summaryrefslogtreecommitdiffstats
path: root/drivers/media/v4l2-core
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/media/v4l2-core')
-rw-r--r--drivers/media/v4l2-core/v4l2-compat-ioctl32.c46
-rw-r--r--drivers/media/v4l2-core/v4l2-ioctl.c24
2 files changed, 42 insertions, 28 deletions
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index fe4577a46869..73dac1d8d4f6 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -158,7 +158,7 @@ static int get_v4l2_window32(struct v4l2_window __user *p64,
compat_caddr_t p;
u32 clipcount;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
copy_in_user(&p64->w, &p32->w, sizeof(p32->w)) ||
assign_in_user(&p64->field, &p32->field) ||
assign_in_user(&p64->chromakey, &p32->chromakey) ||
@@ -283,7 +283,7 @@ static int __bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
static int bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
{
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+ if (!access_ok(p32, sizeof(*p32)))
return -EFAULT;
return __bufsize_v4l2_format(p32, size);
}
@@ -335,7 +335,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
struct v4l2_format32 __user *p32,
void __user *aux_buf, u32 aux_space)
{
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+ if (!access_ok(p32, sizeof(*p32)))
return -EFAULT;
return __get_v4l2_format32(p64, p32, aux_buf, aux_space);
}
@@ -343,7 +343,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *p32,
u32 *size)
{
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+ if (!access_ok(p32, sizeof(*p32)))
return -EFAULT;
return __bufsize_v4l2_format(&p32->format, size);
}
@@ -352,7 +352,7 @@ static int get_v4l2_create32(struct v4l2_create_buffers __user *p64,
struct v4l2_create_buffers32 __user *p32,
void __user *aux_buf, u32 aux_space)
{
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
copy_in_user(p64, p32,
offsetof(struct v4l2_create_buffers32, format)))
return -EFAULT;
@@ -404,7 +404,7 @@ static int __put_v4l2_format32(struct v4l2_format __user *p64,
static int put_v4l2_format32(struct v4l2_format __user *p64,
struct v4l2_format32 __user *p32)
{
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)))
+ if (!access_ok(p32, sizeof(*p32)))
return -EFAULT;
return __put_v4l2_format32(p64, p32);
}
@@ -412,7 +412,7 @@ static int put_v4l2_format32(struct v4l2_format __user *p64,
static int put_v4l2_create32(struct v4l2_create_buffers __user *p64,
struct v4l2_create_buffers32 __user *p32)
{
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
copy_in_user(p32, p64,
offsetof(struct v4l2_create_buffers32, format)) ||
assign_in_user(&p32->capabilities, &p64->capabilities) ||
@@ -434,7 +434,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
struct v4l2_standard32 __user *p32)
{
/* other fields are not set by the user, nor used by the driver */
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p64->index, &p32->index))
return -EFAULT;
return 0;
@@ -443,7 +443,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
static int put_v4l2_standard32(struct v4l2_standard __user *p64,
struct v4l2_standard32 __user *p32)
{
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p32->index, &p64->index) ||
assign_in_user(&p32->id, &p64->id) ||
copy_in_user(p32->name, p64->name, sizeof(p32->name)) ||
@@ -560,7 +560,7 @@ static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *p32, u32 *size)
u32 type;
u32 length;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
get_user(type, &p32->type) ||
get_user(length, &p32->length))
return -EFAULT;
@@ -593,7 +593,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
compat_caddr_t p;
int ret;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p64->index, &p32->index) ||
get_user(type, &p32->type) ||
put_user(type, &p64->type) ||
@@ -632,7 +632,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
return -EFAULT;
uplane32 = compat_ptr(p);
- if (!access_ok(VERIFY_READ, uplane32,
+ if (!access_ok(uplane32,
num_planes * sizeof(*uplane32)))
return -EFAULT;
@@ -691,7 +691,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user *p64,
compat_caddr_t p;
int ret;
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p32->index, &p64->index) ||
get_user(type, &p64->type) ||
put_user(type, &p32->type) ||
@@ -781,7 +781,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
{
compat_caddr_t tmp;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
get_user(tmp, &p32->base) ||
put_user_force(compat_ptr(tmp), &p64->base) ||
assign_in_user(&p64->capability, &p32->capability) ||
@@ -796,7 +796,7 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
{
void *base;
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
get_user(base, &p64->base) ||
put_user(ptr_to_compat((void __user *)base), &p32->base) ||
assign_in_user(&p32->capability, &p64->capability) ||
@@ -893,7 +893,7 @@ static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *p32,
{
u32 count;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
get_user(count, &p32->count))
return -EFAULT;
if (count > V4L2_CID_MAX_CTRLS)
@@ -913,7 +913,7 @@ static int get_v4l2_ext_controls32(struct file *file,
u32 n;
compat_caddr_t p;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p64->which, &p32->which) ||
get_user(count, &p32->count) ||
put_user(count, &p64->count) ||
@@ -929,7 +929,7 @@ static int get_v4l2_ext_controls32(struct file *file,
if (get_user(p, &p32->controls))
return -EFAULT;
ucontrols = compat_ptr(p);
- if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
+ if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
return -EFAULT;
if (aux_space < count * sizeof(*kcontrols))
return -EFAULT;
@@ -979,7 +979,7 @@ static int put_v4l2_ext_controls32(struct file *file,
* with __user causes smatch warnings, so instead declare it
* without __user and cast it as a userspace pointer where needed.
