From: Hans Verkuil <hverkuil@xs4all.nl>
To: Sakari Ailus <sakari.ailus@linux.intel.com>, linux-media@vger.kernel.org
Cc: laurent.pinchart@ideasonboard.com, mchehab@osg.samsung.com
Subject: Re: [PATCH v2 5/5] media: Support variable size IOCTL arguments
Date: Wed, 4 May 2016 14:37:01 +0200 [thread overview]
Message-ID: <5729ECED.9000708@xs4all.nl> (raw)
In-Reply-To: <1462360855-23354-6-git-send-email-sakari.ailus@linux.intel.com>
Hi Sakari,
On 05/04/2016 01:20 PM, Sakari Ailus wrote:
> Instead of checking for a strict size for the IOCTL arguments, place
> minimum and maximum limits.
>
> As an additional bonus, IOCTL handlers will be able to check whether the
> caller actually set (using the argument size) the field vs. assigning it
> to zero. Separate macro can be provided for that.
>
> This will be easier for applications as well since there is no longer the
> problem of setting the reserved fields zero, or at least it is a lesser
> problem.
>
> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
> ---
> drivers/media/media-device.c | 45 +++++++++++++++++++++++++++++---------------
> 1 file changed, 30 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
> index 8aef5b8..c638d3b 100644
> --- a/drivers/media/media-device.c
> +++ b/drivers/media/media-device.c
> @@ -393,32 +393,44 @@ static long copy_arg_to_user_nop(void __user *uarg, void *karg,
> /* Do acquire the graph mutex */
> #define MEDIA_IOC_FL_GRAPH_MUTEX BIT(0)
>
> -#define MEDIA_IOC_ARG(__cmd, func, fl, from_user, to_user) \
> +#define MEDIA_IOC_ARG(__cmd, arg_type, func, fl, from_user, to_user) \
> [_IOC_NR(MEDIA_IOC_##__cmd)] = { \
> .cmd = MEDIA_IOC_##__cmd, \
> .fn = (long (*)(struct media_device *, void *))func, \
> .flags = fl, \
> + .min_arg_size = sizeof(arg_type), \
Hmm. I would prefer to change this to a pointer to an array of possible sizes.
E.g.
u16 media_ioc_foo_sizes[] = {
sizeof(struct foo_v1),
sizeof(struct foo_v2),
sizeof(struct foo_v3),
0
};
And pass this array to MEDIA_IOC_ARG, or NULL if there are no other versions.
In that case the code can use _IOC_SIZE.
That way the ioctl check is precise instead of a simple range check.
So add a size field for the default handling:
.size = _IOC_SIZE(MEDIA_IOC_##__cmd),
and a old_sizes pointer:
.old_sizes = oldsizesptr,
In the ioctl check code first compare _IOC_SIZE with the size field, and
if different walk the old_sizes array (if that pointer is != NULL).
Regards,
Hans
> .arg_from_user = from_user, \
> .arg_to_user = to_user, \
> }
>
> -#define MEDIA_IOC(__cmd, func, fl) \
> - MEDIA_IOC_ARG(__cmd, func, fl, copy_arg_from_user, copy_arg_to_user)
> +#define MEDIA_IOC(__cmd, arg_type, func, fl) \
> + MEDIA_IOC_ARG(__cmd, arg_type, func, fl, \
> + copy_arg_from_user, copy_arg_to_user)
>
> /* the table is indexed by _IOC_NR(cmd) */
> struct media_ioctl_info {
> unsigned int cmd;
> long (*fn)(struct media_device *dev, void *arg);
> unsigned short flags;
> + unsigned short min_arg_size;
> long (*arg_from_user)(void *karg, void __user *uarg, unsigned int cmd);
> long (*arg_to_user)(void __user *uarg, void *karg, unsigned int cmd);
> };
>
> +#define MASK_IOC_SIZE(cmd) \
> + ((cmd) & ~(_IOC_SIZEMASK << _IOC_SIZESHIFT))
> +
> static inline long is_valid_ioctl(const struct media_ioctl_info *info,
> unsigned int len, unsigned int cmd)
> {
> - return (_IOC_NR(cmd) >= len
> - || info[_IOC_NR(cmd)].cmd != cmd) ? -ENOIOCTLCMD : 0;
> + if (_IOC_NR(cmd) >= len)
> + return -ENOIOCTLCMD;
> +
> + info += _IOC_NR(cmd);
> +
> + return (MASK_IOC_SIZE(info->cmd) != MASK_IOC_SIZE(cmd)
> + || _IOC_SIZE(cmd) < info->min_arg_size
> + || _IOC_SIZE(cmd) > _IOC_SIZE(info->cmd)) ? -ENOIOCTLCMD : 0;
> }
>
> static unsigned int media_ioctl_max_arg_size(
> @@ -454,6 +466,9 @@ static long __media_device_ioctl(
>
> info->arg_from_user(karg, arg, cmd);
>
> + /* Set the rest of the argument struct to zero */
> + memset(karg + _IOC_SIZE(cmd), 0, _IOC_SIZE(info->cmd) - _IOC_SIZE(cmd));
> +
> if (info->flags & MEDIA_IOC_FL_GRAPH_MUTEX)
> mutex_lock(&dev->graph_mutex);
>
> @@ -469,11 +484,11 @@ static long __media_device_ioctl(
> }
>
> static const struct media_ioctl_info ioctl_info[] = {
