From patchwork Tue Apr 5 00:02:58 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Dr. David Alan Gilbert" X-Patchwork-Id: 685781 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p3500DNc032504 for ; Tue, 5 Apr 2011 00:03:04 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750807Ab1DEADE (ORCPT ); Mon, 4 Apr 2011 20:03:04 -0400 Received: from mx.treblig.org ([80.68.94.177]:58072 "EHLO mx.treblig.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750787Ab1DEADD (ORCPT ); Mon, 4 Apr 2011 20:03:03 -0400 Received: from dg by mx.treblig.org with local (Exim 4.69) (envelope-from ) id 1Q6tjW-0000aj-5E; Tue, 05 Apr 2011 01:02:58 +0100 Date: Tue, 5 Apr 2011 01:02:58 +0100 From: "Dr. David Alan Gilbert" To: bernie@plugable.com, lethal@linux-sh.org, linux-fbdev@vger.kernel.org Subject: [PATCH] udlfb.c dlfb_ops_ioctl - missing copy_from_user's - NEEDS TESTING Message-ID: <20110405000258.GA30668@gallifrey> References: <20110401194706.GA28823@gallifrey> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20110401194706.GA28823@gallifrey> X-Chocolate: 70 percent or better cocoa solids preferably X-Operating-System: Linux/2.6.32.27-kvm-i386-20110114 (i686) X-Uptime: 00:58:06 up 46 days, 1:30, 1 user, load average: 0.07, 0.02, 0.00 User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-fbdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fbdev@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Tue, 05 Apr 2011 00:03:04 +0000 (UTC) Fix __user casting in dlfb_ops_ioctl and a missing copy_from_user, and a missing & Signed-off-by: Dr. David Alan Gilbert --- NOTE! I don't have the hardware to test this; but Bernie suggested I put the patch together anyway; build and Sparse tested only -** don't ** merge without a test by a udl dev Patch is against ecb78ab6f30106ab72a575a25b1cdfd1633b7ca2 on Linus's tree a few days after 39-rc1 diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c index 2c8364e..ef7801a 100644 --- a/drivers/video/udlfb.c +++ b/drivers/video/udlfb.c @@ -751,14 +751,13 @@ static int dlfb_ops_ioctl(struct fb_info *info, unsigned int cmd, { struct dlfb_data *dev = info->par; - struct dloarea *area = NULL; if (!atomic_read(&dev->usb_active)) return 0; /* TODO: Update X server to get this from sysfs instead */ if (cmd == DLFB_IOCTL_RETURN_EDID) { - char *edid = (char *)arg; + void __user *edid = (void __user *)arg; if (copy_to_user(edid, dev->edid, dev->edid_size)) return -EFAULT; return 0; @@ -766,6 +765,11 @@ static int dlfb_ops_ioctl(struct fb_info *info, unsigned int cmd, /* TODO: Help propose a standard fb.h ioctl to report mmap damage */ if (cmd == DLFB_IOCTL_REPORT_DAMAGE) { + struct dloarea area; + + if (copy_from_user(&area, (void __user *)arg, + sizeof(struct dloarea))) + return -EFAULT; /* * If we have a damage-aware client, turn fb_defio "off" @@ -777,21 +781,19 @@ static int dlfb_ops_ioctl(struct fb_info *info, unsigned int cmd, if (info->fbdefio) info->fbdefio->delay = DL_DEFIO_WRITE_DISABLE; - area = (struct dloarea *)arg; - - if (area->x < 0) - area->x = 0; + if (area.x < 0) + area.x = 0; - if (area->x > info->var.xres) - area->x = info->var.xres; + if (area.x > info->var.xres) + area.x = info->var.xres; - if (area->y < 0) - area->y = 0; + if (area.y < 0) + area.y = 0; - if (area->y > info->var.yres) - area->y = info->var.yres; + if (area.y > info->var.yres) + area.y = info->var.yres; - dlfb_handle_damage(dev, area->x, area->y, area->w, area->h, + dlfb_handle_damage(dev, area.x, area.y, area.w, area.h, info->screen_base); } @@ -839,7 +841,7 @@ static int dlfb_ops_open(struct fb_info *info, int user) * preventing other clients (X) from working properly. Usually * not what the user wants. Fail by default with option to enable. */ - if ((user == 0) & (!console)) + if ((user == 0) && (!console)) return -EBUSY; /* If the USB device is gone, we don't accept new opens */