*/
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p32->which, &p64->which) ||
get_user(count, &p64->count) ||
put_user(count, &p32->count) ||
@@ -994,7 +994,7 @@ static int put_v4l2_ext_controls32(struct file *file,
if (get_user(p, &p32->controls))
return -EFAULT;
ucontrols = compat_ptr(p);
- if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
+ if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
return -EFAULT;
for (n = 0; n < count; n++) {
@@ -1043,7 +1043,7 @@ struct v4l2_event32 {
static int put_v4l2_event32(struct v4l2_event __user *p64,
struct v4l2_event32 __user *p32)
{
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p32->type, &p64->type) ||
copy_in_user(&p32->u, &p64->u, sizeof(p64->u)) ||
assign_in_user(&p32->pending, &p64->pending) ||
@@ -1069,7 +1069,7 @@ static int get_v4l2_edid32(struct v4l2_edid __user *p64,
{
compat_uptr_t tmp;
- if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p64->pad, &p32->pad) ||
assign_in_user(&p64->start_block, &p32->start_block) ||
assign_in_user_cast(&p64->blocks, &p32->blocks) ||
@@ -1085,7 +1085,7 @@ static int put_v4l2_edid32(struct v4l2_edid __user *p64,
{
void *edid;
- if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+ if (!access_ok(p32, sizeof(*p32)) ||
assign_in_user(&p32->pad, &p64->pad) ||
assign_in_user(&p32->start_block, &p64->start_block) ||
assign_in_user(&p32->blocks, &p64->blocks) ||
diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 1441a73ce64c..90aad465f9ed 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -287,6 +287,7 @@ static void v4l_print_format(const void *arg, bool write_only)
const struct v4l2_window *win;
const struct v4l2_sdr_format *sdr;
const struct v4l2_meta_format *meta;
+ u32 planes;
unsigned i;
pr_cont("type=%s", prt_names(p->type, v4l2_type_names));
@@ -317,7 +318,8 @@ static void v4l_print_format(const void *arg, bool write_only)
prt_names(mp->field, v4l2_field_names),
mp->colorspace, mp->num_planes, mp->flags,
mp->ycbcr_enc, mp->quantization, mp->xfer_func);
- for (i = 0; i < mp->num_planes; i++)
+ planes = min_t(u32, mp->num_planes, VIDEO_MAX_PLANES);
+ for (i = 0; i < planes; i++)
printk(KERN_DEBUG "plane %u: bytesperline=%u sizeimage=%u\n", i,
mp->plane_fmt[i].bytesperline,
mp->plane_fmt[i].sizeimage);
@@ -1551,8 +1553,11 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_cap_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
+ if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
+ break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
- CLEAR_AFTER_FIELD(p, fmt.pix_mp.plane_fmt[i].bytesperline);
+ CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
+ bytesperline);
return ops->vidioc_s_fmt_vid_cap_mplane(file, fh, arg);
case V4L2_BUF_TYPE_VIDEO_OVERLAY:
if (unlikely(!ops->vidioc_s_fmt_vid_overlay))
@@ -1581,8 +1586,11 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_s_fmt_vid_out_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
+ if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
+ break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
- CLEAR_AFTER_FIELD(p, fmt.pix_mp.plane_fmt[i].bytesperline);
+ CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
+ bytesperline);
return ops->vidioc_s_fmt_vid_out_mplane(file, fh, arg);
case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
if (unlikely(!ops->vidioc_s_fmt_vid_out_overlay))
@@ -1648,8 +1656,11 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_cap_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
+ if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
+ break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
- CLEAR_AFTER_FIELD(p, fmt.pix_mp.plane_fmt[i].bytesperline);
+ CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
+ bytesperline);
return ops->vidioc_try_fmt_vid_cap_mplane(file, fh, arg);
case V4L2_BUF_TYPE_VIDEO_OVERLAY:
if (unlikely(!ops->vidioc_try_fmt_vid_overlay))
@@ -1678,8 +1689,11 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
if (unlikely(!ops->vidioc_try_fmt_vid_out_mplane))
break;
CLEAR_AFTER_FIELD(p, fmt.pix_mp.xfer_func);
+ if (p->fmt.pix_mp.num_planes > VIDEO_MAX_PLANES)
+ break;
for (i = 0; i < p->fmt.pix_mp.num_planes; i++)
- CLEAR_AFTER_FIELD(p, fmt.pix_mp.plane_fmt[i].bytesperline);
+ CLEAR_AFTER_FIELD(&p->fmt.pix_mp.plane_fmt[i],
+ bytesperline);
return ops->vidioc_try_fmt_vid_out_mplane(file, fh, arg);
case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
if (unlikely(!ops->vidioc_try_fmt_vid_out_overlay))
OpenPOWER on IntegriCloud