diff options
| author | Hans Verkuil <hans.verkuil@cisco.com> | 2018-01-24 05:01:31 -0500 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2018-01-30 07:28:35 -0500 |
| commit | 333b1e9f96ce05f7498b581509bb30cde03018bf (patch) | |
| tree | ae136791b2796e427870be4e82da76b81e992b2b | |
| parent | 486c521510c44a04cd756a9267e7d1e271c8a4ba (diff) | |
media: v4l2-compat-ioctl32.c: avoid sizeof(type)
Instead of doing sizeof(struct foo) use sizeof(*up). There even were
cases where 4 * sizeof(__u32) was used instead of sizeof(kp->reserved),
which is very dangerous when the size of the reserved array changes.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
| -rw-r--r-- | drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 79 |
1 files changed, 36 insertions, 43 deletions
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index c7e9d29d0e33..6c70705a48bc 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c | |||
| @@ -48,7 +48,7 @@ struct v4l2_window32 { | |||
| 48 | 48 | ||
| 49 | static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) | 49 | static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up) |
| 50 | { | 50 | { |
| 51 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) || | 51 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 52 | copy_from_user(&kp->w, &up->w, sizeof(up->w)) || | 52 | copy_from_user(&kp->w, &up->w, sizeof(up->w)) || |
| 53 | get_user(kp->field, &up->field) || | 53 | get_user(kp->field, &up->field) || |
| 54 | get_user(kp->chromakey, &up->chromakey) || | 54 | get_user(kp->chromakey, &up->chromakey) || |
| @@ -66,7 +66,7 @@ static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user | |||
| 66 | if (get_user(p, &up->clips)) | 66 | if (get_user(p, &up->clips)) |
| 67 | return -EFAULT; | 67 | return -EFAULT; |
| 68 | uclips = compat_ptr(p); | 68 | uclips = compat_ptr(p); |
| 69 | kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip)); | 69 | kclips = compat_alloc_user_space(n * sizeof(*kclips)); |
| 70 | kp->clips = kclips; | 70 | kp->clips = kclips; |
| 71 | while (--n >= 0) { | 71 | while (--n >= 0) { |
| 72 | if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c))) | 72 | if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c))) |
| @@ -164,14 +164,14 @@ static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us | |||
| 164 | 164 | ||
| 165 | static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) | 165 | static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) |
| 166 | { | 166 | { |
| 167 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32))) | 167 | if (!access_ok(VERIFY_READ, up, sizeof(*up))) |
| 168 | return -EFAULT; | 168 | return -EFAULT; |
| 169 | return __get_v4l2_format32(kp, up); | 169 | return __get_v4l2_format32(kp, up); |
| 170 | } | 170 | } |
| 171 | 171 | ||
| 172 | static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) | 172 | static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) |
| 173 | { | 173 | { |
| 174 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) || | 174 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 175 | copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))) | 175 | copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format))) |
| 176 | return -EFAULT; | 176 | return -EFAULT; |
| 177 | return __get_v4l2_format32(&kp->format, &up->format); | 177 | return __get_v4l2_format32(&kp->format, &up->format); |
| @@ -218,14 +218,14 @@ static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us | |||
| 218 | 218 | ||
| 219 | static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) | 219 | static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up) |
| 220 | { | 220 | { |
| 221 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32))) | 221 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up))) |
| 222 | return -EFAULT; | 222 | return -EFAULT; |
| 223 | return __put_v4l2_format32(kp, up); | 223 | return __put_v4l2_format32(kp, up); |
| 224 | } | 224 | } |
| 225 | 225 | ||
| 226 | static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) | 226 | static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) |
| 227 | { | 227 | { |
