Date: Fri, 11 Jun 2004 06:31:07 +0200
From: Luca Risolia <luca.risolia@studio.unibo.it>
To: linux-usb-devel@lists.sourceforge.net,
       viro@parcelfarce.linux.theplanet.co.uk, greg@kroah.com
Cc: rtjohnso@eecs.berkeley.edu, linux-kernel@vger.kernel.org
Subject: [linux-usb-devel] Re: Finding user/kernel pointer bugs [no html]
Message-Id: <20040611063107.0c62e2f8.luca.risolia@studio.unibo.it>
In-Reply-To: <E1BYXuJ-0006vd-RU@sc8-sf-list1.sourceforge.net>
References: <E1BYXuJ-0006vd-RU@sc8-sf-list1.sourceforge.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1320
Lines: 38

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>                    unsigned int cmd, void* arg)
>  {
>  	struct w9968cf_device* cam;
> +	void __user *user_arg = (void __user *)arg;

The right place to apply this patch is in video_usercopy().

When video_usercopy() is used in the ioctl() method, there is no need
to dereference the arg pointer in ioctl() itself, since one of the purposes
of video_usercopy() is to do this work for us.

Please have a look at definition of the function in videodev.c.

int
video_usercopy(struct inode *inode, struct file *file,
               unsigned int cmd, unsigned long arg,
               int (*func)(struct inode *inode, struct file *file,
                           unsigned int cmd, unsigned void *arg))

What you have patched in your patch is the function pointed
by "func" above, which should already receive the __user pointer to arg.

Luca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAyTWLmdpdKvzmNaQRAhDuAJ0e8okB48LQUaHnxZsSS0ZFTmuxRQCgnYqZ
WECeSegLUG5WDyUArFcByKU=
=u+vB
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/