Re: Misc 2.5 Fixes: cp-user-sisfb

Dipankar Sarma (dipankar@in.ibm.com)
Tue, 10 Jun 2003 15:48:01 +0530


Fix sisfb_ioctl() to use copy_to/from routines. There may be some
some changes in this patch that are ifdefed out in 2.5. Maintainers
to rescue.

drivers/video/sis/sis_main.c | 91 +++++++++++++++++++++++++------------------
1 files changed, 55 insertions(+), 36 deletions(-)

diff -puN drivers/video/sis/sis_main.c~cp-user-sisfb drivers/video/sis/sis_main.c
--- linux-2.5.70-ds/drivers/video/sis/sis_main.c~cp-user-sisfb 2003-06-08 04:34:39.000000000 +0530
+++ linux-2.5.70-ds-dipankar/drivers/video/sis/sis_main.c 2003-06-08 12:27:49.000000000 +0530
@@ -1461,44 +1461,57 @@ static int sisfb_ioctl(struct inode *ino
struct fb_info *info)
{
TWDEBUG("inside ioctl");
+ struct sis_memreq req;
+ struct ap_data ap;
+ unsigned long a;
switch (cmd) {
case FBIO_ALLOC:
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
- sis_malloc((struct sis_memreq *) arg);
+ if (copy_from_user(&req, (void *)arg, sizeof(req)))
+ return -EFAULT;
+ sis_malloc(&req);
+ if (copy_to_user((void *)arg, &req, sizeof(req)))
+ return -EFAULT;
break;
case FBIO_FREE:
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
- sis_free(*(unsigned long *) arg);
+ if(get_user(a, (unsigned long *) arg))
+ return -EFAULT;
+ sis_free(a);
break;
case FBIOGET_GLYPH:
+ /* Not in 2.5 ???? */
sis_get_glyph(info,(SIS_GLYINFO *) arg);
break;
case FBIOGET_HWCINFO:
{
unsigned long *hwc_offset = (unsigned long *) arg;

- if (sisfb_caps & HW_CURSOR_CAP)
- *hwc_offset = sisfb_hwcursor_vbase -
- (unsigned long) ivideo.video_vbase;
- else
- *hwc_offset = 0;
-
+ if (sisfb_caps & HW_CURSOR_CAP) {
+ if (put_user(sisfb_hwcursor_vbase -
+ (unsigned long) ivideo.video_vbase,
+ hwc_offset))
+ return -EFAULT;
+ } else if (put_user(0UL, hwc_offset))
+ return -EFAULT;
break;
}
case FBIOPUT_MODEINFO:
{
- struct mode_info *x = (struct mode_info *)arg;
+ struct mode_info x;

- ivideo.video_bpp = x->bpp;
- ivideo.video_width = x->xres;
- ivideo.video_height = x->yres;
- ivideo.video_vwidth = x->v_xres;
- ivideo.video_vheight = x->v_yres;
- ivideo.org_x = x->org_x;
- ivideo.org_y = x->org_y;
- ivideo.refresh_rate = x->vrate;
+ if (copy_from_user(&x, (void *)arg, sizeof(x)))
+ return -EFAULT;
+ ivideo.video_bpp = x.bpp;
+ ivideo.video_width = x.xres;
+ ivideo.video_height = x.yres;
+ ivideo.video_vwidth = x.v_xres;
+ ivideo.video_vheight = x.v_yres;
+ ivideo.org_x = x.org_x;
+ ivideo.org_y = x.org_y;
+ ivideo.refresh_rate = x.vrate;
ivideo.video_linelength = ivideo.video_vwidth * (ivideo.video_bpp >> 3);
switch(ivideo.video_bpp) {
case 8:
@@ -1526,34 +1539,40 @@ static int sisfb_ioctl(struct inode *ino
break;
}
case FBIOGET_DISPINFO:
- sis_dispinfo((struct ap_data *)arg);
+ sis_dispinfo(&ap);
+ if (copy_to_user((void *)arg, &ap, sizeof(ap)))
+ return -EFAULT;
break;
case SISFB_GET_INFO: /* TW: New for communication with X driver */
{
- sisfb_info *x = (sisfb_info *)arg;
+ sisfb_info x;

- x->sisfb_id = SISFB_ID;
- x->sisfb_version = VER_MAJOR;
- x->sisfb_revision = VER_MINOR;
- x->sisfb_patchlevel = VER_LEVEL;
- x->chip_id = ivideo.chip_id;
- x->memory = ivideo.video_size / 1024;
- x->heapstart = ivideo.heapstart / 1024;
- x->fbvidmode = sisfb_mode_no;
- x->sisfb_caps = sisfb_caps;
- x->sisfb_tqlen = 512; /* yet unused */
- x->sisfb_pcibus = ivideo.pcibus;
- x->sisfb_pcislot = ivideo.pcislot;
- x->sisfb_pcifunc = ivideo.pcifunc;
- x->sisfb_lcdpdc = sisfb_detectedpdc;
- x->sisfb_lcda = sisfb_detectedlcda;
+ x.sisfb_id = SISFB_ID;
+ x.sisfb_version = VER_MAJOR;
+ x.sisfb_revision = VER_MINOR;
+ x.sisfb_patchlevel = VER_LEVEL;
+ x.chip_id = ivideo.chip_id;
+ x.memory = ivideo.video_size / 1024;
+ x.heapstart = ivideo.heapstart / 1024;
+ x.fbvidmode = sisfb_mode_no;
+ x.sisfb_caps = sisfb_caps;
+ x.sisfb_tqlen = 512; /* yet unused */
+ x.sisfb_pcibus = ivideo.pcibus;
+ x.sisfb_pcislot = ivideo.pcislot;
+ x.sisfb_pcifunc = ivideo.pcifunc;
+ x.sisfb_lcdpdc = sisfb_detectedpdc;
+ x.sisfb_lcda = sisfb_detectedlcda;
+ if (copy_to_user((void *)arg, &x, sizeof(x)))
+ return -EFAULT;
break;
}
case SISFB_GET_VBRSTATUS:
{
unsigned long *vbrstatus = (unsigned long *) arg;
- if(sisfb_CheckVBRetrace()) *vbrstatus = 1;
- else *vbrstatus = 0;
+ if(sisfb_CheckVBRetrace()) {
+ return put_user(1UL, vbrstatus);
+ else
+ return put_user(0UL, vbrstatus);
}
default:
return -EINVAL;

_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/