> - MEDIA_IOC(DEVICE_INFO, media_device_get_info, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(ENUM_ENTITIES, media_device_enum_entities, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(ENUM_LINKS, media_device_enum_links, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(SETUP_LINK, media_device_setup_link, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(G_TOPOLOGY, media_device_get_topology, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(DEVICE_INFO, struct media_device_info, media_device_get_info, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(ENUM_ENTITIES, struct media_entity_desc, media_device_enum_entities, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(ENUM_LINKS, struct media_links_enum, media_device_enum_links, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(SETUP_LINK, struct media_link_desc, media_device_setup_link, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(G_TOPOLOGY, struct media_v2_topology, media_device_get_topology, MEDIA_IOC_FL_GRAPH_MUTEX),
> };
>
> static long media_device_ioctl(struct file *filp, unsigned int cmd,
> @@ -519,11 +534,11 @@ static long from_user_enum_links32(void *karg, void __user *uarg,
> #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
>
> static const struct media_ioctl_info compat_ioctl_info[] = {
> - MEDIA_IOC(DEVICE_INFO, media_device_get_info, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(ENUM_ENTITIES, media_device_enum_entities, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC_ARG(ENUM_LINKS32, media_device_enum_links, MEDIA_IOC_FL_GRAPH_MUTEX, from_user_enum_links32, copy_arg_to_user_nop),
> - MEDIA_IOC(SETUP_LINK, media_device_setup_link, MEDIA_IOC_FL_GRAPH_MUTEX),
> - MEDIA_IOC(G_TOPOLOGY, media_device_get_topology, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(DEVICE_INFO, struct media_device_info, media_device_get_info, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(ENUM_ENTITIES, struct media_entity_desc, media_device_enum_entities, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC_ARG(ENUM_LINKS32, struct media_links_enum32, media_device_enum_links, MEDIA_IOC_FL_GRAPH_MUTEX, from_user_enum_links32, copy_arg_to_user_nop),
> + MEDIA_IOC(SETUP_LINK, struct media_link_desc, media_device_setup_link, MEDIA_IOC_FL_GRAPH_MUTEX),
> + MEDIA_IOC(G_TOPOLOGY, struct media_v2_topology, media_device_get_topology, MEDIA_IOC_FL_GRAPH_MUTEX),
> };
>
> static long media_device_compat_ioctl(struct file *filp, unsigned int cmd,
>
next prev parent reply other threads:[~2016-05-04 12:37 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-04 11:20 [PATCH v2 0/5] Refactor media IOCTL handling, add variable length arguments Sakari Ailus
2016-05-04 11:20 ` [PATCH v2 1/5] media: Determine early whether an IOCTL is supported Sakari Ailus
2016-05-09 12:43 ` Laurent Pinchart
2016-05-04 11:20 ` [PATCH v2 2/5] media: Unify IOCTL handler calling Sakari Ailus
2016-05-09 12:43 ` Laurent Pinchart
2016-05-04 11:20 ` [PATCH v2 3/5] media: Refactor copying IOCTL arguments from and to user space Sakari Ailus
2016-05-04 12:24 ` Hans Verkuil
2016-05-04 12:31 ` Sakari Ailus
2016-05-04 13:09 ` [PATCH v2.1 " Sakari Ailus
2016-05-09 12:43 ` Laurent Pinchart
2016-05-09 13:16 ` Sakari Ailus
2016-07-09 19:29 ` Laurent Pinchart
2016-07-09 22:03 ` Sakari Ailus
2016-07-09 23:12 ` Laurent Pinchart
2016-07-09 23:23 ` Sakari Ailus
2016-07-21 10:56 ` [PATCH v2.3 " Sakari Ailus
2016-05-17 14:49 ` [PATCH v2.2 " Sakari Ailus
2016-05-04 11:20 ` [PATCH v2 4/5] media: Add flags to tell whether to take graph mutex for an IOCTL Sakari Ailus
2016-05-04 14:50 ` Shuah Khan
2016-05-04 16:26 ` Sakari Ailus
2016-05-09 12:44 ` Laurent Pinchart
2016-07-09 19:47 ` Laurent Pinchart
2016-07-09 22:07 ` Sakari Ailus
2016-07-21 11:04 ` [PATCH v2.1 " Sakari Ailus
2016-05-04 11:20 ` [PATCH v2 5/5] media: Support variable size IOCTL arguments Sakari Ailus
2016-05-04 12:37 ` Hans Verkuil [this message]
2016-05-04 23:06 ` [PATCH v2.1 " Sakari Ailus
2016-06-17 16:21 ` Hans Verkuil
2016-06-20 17:03 ` Sakari Ailus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5729ECED.9000708@xs4all.nl \
--to=hverkuil@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@osg.samsung.com \
--cc=sakari.ailus@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox