1 files changed, 216 insertions, 87 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 763d3f0a1f42..5b081cb84351 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -14,6 +14,7 @@
 #include <linux/sched.h>
 #include <linux/smp_lock.h>
 #include <linux/backing-dev.h>
+#include <linux/compat.h>
 #include <linux/mtd/mtd.h>
 #include <linux/mtd/compatmac.h>
@@ -355,6 +356,100 @@ static int otp_select_filemode(struct mtd_file_info *mfi, int mode)
 # define otp_select_filemode(f,m)       -EOPNOTSUPP
 #endif
+static int mtd_do_writeoob(struct file *file, struct mtd_info *mtd,
+        uint64_t start, uint32_t length, void __user *ptr,
+        uint32_t __user *retp)
+{
+        struct mtd_oob_ops ops;
+        uint32_t retlen;
+        int ret = 0;
+        if (!(file->f_mode & FMODE_WRITE))
+                return -EPERM;
+        if (length > 4096)
+                return -EINVAL;
+        if (!mtd->write_oob)
+                ret = -EOPNOTSUPP;
+        else
+                ret = access_ok(VERIFY_READ, ptr, length) ? 0 : EFAULT;
+        if (ret)
+                return ret;
+        ops.ooblen = length;
+        ops.ooboffs = start & (mtd->oobsize - 1);
+        ops.datbuf = NULL;
+        ops.mode = MTD_OOB_PLACE;
+        if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
+                return -EINVAL;
+        ops.oobbuf = kmalloc(length, GFP_KERNEL);
+        if (!ops.oobbuf)
+                return -ENOMEM;
+        if (copy_from_user(ops.oobbuf, ptr, length)) {
+                kfree(ops.oobbuf);
+                return -EFAULT;
+        }
+        start &= ~((uint64_t)mtd->oobsize - 1);
+        ret = mtd->write_oob(mtd, start, &ops);
+        if (ops.oobretlen > 0xFFFFFFFFU)
+                ret = -EOVERFLOW;
+        retlen = ops.oobretlen;
+        if (copy_to_user(retp, &retlen, sizeof(length)))
+                ret = -EFAULT;
+        kfree(ops.oobbuf);
+        return ret;
+}
+static int mtd_do_readoob(struct mtd_info *mtd, uint64_t start,
+        uint32_t length, void __user *ptr, uint32_t __user *retp)
+{
+        struct mtd_oob_ops ops;
+        int ret = 0;
+        if (length > 4096)
+                return -EINVAL;
+        if (!mtd->read_oob)
+                ret = -EOPNOTSUPP;
+        else
+                ret = access_ok(VERIFY_WRITE, ptr,
+                                length) ? 0 : -EFAULT;
+        if (ret)
+                return ret;
+        ops.ooblen = length;
+        ops.ooboffs = start & (mtd->oobsize - 1);
+        ops.datbuf = NULL;
+        ops.mode = MTD_OOB_PLACE;
+        if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
+                return -EINVAL;
+        ops.oobbuf = kmalloc(length, GFP_KERNEL);
+        if (!ops.oobbuf)
+                return -ENOMEM;
+        start &= ~((uint64_t)mtd->oobsize - 1);
+        ret = mtd->read_oob(mtd, start, &ops);
+        if (put_user(ops.oobretlen, retp))
+                ret = -EFAULT;
+        else if (ops.oobretlen && copy_to_user(ptr, ops.oobbuf,
+                                            ops.oobretlen))
+                ret = -EFAULT;
+        kfree(ops.oobbuf);
+        return ret;
+}
 static int mtd_ioctl(struct inode *inode, struct file *file,
                     u_int cmd, u_long arg)
 {
@@ -417,6 +512,7 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                break;
        case MEMERASE:
+        case MEMERASE64:
        {
                struct erase_info *erase;
