Thomas
Dipankar Sarma wrote:
>
> Fix sisfb_ioctl() to use copy_to/from routines. There may be some
> some changes in this patch that are ifdefed out in 2.5. Maintainers
> to rescue.
>
>
> drivers/video/sis/sis_main.c | 91 +++++++++++++++++++++++++------------------
> 1 files changed, 55 insertions(+), 36 deletions(-)
>
> diff -puN drivers/video/sis/sis_main.c~cp-user-sisfb drivers/video/sis/sis_main.c
> --- linux-2.5.70-ds/drivers/video/sis/sis_main.c~cp-user-sisfb 2003-06-08 04:34:39.000000000 +0530
> +++ linux-2.5.70-ds-dipankar/drivers/video/sis/sis_main.c 2003-06-08 12:27:49.000000000 +0530
> @@ -1461,44 +1461,57 @@ static int sisfb_ioctl(struct inode *ino
> struct fb_info *info)
> {
> TWDEBUG("inside ioctl");
> + struct sis_memreq req;
> + struct ap_data ap;
> + unsigned long a;
> switch (cmd) {
> case FBIO_ALLOC:
> if (!capable(CAP_SYS_RAWIO))
> return -EPERM;
> - sis_malloc((struct sis_memreq *) arg);
> + if (copy_from_user(&req, (void *)arg, sizeof(req)))
> + return -EFAULT;
> + sis_malloc(&req);
> + if (copy_to_user((void *)arg, &req, sizeof(req)))
> + return -EFAULT;
> break;
> case FBIO_FREE:
> if (!capable(CAP_SYS_RAWIO))
> return -EPERM;
> - sis_free(*(unsigned long *) arg);
> + if(get_user(a, (unsigned long *) arg))
> + return -EFAULT;
> + sis_free(a);
> break;
> case FBIOGET_GLYPH:
> + /* Not in 2.5 ???? */
> sis_get_glyph(info,(SIS_GLYINFO *) arg);
> break;
> case FBIOGET_HWCINFO:
> {
> unsigned long *hwc_offset = (unsigned long *) arg;
>
> - if (sisfb_caps & HW_CURSOR_CAP)
> - *hwc_offset = sisfb_hwcursor_vbase -
> - (unsigned long) ivideo.video_vbase;
> - else
> - *hwc_offset = 0;
> -
> + if (sisfb_caps & HW_CURSOR_CAP) {
> + if (put_user(sisfb_hwcursor_vbase -
> + (unsigned long) ivideo.video_vbase,
> + hwc_offset))
> + return -EFAULT;
> + } else if (put_user(0UL, hwc_offset))
> + return -EFAULT;
> break;
> }
> case FBIOPUT_MODEINFO:
> {
> - struct mode_info *x = (struct mode_info *)arg;
> + struct mode_info x;
>
> - ivideo.video_bpp = x->bpp;
> - ivideo.video_width = x->xres;
> - ivideo.video_height = x->yres;
> - ivideo.video_vwidth = x->v_xres;
> - ivideo.video_vheight = x->v_yres;
> - ivideo.org_x = x->org_x;
> - ivideo.org_y = x->org_y;
> - ivideo.refresh_rate = x->vrate;
> + if (copy_from_user(&x, (void *)arg, sizeof(x)))
> + return -EFAULT;
> + ivideo.video_bpp = x.bpp;
> + ivideo.video_width = x.xres;
> + ivideo.video_height = x.yres;
> + ivideo.video_vwidth = x.v_xres;
> + ivideo.video_vheight = x.v_yres;
> + ivideo.org_x = x.org_x;
> + ivideo.org_y = x.org_y;
> + ivideo.refresh_rate = x.vrate;
> ivideo.video_linelength = ivideo.video_vwidth * (ivideo.video_bpp >> 3);
> switch(ivideo.video_bpp) {
> case 8:
> @@ -1526,34 +1539,40 @@ static int sisfb_ioctl(struct inode *ino
> break;
> }
> case FBIOGET_DISPINFO:
> - sis_dispinfo((struct ap_data *)arg);
> + sis_dispinfo(&ap);
> + if (copy_to_user((void *)arg, &ap, sizeof(ap)))
> + return -EFAULT;
> break;
> case SISFB_GET_INFO: /* TW: New for communication with X driver */
> {
> - sisfb_info *x = (sisfb_info *)arg;
> + sisfb_info x;
>
> - x->sisfb_id = SISFB_ID;
> - x->sisfb_version = VER_MAJOR;
> - x->sisfb_revision = VER_MINOR;
> - x->sisfb_patchlevel = VER_LEVEL;
> - x->chip_id = ivideo.chip_id;
> - x->memory = ivideo.video_size / 1024;
> - x->heapstart = ivideo.heapstart / 1024;
> - x->fbvidmode = sisfb_mode_no;
> - x->sisfb_caps = sisfb_caps;
> - x->sisfb_tqlen = 512; /* yet unused */
> - x->sisfb_pcibus = ivideo.pcibus;
> - x->sisfb_pcislot = ivideo.pcislot;
> - x->sisfb_pcifunc = ivideo.pcifunc;
> - x->sisfb_lcdpdc = sisfb_detectedpdc;
> - x->sisfb_lcda = sisfb_detectedlcda;
> + x.sisfb_id = SISFB_ID;
> + x.sisfb_version = VER_MAJOR;
> + x.sisfb_revision = VER_MINOR;
> + x.sisfb_patchlevel = VER_LEVEL;
> + x.chip_id = ivideo.chip_id;
> + x.memory = ivideo.video_size / 1024;
> + x.heapstart = ivideo.heapstart / 1024;
> + x.fbvidmode = sisfb_mode_no;
> + x.sisfb_caps = sisfb_caps;
> + x.sisfb_tqlen = 512; /* yet unused */
> + x.sisfb_pcibus = ivideo.pcibus;
> + x.sisfb_pcislot = ivideo.pcislot;
> + x.sisfb_pcifunc = ivideo.pcifunc;
> + x.sisfb_lcdpdc = sisfb_detectedpdc;
> + x.sisfb_lcda = sisfb_detectedlcda;
> + if (copy_to_user((void *)arg, &x, sizeof(x)))
> + return -EFAULT;
> break;
> }
> case SISFB_GET_VBRSTATUS:
> {
> unsigned long *vbrstatus = (unsigned long *) arg;
> - if(sisfb_CheckVBRetrace()) *vbrstatus = 1;
> - else *vbrstatus = 0;
> + if(sisfb_CheckVBRetrace()) {
> + return put_user(1UL, vbrstatus);
> + else
> + return put_user(0UL, vbrstatus);
> }
> default:
> return -EINVAL;
>
> _
>
-- Thomas Winischhofer Vienna/Austria thomas AT winischhofer DOT net *** http://www.winischhofer.net/ twini AT xfree86 DOT org
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/