| 228 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || | 228 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 229 | copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) || | 229 | copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) || |
| 230 | copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) | 230 | copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) |
| 231 | return -EFAULT; | 231 | return -EFAULT; |
| @@ -244,7 +244,7 @@ struct v4l2_standard32 { | |||
| 244 | static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) | 244 | static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) |
| 245 | { | 245 | { |
| 246 | /* other fields are not set by the user, nor used by the driver */ | 246 | /* other fields are not set by the user, nor used by the driver */ |
| 247 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) || | 247 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 248 | get_user(kp->index, &up->index)) | 248 | get_user(kp->index, &up->index)) |
| 249 | return -EFAULT; | 249 | return -EFAULT; |
| 250 | return 0; | 250 | return 0; |
| @@ -252,14 +252,14 @@ static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 | |||
| 252 | 252 | ||
| 253 | static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) | 253 | static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up) |
| 254 | { | 254 | { |
| 255 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) || | 255 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 256 | put_user(kp->index, &up->index) || | 256 | put_user(kp->index, &up->index) || |
| 257 | put_user(kp->id, &up->id) || | 257 | put_user(kp->id, &up->id) || |
| 258 | copy_to_user(up->name, kp->name, 24) || | 258 | copy_to_user(up->name, kp->name, sizeof(up->name)) || |
| 259 | copy_to_user(&up->frameperiod, &kp->frameperiod, | 259 | copy_to_user(&up->frameperiod, &kp->frameperiod, |
| 260 | sizeof(kp->frameperiod)) || | 260 | sizeof(kp->frameperiod)) || |
| 261 | put_user(kp->framelines, &up->framelines) || | 261 | put_user(kp->framelines, &up->framelines) || |
| 262 | copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32))) | 262 | copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) |
| 263 | return -EFAULT; | 263 | return -EFAULT; |
| 264 | return 0; | 264 | return 0; |
| 265 | } | 265 | } |
| @@ -307,7 +307,7 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __ | |||
| 307 | 307 | ||
| 308 | if (copy_in_user(up, up32, 2 * sizeof(__u32)) || | 308 | if (copy_in_user(up, up32, 2 * sizeof(__u32)) || |
| 309 | copy_in_user(&up->data_offset, &up32->data_offset, | 309 | copy_in_user(&up->data_offset, &up32->data_offset, |
| 310 | sizeof(__u32))) | 310 | sizeof(up->data_offset))) |
| 311 | return -EFAULT; | 311 | return -EFAULT; |
| 312 | 312 | ||
| 313 | if (memory == V4L2_MEMORY_USERPTR) { | 313 | if (memory == V4L2_MEMORY_USERPTR) { |
| @@ -317,11 +317,11 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __ | |||
| 317 | if (put_user((unsigned long)up_pln, &up->m.userptr)) | 317 | if (put_user((unsigned long)up_pln, &up->m.userptr)) |
| 318 | return -EFAULT; | 318 | return -EFAULT; |
| 319 | } else if (memory == V4L2_MEMORY_DMABUF) { | 319 | } else if (memory == V4L2_MEMORY_DMABUF) { |
| 320 | if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(int))) | 320 | if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd))) |
| 321 | return -EFAULT; | 321 | return -EFAULT; |
| 322 | } else { | 322 | } else { |
| 323 | if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset, | 323 | if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset, |
| 324 | sizeof(__u32))) | 324 | sizeof(up32->m.mem_offset))) |
| 325 | return -EFAULT; | 325 | return -EFAULT; |
| 326 | } | 326 | } |
| 327 | 327 | ||
| @@ -333,19 +333,19 @@ static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __ | |||
| 333 | { | 333 | { |
| 334 | if (copy_in_user(up32, up, 2 * sizeof(__u32)) || | 334 | if (copy_in_user(up32, up, 2 * sizeof(__u32)) || |
| 335 | copy_in_user(&up32->data_offset, &up->data_offset, | 335 | copy_in_user(&up32->data_offset, &up->data_offset, |
| 336 | sizeof(__u32))) | 336 | sizeof(up->data_offset))) |
| 337 | return -EFAULT; | 337 | return -EFAULT; |
| 338 | 338 | ||
| 339 | /* For MMAP, driver might've set up the offset, so copy it back. | 339 | /* For MMAP, driver might've set up the offset, so copy it back. |
| 340 | * USERPTR stays the same (was userspace-provided), so no copying. */ | 340 | * USERPTR stays the same (was userspace-provided), so no copying. */ |
| 341 | if (memory == V4L2_MEMORY_MMAP) | 341 | if (memory == V4L2_MEMORY_MMAP) |
| 342 | if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset, | 342 | if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset, |
| 343 | sizeof(__u32))) | 343 | sizeof(up->m.mem_offset))) |
| 344 | return -EFAULT; | 344 | return -EFAULT; |
| 345 | /* For DMABUF, driver might've set up the fd, so copy it back. */ | 345 | /* For DMABUF, driver might've set up the fd, so copy it back. */ |
| 346 | if (memory == V4L2_MEMORY_DMABUF) | 346 | if (memory == V4L2_MEMORY_DMABUF) |
| 347 | if (copy_in_user(&up32->m.fd, &up->m.fd, | 347 | if (copy_in_user(&up32->m.fd, &up->m.fd, |
| 348 | sizeof(int))) | 348 | sizeof(up->m.fd))) |
| 349 | return -EFAULT; | 349 | return -EFAULT; |
| 350 | 350 | ||
| 351 | return 0; | 351 | return 0; |
| @@ -358,7 +358,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
| 358 | compat_caddr_t p; | 358 | compat_caddr_t p; |
| 359 | int ret; | 359 | int ret; |
| 360 | 360 | ||
| 361 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) || | 361 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 362 | get_user(kp->index, &up->index) || | 362 | get_user(kp->index, &up->index) || |
| 363 | get_user(kp->type, &up->type) || | 363 | get_user(kp->type, &up->type) || |
| 364 | get_user(kp->flags, &up->flags) || | 364 | get_user(kp->flags, &up->flags) || |
| @@ -370,8 +370,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
| 370 | if (get_user(kp->bytesused, &up->bytesused) || | 370 | if (get_user(kp->bytesused, &up->bytesused) || |
| 371 | get_user(kp->field, &up->field) || | 371 | get_user(kp->field, &up->field) || |
| 372 | get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || | 372 | get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || |
| 373 | get_user(kp->timestamp.tv_usec, | 373 | get_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec)) |
| 374 | &up->timestamp.tv_usec)) | ||
| 375 | return -EFAULT; | 374 | return -EFAULT; |
| 376 | 375 | ||
| 377 | if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { | 376 | if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) { |
| @@ -391,13 +390,12 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
| 391 | 390 | ||
| 392 | uplane32 = compat_ptr(p); | 391 | uplane32 = compat_ptr(p); |
| 393 | if (!access_ok(VERIFY_READ, uplane32, | 392 | if (!access_ok(VERIFY_READ, uplane32, |
| 394 | kp->length * sizeof(struct v4l2_plane32))) | 393 | kp->length * sizeof(*uplane32))) |
| 395 | return -EFAULT; | 394 | return -EFAULT; |
| 396 | 395 | ||
| 397 | /* We don't really care if userspace decides to kill itself | 396 | /* We don't really care if userspace decides to kill itself |
| 398 | * by passing a very big num_planes value */ | 397 | * by passing a very big num_planes value */ |
| 399 | uplane = compat_alloc_user_space(kp->length * | 398 | uplane = compat_alloc_user_space(kp->length * sizeof(*uplane)); |
| 400 | sizeof(struct v4l2_plane)); | ||
| 401 | kp->m.planes = (__force struct v4l2_plane *)uplane; | 399 | kp->m.planes = (__force struct v4l2_plane *)uplane; |
| 402 | 400 | ||
| 403 | for (num_planes = 0; num_planes < kp->length; num_planes++) { | 401 | for (num_planes = 0; num_planes < kp->length; num_planes++) { |
| @@ -445,7 +443,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
| 445 | int num_planes; | 443 | int num_planes; |
| 446 | int ret; | 444 | int ret; |
| 447 | 445 | ||
| 448 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) || | 446 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 449 | put_user(kp->index, &up->index) || | 447 | put_user(kp->index, &up->index) || |
| 450 | put_user(kp->type, &up->type) || | 448 | put_user(kp->type, &up->type) || |
| 451 | put_user(kp->flags, &up->flags) || | 449 | put_user(kp->flags, &up->flags) || |
| @@ -456,8 +454,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user | |||
| 456 | put_user(kp->field, &up->field) || | 454 | put_user(kp->field, &up->field) || |