@@ -427,20 +523,32 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                if (!erase)
                        ret = -ENOMEM;
                else {
-                        struct erase_info_user einfo;
                        wait_queue_head_t waitq;
                        DECLARE_WAITQUEUE(wait, current);
                        init_waitqueue_head(&waitq);
-                        if (copy_from_user(&einfo, argp,
+                        if (cmd == MEMERASE64) {
-                                    sizeof(struct erase_info_user))) {
+                                struct erase_info_user64 einfo64;
-                                kfree(erase);
-                                return -EFAULT;
+                                if (copy_from_user(&einfo64, argp,
+                                            sizeof(struct erase_info_user64))) {
+                                        kfree(erase);
+                                        return -EFAULT;
+                                }
+                                erase->addr = einfo64.start;
+                                erase->len = einfo64.length;
+                        } else {
+                                struct erase_info_user einfo32;
+                                if (copy_from_user(&einfo32, argp,
+                                            sizeof(struct erase_info_user))) {
+                                        kfree(erase);
+                                        return -EFAULT;
+                                }
+                                erase->addr = einfo32.start;
+                                erase->len = einfo32.length;
                        }
-                        erase->addr = einfo.start;
-                        erase->len = einfo.length;
                        erase->mtd = mtd;
                        erase->callback = mtdchar_erase_callback;
                        erase->priv = (unsigned long)&waitq;
@@ -474,100 +582,56 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
        case MEMWRITEOOB:
        {
                struct mtd_oob_buf buf;
-                struct mtd_oob_ops ops;
+                struct mtd_oob_buf __user *buf_user = argp;
-                struct mtd_oob_buf __user *user_buf = argp;
-                uint32_t retlen;
-                if(!(file->f_mode & FMODE_WRITE))
-                        return -EPERM;
-                if (copy_from_user(&buf, argp, sizeof(struct mtd_oob_buf)))
-                        return -EFAULT;
-                if (buf.length > 4096)
-                        return -EINVAL;
-                if (!mtd->write_oob)
-                        ret = -EOPNOTSUPP;
-                else
-                        ret = access_ok(VERIFY_READ, buf.ptr,
-                                        buf.length) ? 0 : EFAULT;
-                if (ret)
-                        return ret;
-                ops.ooblen = buf.length;
-                ops.ooboffs = buf.start & (mtd->oobsize - 1);
-                ops.datbuf = NULL;
-                ops.mode = MTD_OOB_PLACE;
-                if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
-                        return -EINVAL;
-                ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);
-                if (!ops.oobbuf)
-                        return -ENOMEM;
-                if (copy_from_user(ops.oobbuf, buf.ptr, buf.length)) {
-                        kfree(ops.oobbuf);
-                        return -EFAULT;
