]> git.pld-linux.org Git - packages/kernel.git/blame - linux-2.4-sparse-fixes.patch
projects / packages / kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- obsolete
[packages/kernel.git] / linux-2.4-sparse-fixes.patch
CommitLineData
655f500d
JB		 1# This is a BitKeeper generated diff -Nru style patch.
2#
3# ChangeSet
4# 2004/06/23 09:08:01-03:00 marcelo@logos.cnet
5# Al Viro sparse fixes: decnet user pointer dereference
6#
7# net/decnet/dn_dev.c
8# 2004/06/15 23:54:14-03:00 marcelo@logos.cnet +15 -7
9# Import patch decnet-fix
10#
11diff -Nru a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
12--- a/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00
13+++ b/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00
14@@ -1061,31 +1061,39 @@
15 {
16 struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr;
17 struct dn_ifaddr *ifa;
18- struct ifreq *ifr = (struct ifreq *)buf;
19+ char buffer[DN_IFREQ_SIZE];
20+ struct ifreq *ifr = (struct ifreq *)buffer;
21+ struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr;
22 int done = 0;
23
24 if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL))
25 return 0;
26
27 for(; ifa; ifa = ifa->ifa_next) {
28- if (!ifr) {
29+ if (!buf) {
30 done += sizeof(DN_IFREQ_SIZE);
31 continue;
32 }
33 if (len < DN_IFREQ_SIZE)
34 return done;
35- memset(ifr, 0, DN_IFREQ_SIZE);
36+ memset(buffer, 0, DN_IFREQ_SIZE);
37
38 if (ifa->ifa_label)
39 strcpy(ifr->ifr_name, ifa->ifa_label);
40 else
41 strcpy(ifr->ifr_name, dev->name);
42
43- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet;
44- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2;
45- (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local;
46+ addr->sdn_family = AF_DECnet;
47+ addr->sdn_add.a_len = 2;
48+ memcpy(addr->sdn_add.a_addr, &ifa->ifa_local,
49+ sizeof(dn_address));
50
51- ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE);
52+ if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) {
53+ done = -EFAULT;
54+ break;
55+ }
56+
57+ buf += DN_IFREQ_SIZE;
58 len -= DN_IFREQ_SIZE;
59 done += DN_IFREQ_SIZE;
60 }
61# This is a BitKeeper generated diff -Nru style patch.
62#
63# ChangeSet
64# 2004/06/23 09:09:39-03:00 marcelo@logos.cnet
65# Al Viro sparse fixes: mpu401 user pointer dereference
66#
67# drivers/sound/mpu401.c
68# 2004/06/16 00:07:29-03:00 marcelo@logos.cnet +28 -11
69# Import patch mpu401-fix
70#
71diff -Nru a/drivers/sound/mpu401.c b/drivers/sound/mpu401.c
72--- a/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00
73+++ b/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00
74@@ -1513,14 +1513,16 @@
75 static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg)
76 {
77 int midi_dev = sound_timer_devs[dev]->devlink;
78+ int *p = (int *)arg;
79
80 switch (command)
81 {
82 case SNDCTL_TMR_SOURCE:
83 {
84 int parm;
85-
86- parm = *(int *) arg;
87+
88+ if (get_user(parm, p))
89+ return -EFAULT;
90 parm &= timer_caps;
91
92 if (parm != 0)
93@@ -1532,7 +1534,9 @@
94 else if (timer_mode & TMR_MODE_SMPTE)
95 mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */
96 }
97- return (*(int *) arg = timer_mode);
98+ if (put_user(timer_mode, p))
99+ return -EFAULT;
100+ return timer_mode;
101 }
102 break;
103
104@@ -1557,10 +1561,13 @@
105 {
106 int val;
107
108- val = *(int *) arg;
109+ if (get_user(val, p))
110+ return -EFAULT;
111 if (val)
112 set_timebase(midi_dev, val);
113- return (*(int *) arg = curr_timebase);
114+ if (put_user(curr_timebase, p))
115+ return -EFAULT;
116+ return curr_timebase;
117 }
118 break;
119
120@@ -1569,7 +1576,8 @@
121 int val;
122 int ret;
123
124- val = *(int *) arg;
125+ if (get_user(val, p))
126+ return -EFAULT;
127
128 if (val)
129 {
130@@ -1584,7 +1592,9 @@
131 }
132 curr_tempo = val;
133 }
134- return (*(int *) arg = curr_tempo);
135+ if (put_user(curr_tempo, p))
136+ return -EFAULT;
137+ return curr_tempo;
138 }
139 break;
140
141@@ -1592,18 +1602,25 @@
142 {
143 int val;
144
145- val = *(int *) arg;
146+ if (get_user(val, p))
147+ return -EFAULT;
148 if (val != 0) /* Can't change */
149 return -EINVAL;
150- return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60);
151+ val = (curr_tempo * curr_timebase + 30) / 60;
152+ if (put_user(val, p))
153+ return -EFAULT;
154+ return val;
155 }
156 break;
157
158 case SNDCTL_SEQ_GETTIME:
159- return (*(int *) arg = curr_ticks);
160+ if (put_user(curr_ticks, p))
161+ return -EFAULT;
162+ return curr_ticks;
163
164 case SNDCTL_TMR_METRONOME:
165- metronome_mode = *(int *) arg;
166+ if (get_user(metronome_mode, p))
167+ return -EFAULT;
168 setup_metronome(midi_dev);
169 return 0;
170
171# This is a BitKeeper generated diff -Nru style patch.
