From mboxrd@z Thu Jan 1 00:00:00 1970 From: Hans Verkuil Subject: Re: [PATCH] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 Date: Thu, 14 Jan 2016 08:53:45 +0100 Message-ID: <56975409.3090801@xs4all.nl> References: <1452757045-34051-1-git-send-email-tiffany.lin@mediatek.com> Mime-Version: 1.0 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1452757045-34051-1-git-send-email-tiffany.lin@mediatek.com> Sender: linux-media-owner@vger.kernel.org To: Tiffany Lin , Mauro Carvalho Chehab Cc: Eddie Huang , Yingjoe Chen , linux-media@vger.kernel.org, linux-mediatek@lists.infradead.org List-Id: linux-mediatek@lists.infradead.org Hi Tiffany, Good catch! But looking through the compat code I noticed that in the single-planar DMABUF case the length field is also never copied. I think it would be much simpler if the length field is just always copied instead of in each multiplanar or singleplanar mmap/userptr/dmabuf case. It will simplify the code and prevent such mistakes in the future. Can you make a v2 that makes that change? Thanks! Hans On 01/14/2016 08:37 AM, Tiffany Lin wrote: > In v4l2-compliance utility, test QUERYBUF required correct length > value to go through each planar to check planar's length in multi-planar > > Signed-off-by: Tiffany Lin > --- > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > index 327e83a..5ba932a 100644 > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > @@ -521,6 +521,9 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user > if (num_planes == 0) > return 0; > > + if (put_user(kp->length, &up->length)) > + return -EFAULT; > + > uplane = (__force struct v4l2_plane __user *)kp->m.planes; > if (get_user(p, &up->m.planes)) > return -EFAULT; >