-                }
-                buf.start &= ~(mtd->oobsize - 1);
+                /* NOTE: writes return length to buf_user->length */
-                ret = mtd->write_oob(mtd, buf.start, &ops);
+                if (copy_from_user(&buf, argp, sizeof(buf)))
-                if (ops.oobretlen > 0xFFFFFFFFU)
-                        ret = -EOVERFLOW;
-                retlen = ops.oobretlen;
-                if (copy_to_user(&user_buf->length, &retlen, sizeof(buf.length)))
                        ret = -EFAULT;
+                else
-                kfree(ops.oobbuf);
+                        ret = mtd_do_writeoob(file, mtd, buf.start, buf.length,
+                                buf.ptr, &buf_user->length);
                break;
        }
        case MEMREADOOB:
        {
                struct mtd_oob_buf buf;
-                struct mtd_oob_ops ops;
+                struct mtd_oob_buf __user *buf_user = argp;
-                if (copy_from_user(&buf, argp, sizeof(struct mtd_oob_buf)))
-                        return -EFAULT;
-                if (buf.length > 4096)
-                        return -EINVAL;
-                if (!mtd->read_oob)
+                /* NOTE: writes return length to buf_user->start */
-                        ret = -EOPNOTSUPP;
+                if (copy_from_user(&buf, argp, sizeof(buf)))
+                        ret = -EFAULT;
                else
-                        ret = access_ok(VERIFY_WRITE, buf.ptr,
+                        ret = mtd_do_readoob(mtd, buf.start, buf.length,
-                                        buf.length) ? 0 : -EFAULT;
+                                buf.ptr, &buf_user->start);
-                if (ret)
+                break;
-                        return ret;
+        }
-                ops.ooblen = buf.length;
-                ops.ooboffs = buf.start & (mtd->oobsize - 1);
-                ops.datbuf = NULL;
-                ops.mode = MTD_OOB_PLACE;
-                if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
+        case MEMWRITEOOB64:
-                        return -EINVAL;
+        {
+                struct mtd_oob_buf64 buf;
+                struct mtd_oob_buf64 __user *buf_user = argp;
-                ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);
+                if (copy_from_user(&buf, argp, sizeof(buf)))
-                if (!ops.oobbuf)
+                        ret = -EFAULT;
-                        return -ENOMEM;
+                else
+                        ret = mtd_do_writeoob(file, mtd, buf.start, buf.length,
+                                (void __user *)(uintptr_t)buf.usr_ptr,
+                                &buf_user->length);
+                break;
+        }
-                buf.start &= ~(mtd->oobsize - 1);
+        case MEMREADOOB64:
-                ret = mtd->read_oob(mtd, buf.start, &ops);
+        {
+                struct mtd_oob_buf64 buf;
+                struct mtd_oob_buf64 __user *buf_user = argp;
-                if (put_user(ops.oobretlen, (uint32_t __user *)argp))
+                if (copy_from_user(&buf, argp, sizeof(buf)))
-                        ret = -EFAULT;
-                else if (ops.oobretlen && copy_to_user(buf.ptr, ops.oobbuf,
-                                                    ops.oobretlen))
                        ret = -EFAULT;
+                else
-                kfree(ops.oobbuf);
+                        ret = mtd_do_readoob(mtd, buf.start, buf.length,