| 457 | put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || | 455 | put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || |
| 458 | put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) || | 456 | put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) || |
| 459 | copy_to_user(&up->timecode, &kp->timecode, | 457 | copy_to_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) || |
| 460 | sizeof(struct v4l2_timecode)) || | ||
| 461 | put_user(kp->sequence, &up->sequence) || | 458 | put_user(kp->sequence, &up->sequence) || |
| 462 | put_user(kp->reserved2, &up->reserved2) || | 459 | put_user(kp->reserved2, &up->reserved2) || |
| 463 | put_user(kp->reserved, &up->reserved) || | 460 | put_user(kp->reserved, &up->reserved) || |
| @@ -525,7 +522,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame | |||
| 525 | { | 522 | { |
| 526 | u32 tmp; | 523 | u32 tmp; |
| 527 | 524 | ||
| 528 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) || | 525 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 529 | get_user(tmp, &up->base) || | 526 | get_user(tmp, &up->base) || |
| 530 | get_user(kp->capability, &up->capability) || | 527 | get_user(kp->capability, &up->capability) || |
| 531 | get_user(kp->flags, &up->flags) || | 528 | get_user(kp->flags, &up->flags) || |
| @@ -539,7 +536,7 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame | |||
| 539 | { | 536 | { |
| 540 | u32 tmp = (u32)((unsigned long)kp->base); | 537 | u32 tmp = (u32)((unsigned long)kp->base); |
| 541 | 538 | ||
| 542 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) || | 539 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 543 | put_user(tmp, &up->base) || | 540 | put_user(tmp, &up->base) || |
| 544 | put_user(kp->capability, &up->capability) || | 541 | put_user(kp->capability, &up->capability) || |
| 545 | put_user(kp->flags, &up->flags) || | 542 | put_user(kp->flags, &up->flags) || |
| @@ -564,14 +561,14 @@ struct v4l2_input32 { | |||
| 564 | Otherwise it is identical to the 32-bit version. */ | 561 | Otherwise it is identical to the 32-bit version. */ |
| 565 | static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) | 562 | static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) |
| 566 | { | 563 | { |
| 567 | if (copy_from_user(kp, up, sizeof(struct v4l2_input32))) | 564 | if (copy_from_user(kp, up, sizeof(*up))) |
| 568 | return -EFAULT; | 565 | return -EFAULT; |
| 569 | return 0; | 566 | return 0; |
| 570 | } | 567 | } |
| 571 | 568 | ||
| 572 | static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) | 569 | static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up) |
| 573 | { | 570 | { |
| 574 | if (copy_to_user(up, kp, sizeof(struct v4l2_input32))) | 571 | if (copy_to_user(up, kp, sizeof(*up))) |
| 575 | return -EFAULT; | 572 | return -EFAULT; |
| 576 | return 0; | 573 | return 0; |
| 577 | } | 574 | } |
| @@ -619,12 +616,11 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext | |||
| 619 | unsigned int n; | 616 | unsigned int n; |
| 620 | compat_caddr_t p; | 617 | compat_caddr_t p; |
| 621 | 618 | ||
| 622 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) || | 619 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 623 | get_user(kp->which, &up->which) || | 620 | get_user(kp->which, &up->which) || |
| 624 | get_user(kp->count, &up->count) || | 621 | get_user(kp->count, &up->count) || |
| 625 | get_user(kp->error_idx, &up->error_idx) || | 622 | get_user(kp->error_idx, &up->error_idx) || |
| 626 | copy_from_user(kp->reserved, up->reserved, | 623 | copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved))) |
| 627 | sizeof(kp->reserved))) | ||
| 628 | return -EFAULT; | 624 | return -EFAULT; |
| 629 | if (kp->count == 0) { | 625 | if (kp->count == 0) { |
| 630 | kp->controls = NULL; | 626 | kp->controls = NULL; |
| @@ -635,11 +631,9 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext | |||
| 635 | if (get_user(p, &up->controls)) | 631 | if (get_user(p, &up->controls)) |
| 636 | return -EFAULT; | 632 | return -EFAULT; |
| 637 | ucontrols = compat_ptr(p); | 633 | ucontrols = compat_ptr(p); |
| 638 | if (!access_ok(VERIFY_READ, ucontrols, | 634 | if (!access_ok(VERIFY_READ, ucontrols, kp->count * sizeof(*ucontrols))) |
| 639 | kp->count * sizeof(struct v4l2_ext_control32))) | ||
