From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: linux-media@vger.kernel.org,
Daniel Mentz <danielmentz@google.com>,
Hans Verkuil <hans.verkuil@cisco.com>,
stable@vger.kernel.org
Subject: Re: [PATCHv2 10/13] v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
Date: Tue, 30 Jan 2018 16:28:17 +0200
Message-ID: <4863902.8Pkeng1b4R@avalon>
In-Reply-To: <20180130102701.13664-11-hverkuil@xs4all.nl>

Hi Hans,

Thank you for the patch.

On Tuesday, 30 January 2018 12:26:58 EET Hans Verkuil wrote:
> From: Hans Verkuil <hans.verkuil@cisco.com>
>
> put_v4l2_window32() didn't copy back the clip list to userspace.
> Drivers can update the clip rectangles, so this should be done.
>
> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
> Cc: <stable@vger.kernel.org> # for v4.15 and up
> ---
> drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 59
> ++++++++++++++++++--------- 1 file changed, 40 insertions(+), 19
> deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index
> 30c5be1f0549..0df941ca4d90 100644
> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> @@ -50,6 +50,11 @@ struct v4l2_window32 {
>
> static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32
> __user *up) {
> + struct v4l2_clip32 __user *uclips;
> + struct v4l2_clip __user *kclips;
> + compat_caddr_t p;
> + u32 n;
> +
> if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
> copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
> get_user(kp->field, &up->field) ||
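Review bot: the commit message only describes the put_v4l2_window32() change, but the declarations added at the top of get_v4l2_window32() here begin a restructuring of that function, including the loop counter changing from `int n` to `u32 n`. As the patch is tagged for stable, mention in the commit message that get_v4l2_window32() is reworked with no intended change in behaviour, or move that rework into a separate patch so the copy-back fix can be backported on its own.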
> @@ -59,38 +64,54 @@ static int get_v4l2_window32(struct v4l2_window *kp,
> struct v4l2_window32 __user return -EFAULT;
> if (kp->clipcount > 2048)
> return -EINVAL;
> - if (kp->clipcount) {
> - struct v4l2_clip32 __user *uclips;
> - struct v4l2_clip __user *kclips;
> - int n = kp->clipcount;
> - compat_caddr_t p;
> + if (!kp->clipcount) {
> + kp->clips = NULL;
> + return 0;
> + }
>
> - if (get_user(p, &up->clips))
> + n = kp->clipcount;
> + if (get_user(p, &up->clips))
> + return -EFAULT;
> + uclips = compat_ptr(p);
> + kclips = compat_alloc_user_space(n * sizeof(*kclips));
> + kp->clips = kclips;
> + while (n--) {
> + if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
> return -EFAULT;
> - uclips = compat_ptr(p);
> - kclips = compat_alloc_user_space(n * sizeof(*kclips));
> - kp->clips = kclips;
> - while (--n >= 0) {
> - if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
> - return -EFAULT;
> - if (put_user(n ? kclips + 1 : NULL, &kclips->next))
> - return -EFAULT;
> - uclips += 1;
> - kclips += 1;
> - }
> - } else
> - kp->clips = NULL;
> + if (put_user(n ? kclips + 1 : NULL, &kclips->next))
> + return -EFAULT;
> + uclips++;
> + kclips++;
> + }
> return 0;
> }
>
> static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32
> __user *up) {
> + struct v4l2_clip __user *kclips = kp->clips;
> + struct v4l2_clip32 __user *uclips;
> + u32 n = kp->clipcount;
> + compat_caddr_t p;
> +
> if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
> put_user(kp->field, &up->field) ||
> put_user(kp->chromakey, &up->chromakey) ||
> put_user(kp->clipcount, &up->clipcount) ||
> put_user(kp->global_alpha, &up->global_alpha))
> return -EFAULT;
> +
> + if (!kp->clipcount)
> + return 0;
> +
> + if (get_user(p, &up->clips))
> + return -EFAULT;
> + uclips = compat_ptr(p);
This is compat code so I don't care too much, but it would be more readable if
you assigned both kclips and uclips here instead of assigning kclips at the
beginning of the function.
> + while (n--) {
Similarly a for loop would be easier to read.
> + if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
> + return -EFAULT;
> + uclips++;
> + kclips++;
> + }
> return 0;
> }
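Review bot: in put_v4l2_window32() the copy-back loop takes its bound from `u32 n = kp->clipcount;` as that field stands after the driver has run, whereas the 2048 limit and the size passed to compat_alloc_user_space() were both applied to the value read in get_v4l2_window32(). Nothing in this hunk ties the two together, and the loop advances with `kclips++` rather than following `->next`, so it relies on the driver leaving both the count and the list layout exactly as get_v4l2_window32() set them up. If a driver may change clipcount, bound n by the count originally supplied (or re-check it against 2048) before the loop; if it may not, a comment stating that assumption would help the next reader.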
--
Regards,
Laurent Pinchart