+                                (void __user *)(uintptr_t)buf.usr_ptr,
+                                &buf_user->length);
                break;
        }
@@ -758,6 +822,68 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
        return ret;
 } /* memory_ioctl */
+#ifdef CONFIG_COMPAT
+struct mtd_oob_buf32 {
+        u_int32_t start;
+        u_int32_t length;
+        compat_caddr_t ptr;     /* unsigned char* */
+};
+#define MEMWRITEOOB32           _IOWR('M', 3, struct mtd_oob_buf32)
+#define MEMREADOOB32            _IOWR('M', 4, struct mtd_oob_buf32)
+static long mtd_compat_ioctl(struct file *file, unsigned int cmd,
+        unsigned long arg)
+{
+        struct inode *inode = file->f_path.dentry->d_inode;
+        struct mtd_file_info *mfi = file->private_data;
+        struct mtd_info *mtd = mfi->mtd;
+        void __user *argp = compat_ptr(arg);
+        int ret = 0;
+        lock_kernel();
+        switch (cmd) {
+        case MEMWRITEOOB32:
+        {
+                struct mtd_oob_buf32 buf;
+                struct mtd_oob_buf32 __user *buf_user = argp;
+                if (copy_from_user(&buf, argp, sizeof(buf)))
+                        ret = -EFAULT;
+                else
+                        ret = mtd_do_writeoob(file, mtd, buf.start,
+                                buf.length, compat_ptr(buf.ptr),
+                                &buf_user->length);
+                break;
+        }
+        case MEMREADOOB32:
+        {
+                struct mtd_oob_buf32 buf;
+                struct mtd_oob_buf32 __user *buf_user = argp;
+                /* NOTE: writes return length to buf->start */
+                if (copy_from_user(&buf, argp, sizeof(buf)))
+                        ret = -EFAULT;
+                else
+                        ret = mtd_do_readoob(mtd, buf.start,
+                                buf.length, compat_ptr(buf.ptr),
+                                &buf_user->start);
+                break;
+        }
+        default:
+                ret = mtd_ioctl(inode, file, cmd, (unsigned long)argp);
+        }
+        unlock_kernel();
+        return ret;
+}
+#endif /* CONFIG_COMPAT */
 /*
 * try to determine where a shared mapping can be made
 * - only supported for NOMMU at the moment (MMU can't doesn't copy private
@@ -817,6 +943,9 @@ static const struct file_operations mtd_fops = {
        .read           = mtd_read,
        .write          = mtd_write,
        .ioctl          = mtd_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl   = mtd_compat_ioctl,
+#endif
        .open           = mtd_open,
        .release        = mtd_close,
        .mmap           = mtd_mmap,

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 763d3f0a1f42..5b081cb84351 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c
@@ -14,6 +14,7 @@
14	#include <linux/sched.h>	14	#include <linux/sched.h>
15	#include <linux/smp_lock.h>	15	#include <linux/smp_lock.h>
16	#include <linux/backing-dev.h>	16	#include <linux/backing-dev.h>
		17	#include <linux/compat.h>
17		18
18	#include <linux/mtd/mtd.h>	19	#include <linux/mtd/mtd.h>
19	#include <linux/mtd/compatmac.h>	20	#include <linux/mtd/compatmac.h>
@@ -355,6 +356,100 @@ static int otp_select_filemode(struct mtd_file_info *mfi, int mode)
355	# define otp_select_filemode(f,m) -EOPNOTSUPP	356	# define otp_select_filemode(f,m) -EOPNOTSUPP
356	#endif	357	#endif
357		358
		359	static int mtd_do_writeoob(struct file file, struct mtd_info mtd,