| 640 | return -EFAULT; | 635 | return -EFAULT; |
| 641 | kcontrols = compat_alloc_user_space(kp->count * | 636 | kcontrols = compat_alloc_user_space(kp->count * sizeof(*kcontrols)); |
| 642 | sizeof(struct v4l2_ext_control)); | ||
| 643 | kp->controls = (__force struct v4l2_ext_control *)kcontrols; | 637 | kp->controls = (__force struct v4l2_ext_control *)kcontrols; |
| 644 | for (n = 0; n < kp->count; n++) { | 638 | for (n = 0; n < kp->count; n++) { |
| 645 | u32 id; | 639 | u32 id; |
| @@ -671,7 +665,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext | |||
| 671 | int n = kp->count; | 665 | int n = kp->count; |
| 672 | compat_caddr_t p; | 666 | compat_caddr_t p; |
| 673 | 667 | ||
| 674 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) || | 668 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 675 | put_user(kp->which, &up->which) || | 669 | put_user(kp->which, &up->which) || |
| 676 | put_user(kp->count, &up->count) || | 670 | put_user(kp->count, &up->count) || |
| 677 | put_user(kp->error_idx, &up->error_idx) || | 671 | put_user(kp->error_idx, &up->error_idx) || |
| @@ -683,8 +677,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext | |||
| 683 | if (get_user(p, &up->controls)) | 677 | if (get_user(p, &up->controls)) |
| 684 | return -EFAULT; | 678 | return -EFAULT; |
| 685 | ucontrols = compat_ptr(p); | 679 | ucontrols = compat_ptr(p); |
| 686 | if (!access_ok(VERIFY_WRITE, ucontrols, | 680 | if (!access_ok(VERIFY_WRITE, ucontrols, n * sizeof(*ucontrols))) |
| 687 | n * sizeof(struct v4l2_ext_control32))) | ||
| 688 | return -EFAULT; | 681 | return -EFAULT; |
| 689 | 682 | ||
| 690 | while (--n >= 0) { | 683 | while (--n >= 0) { |
| @@ -721,7 +714,7 @@ struct v4l2_event32 { | |||
| 721 | 714 | ||
| 722 | static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up) | 715 | static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up) |
| 723 | { | 716 | { |
| 724 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) || | 717 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 725 | put_user(kp->type, &up->type) || | 718 | put_user(kp->type, &up->type) || |
| 726 | copy_to_user(&up->u, &kp->u, sizeof(kp->u)) || | 719 | copy_to_user(&up->u, &kp->u, sizeof(kp->u)) || |
| 727 | put_user(kp->pending, &up->pending) || | 720 | put_user(kp->pending, &up->pending) || |
| @@ -729,7 +722,7 @@ static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *u | |||
| 729 | put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || | 722 | put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || |
| 730 | put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) || | 723 | put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) || |
| 731 | put_user(kp->id, &up->id) || | 724 | put_user(kp->id, &up->id) || |
| 732 | copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32))) | 725 | copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) |
| 733 | return -EFAULT; | 726 | return -EFAULT; |
| 734 | return 0; | 727 | return 0; |
| 735 | } | 728 | } |
| @@ -746,7 +739,7 @@ static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) | |||
| 746 | { | 739 | { |
| 747 | u32 tmp; | 740 | u32 tmp; |
| 748 | 741 | ||
| 749 | if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) || | 742 | if (!access_ok(VERIFY_READ, up, sizeof(*up)) || |
| 750 | get_user(kp->pad, &up->pad) || | 743 | get_user(kp->pad, &up->pad) || |
| 751 | get_user(kp->start_block, &up->start_block) || | 744 | get_user(kp->start_block, &up->start_block) || |
| 752 | get_user(kp->blocks, &up->blocks) || | 745 | get_user(kp->blocks, &up->blocks) || |
| @@ -761,7 +754,7 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up) | |||
| 761 | { | 754 | { |
| 762 | u32 tmp = (u32)((unsigned long)kp->edid); | 755 | u32 tmp = (u32)((unsigned long)kp->edid); |
| 763 | 756 | ||
| 764 | if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) || | 757 | if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) || |
| 765 | put_user(kp->pad, &up->pad) || | 758 | put_user(kp->pad, &up->pad) || |
| 766 | put_user(kp->start_block, &up->start_block) || | 759 | put_user(kp->start_block, &up->start_block) || |
| 767 | put_user(kp->blocks, &up->blocks) || | 760 | put_user(kp->blocks, &up->blocks) || |