); } default: return -EINVAL; _ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/