		360	uint64_t start, uint32_t length, void __user *ptr,
		361	uint32_t __user *retp)
		362	{
		363	struct mtd_oob_ops ops;
		364	uint32_t retlen;
		365	int ret = 0;
		366
		367	if (!(file->f_mode & FMODE_WRITE))
		368	return -EPERM;
		369
		370	if (length > 4096)
		371	return -EINVAL;
		372
		373	if (!mtd->write_oob)
		374	ret = -EOPNOTSUPP;
		375	else
		376	ret = access_ok(VERIFY_READ, ptr, length) ? 0 : EFAULT;
		377
		378	if (ret)
		379	return ret;
		380
		381	ops.ooblen = length;
		382	ops.ooboffs = start & (mtd->oobsize - 1);
		383	ops.datbuf = NULL;
		384	ops.mode = MTD_OOB_PLACE;
		385
		386	if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
		387	return -EINVAL;
		388
		389	ops.oobbuf = kmalloc(length, GFP_KERNEL);
		390	if (!ops.oobbuf)
		391	return -ENOMEM;
		392
		393	if (copy_from_user(ops.oobbuf, ptr, length)) {
		394	kfree(ops.oobbuf);
		395	return -EFAULT;
		396	}
		397
		398	start &= ~((uint64_t)mtd->oobsize - 1);
		399	ret = mtd->write_oob(mtd, start, &ops);
		400
		401	if (ops.oobretlen > 0xFFFFFFFFU)
		402	ret = -EOVERFLOW;
		403	retlen = ops.oobretlen;
		404	if (copy_to_user(retp, &retlen, sizeof(length)))
		405	ret = -EFAULT;
		406
		407	kfree(ops.oobbuf);
		408	return ret;
		409	}
		410
		411	static int mtd_do_readoob(struct mtd_info *mtd, uint64_t start,
		412	uint32_t length, void __user ptr, uint32_t __user retp)
		413	{
		414	struct mtd_oob_ops ops;
		415	int ret = 0;
		416
		417	if (length > 4096)
		418	return -EINVAL;
		419
		420	if (!mtd->read_oob)
		421	ret = -EOPNOTSUPP;
		422	else
		423	ret = access_ok(VERIFY_WRITE, ptr,
		424	length) ? 0 : -EFAULT;
		425	if (ret)
		426	return ret;
		427
		428	ops.ooblen = length;
		429	ops.ooboffs = start & (mtd->oobsize - 1);
		430	ops.datbuf = NULL;
		431	ops.mode = MTD_OOB_PLACE;
		432
		433	if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
		434	return -EINVAL;
		435
		436	ops.oobbuf = kmalloc(length, GFP_KERNEL);
		437	if (!ops.oobbuf)
		438	return -ENOMEM;
		439
		440	start &= ~((uint64_t)mtd->oobsize - 1);
		441	ret = mtd->read_oob(mtd, start, &ops);
		442
		443	if (put_user(ops.oobretlen, retp))
		444	ret = -EFAULT;
		445	else if (ops.oobretlen && copy_to_user(ptr, ops.oobbuf,
		446	ops.oobretlen))
		447	ret = -EFAULT;
		448
		449	kfree(ops.oobbuf);
		450	return ret;
		451	}
		452
358	static int mtd_ioctl(struct inode inode, struct file file,	453	static int mtd_ioctl(struct inode inode, struct file file,
359	u_int cmd, u_long arg)	454	u_int cmd, u_long arg)
360	{	455	{
@@ -417,6 +512,7 @@ static int mtd_ioctl(struct inode inode, struct file file,
417	break;	512	break;
418		513
419	case MEMERASE:	514	case MEMERASE:
		515	case MEMERASE64:
420	{	516	{
421	struct erase_info *erase;	517	struct erase_info *erase;
422		518
@@ -427,20 +523,32 @@ static int mtd_ioctl(struct inode inode, struct file file,
427	if (!erase)	523	if (!erase)
428	ret = -ENOMEM;	524	ret = -ENOMEM;
429	else {	525	else {
430	struct erase_info_user einfo;
431
432	wait_queue_head_t waitq;	526	wait_queue_head_t waitq;
433	DECLARE_WAITQUEUE(wait, current);	527	DECLARE_WAITQUEUE(wait, current);
434		528
435	init_waitqueue_head(&waitq);	529	init_waitqueue_head(&waitq);
436		530
437	if (copy_from_user(&einfo, argp,	531	if (cmd == MEMERASE64) {
438	sizeof(struct erase_info_user))) {	532	struct erase_info_user64 einfo64;
439	kfree(erase);	533
440	return -EFAULT;	534	if (copy_from_user(&einfo64, argp,
		535	sizeof(struct erase_info_user64))) {
		536	kfree(erase);
		537	return -EFAULT;
		538	}
		539	erase->addr = einfo64.start;
		540	erase->len = einfo64.length;
		541	} else {
		542	struct erase_info_user einfo32;
		543
		544	if (copy_from_user(&einfo32, argp,
		545	sizeof(struct erase_info_user))) {
		546	kfree(erase);
		547	return -EFAULT;
		548	}
		549	erase->addr = einfo32.start;
		550	erase->len = einfo32.length;
441	}	551	}
442	erase->addr = einfo.start;
443	erase->len = einfo.length;
444	erase->mtd = mtd;	552	erase->mtd = mtd;
445	erase->callback = mtdchar_erase_callback;	553	erase->callback = mtdchar_erase_callback;
446	erase->priv = (unsigned long)&waitq;	554	erase->priv = (unsigned long)&waitq;
@@ -474,100 +582,56 @@ static int mtd_ioctl(struct inode inode, struct file file,
474	case MEMWRITEOOB:	582	case MEMWRITEOOB:
475	{	583	{
476	struct mtd_oob_buf buf;	584	struct mtd_oob_buf buf;
477	struct mtd_oob_ops ops;	585	struct mtd_oob_buf __user *buf_user = argp;
478	struct mtd_oob_buf __user *user_buf = argp;
479	uint32_t retlen;
480
481	if(!(file->f_mode & FMODE_WRITE))
482	return -EPERM;
483
484	if (copy_from_user(&buf, argp, sizeof(struct mtd_oob_buf)))
485	return -EFAULT;
486
487	if (buf.length > 4096)
488	return -EINVAL;
489
490	if (!mtd->write_oob)
491	ret = -EOPNOTSUPP;
492	else
493	ret = access_ok(VERIFY_READ, buf.ptr,
494	buf.length) ? 0 : EFAULT;
495
496	if (ret)
497	return ret;
498
499	ops.ooblen = buf.length;
500	ops.ooboffs = buf.start & (mtd->oobsize - 1);
501	ops.datbuf = NULL;
502	ops.mode = MTD_OOB_PLACE;
503
504	if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
505	return -EINVAL;
506
507	ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);
508	if (!ops.oobbuf)
509	return -ENOMEM;
510
511	if (copy_from_user(ops.oobbuf, buf.ptr, buf.length)) {
512	kfree(ops.oobbuf);
513	return -EFAULT;
514	}
515		586
516	buf.start &= ~(mtd->oobsize - 1);	587	/* NOTE: writes return length to buf_user->length */
517	ret = mtd->write_oob(mtd, buf.start, &ops);	588	if (copy_from_user(&buf, argp, sizeof(buf)))
518
519	if (ops.oobretlen > 0xFFFFFFFFU)
520	ret = -EOVERFLOW;
521	retlen = ops.oobretlen;
522	if (copy_to_user(&user_buf->length, &retlen, sizeof(buf.length)))
523	ret = -EFAULT;	589	ret = -EFAULT;
524		590	else
525	kfree(ops.oobbuf);	591	ret = mtd_do_writeoob(file, mtd, buf.start, buf.length,
		592	buf.ptr, &buf_user->length);
526	break;	593	break;
527
528	}	594	}
529		595
530	case MEMREADOOB:	596	case MEMREADOOB:
531	{	597	{
532	struct mtd_oob_buf buf;	598	struct mtd_oob_buf buf;
533	struct mtd_oob_ops ops;	599	struct mtd_oob_buf __user *buf_user = argp;
534
535	if (copy_from_user(&buf, argp, sizeof(struct mtd_oob_buf)))
536	return -EFAULT;
537
538	if (buf.length > 4096)
539	return -EINVAL;
540		600
541	if (!mtd->read_oob)	601	/* NOTE: writes return length to buf_user->start */
542	ret = -EOPNOTSUPP;	602	if (copy_from_user(&buf, argp, sizeof(buf)))
		603	ret = -EFAULT;
543	else	604	else
544	ret = access_ok(VERIFY_WRITE, buf.ptr,	605	ret = mtd_do_readoob(mtd, buf.start, buf.length,
545	buf.length) ? 0 : -EFAULT;	606	buf.ptr, &buf_user->start);
546	if (ret)	607	break;
547	return ret;	608	}
548
549	ops.ooblen = buf.length;
550	ops.ooboffs = buf.start & (mtd->oobsize - 1);
551	ops.datbuf = NULL;
552	ops.mode = MTD_OOB_PLACE;
553		609
554	if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))	610	case MEMWRITEOOB64:
555	return -EINVAL;	611	{
		612	struct mtd_oob_buf64 buf;
		613	struct mtd_oob_buf64 __user *buf_user = argp;
556		614
557	ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);	615	if (copy_from_user(&buf, argp, sizeof(buf)))
558	if (!ops.oobbuf)	616	ret = -EFAULT;
559	return -ENOMEM;	617	else
		618	ret = mtd_do_writeoob(file, mtd, buf.start, buf.length,
		619	(void __user *)(uintptr_t)buf.usr_ptr,
		620	&buf_user->length);
		621	break;
		622	}
560		623
561	buf.start &= ~(mtd->oobsize - 1);	624	case MEMREADOOB64:
562	ret = mtd->read_oob(mtd, buf.start, &ops);	625	{
		626	struct mtd_oob_buf64 buf;
		627	struct mtd_oob_buf64 __user *buf_user = argp;
563		628
564	if (put_user(ops.oobretlen, (uint32_t __user *)argp))	629	if (copy_from_user(&buf, argp, sizeof(buf)))
565	ret = -EFAULT;
566	else if (ops.oobretlen && copy_to_user(buf.ptr, ops.oobbuf,
567	ops.oobretlen))
568	ret = -EFAULT;	630	ret = -EFAULT;
569		631	else
570	kfree(ops.oobbuf);	632	ret = mtd_do_readoob(mtd, buf.start, buf.length,
		633	(void __user *)(uintptr_t)buf.usr_ptr,
		634	&buf_user->length);
571	break;	635	break;
572	}	636	}
573		637
@@ -758,6 +822,68 @@ static int mtd_ioctl(struct inode inode, struct file file,
758	return ret;	822	return ret;
759	} /* memory_ioctl */	823	} /* memory_ioctl */
760		824
		825	#ifdef CONFIG_COMPAT
		826
		827	struct mtd_oob_buf32 {
		828	u_int32_t start;
		829	u_int32_t length;
		830	compat_caddr_t ptr; /* unsigned char* */
		831	};
		832
		833	#define MEMWRITEOOB32 _IOWR('M', 3, struct mtd_oob_buf32)
		834	#define MEMREADOOB32 _IOWR('M', 4, struct mtd_oob_buf32)
		835
		836	static long mtd_compat_ioctl(struct file *file, unsigned int cmd,
		837	unsigned long arg)
		838	{
		839	struct inode *inode = file->f_path.dentry->d_inode;
		840	struct mtd_file_info *mfi = file->private_data;
		841	struct mtd_info *mtd = mfi->mtd;
		842	void __user *argp = compat_ptr(arg);
		843	int ret = 0;
		844
		845	lock_kernel();
		846
		847	switch (cmd) {
		848	case MEMWRITEOOB32:
		849	{
		850	struct mtd_oob_buf32 buf;
		851	struct mtd_oob_buf32 __user *buf_user = argp;
		852
		853	if (copy_from_user(&buf, argp, sizeof(buf)))
		854	ret = -EFAULT;
		855	else
		856	ret = mtd_do_writeoob(file, mtd, buf.start,
		857	buf.length, compat_ptr(buf.ptr),
		858	&buf_user->length);
		859	break;
		860	}
		861
		862	case MEMREADOOB32:
		863	{
		864	struct mtd_oob_buf32 buf;
		865	struct mtd_oob_buf32 __user *buf_user = argp;
		866
		867	/* NOTE: writes return length to buf->start */
		868	if (copy_from_user(&buf, argp, sizeof(buf)))
		869	ret = -EFAULT;
		870	else
		871	ret = mtd_do_readoob(mtd, buf.start,
		872	buf.length, compat_ptr(buf.ptr),
		873	&buf_user->start);
		874	break;
		875	}
		876	default:
		877	ret = mtd_ioctl(inode, file, cmd, (unsigned long)argp);
		878	}
		879
		880	unlock_kernel();
		881
		882	return ret;
		883	}
		884
		885	#endif /* CONFIG_COMPAT */
		886
761	/*	887	/*
762	* try to determine where a shared mapping can be made	888	* try to determine where a shared mapping can be made
763	* - only supported for NOMMU at the moment (MMU can't doesn't copy private	889	* - only supported for NOMMU at the moment (MMU can't doesn't copy private
@@ -817,6 +943,9 @@ static const struct file_operations mtd_fops = {
817	.read = mtd_read,	943	.read = mtd_read,
818	.write = mtd_write,	944	.write = mtd_write,
819	.ioctl = mtd_ioctl,	945	.ioctl = mtd_ioctl,
		946	#ifdef CONFIG_COMPAT
		947	.compat_ioctl = mtd_compat_ioctl,
		948	#endif
820	.open = mtd_open,	949	.open = mtd_open,
821	.release = mtd_close,	950	.release = mtd_close,
822	.mmap = mtd_mmap,	951	.mmap = mtd_mmap,