172#
173# ChangeSet
174# 2004/06/23 09:11:47-03:00 marcelo@logos.cnet
175# Al Viro sparse fixes: msnd user pointer dereference & assorted fixes
176#
177# drivers/sound/msnd.c
178# 2004/06/16 02:42:38-03:00 marcelo@logos.cnet +4 -18
179# Import patch msnd-fix
180#
181# drivers/sound/msnd.h
182# 2004/06/16 02:42:26-03:00 marcelo@logos.cnet +2 -2
183# Import patch msnd-fix
184#
185# drivers/sound/msnd_pinnacle.c
186# 2004/06/16 02:42:11-03:00 marcelo@logos.cnet +56 -32
187# Import patch msnd-fix
188#
189diff -Nru a/drivers/sound/msnd.c b/drivers/sound/msnd.c
190--- a/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00
191+++ b/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00
192@@ -155,13 +155,10 @@
193 f->len = f->tail = f->head = 0;
194 }
195
196-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user)
197+int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len)
198 {
199 int count = 0;
200
201- if (f->len == f->n)
202- return 0;
203-
204 while ((count < len) && (f->len != f->n)) {
205
206 int nwritten;
207@@ -177,11 +174,7 @@
208 nwritten = len - count;
209 }
210
211- if (user) {
212- if (copy_from_user(f->data + f->tail, buf, nwritten))
213- return -EFAULT;
214- } else
215- isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
216+ isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
217
218 count += nwritten;
219 buf += nwritten;
220@@ -193,13 +186,10 @@
221 return count;
222 }
223
224-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user)
225+int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len)
226 {
227 int count = 0;
228
229- if (f->len == 0)
230- return f->len;
231-
232 while ((count < len) && (f->len > 0)) {
233
234 int nread;
235@@ -215,11 +205,7 @@
236 nread = len - count;
237 }
238
239- if (user) {
240- if (copy_to_user(buf, f->data + f->head, nread))
241- return -EFAULT;
242- } else
243- isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
244+ isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
245
246 count += nread;
247 buf += nread;
248diff -Nru a/drivers/sound/msnd.h b/drivers/sound/msnd.h
249--- a/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00
250+++ b/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00
251@@ -266,8 +266,8 @@
252 void msnd_fifo_free(msnd_fifo *f);
253 int msnd_fifo_alloc(msnd_fifo *f, size_t n);
254 void msnd_fifo_make_empty(msnd_fifo *f);
255-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user);
256-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user);
257+int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len);
258+int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len);
259
260 int msnd_wait_TXDE(multisound_dev_t *dev);
261 int msnd_wait_HC0(multisound_dev_t *dev);
262diff -Nru a/drivers/sound/msnd_pinnacle.c b/drivers/sound/msnd_pinnacle.c
263--- a/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00
264+++ b/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00
265@@ -804,7 +804,7 @@
266
267 static __inline__ int pack_DARQ_to_DARF(register int bank)
268 {
269- register int size, n, timeout = 3;
270+ register int size, timeout = 3;
271 register WORD wTmp;
272 LPDAQD DAQD;
273
274@@ -825,13 +825,10 @@
275 /* Read data from the head (unprotected bank 1 access okay
276 since this is only called inside an interrupt) */
277 outb(HPBLKSEL_1, dev.io + HP_BLKS);
278- if ((n = msnd_fifo_write(
279+ msnd_fifo_write(
280 &dev.DARF,
281 (char *)(dev.base + bank * DAR_BUFF_SIZE),
282- size, 0)) <= 0) {
283- outb(HPBLKSEL_0, dev.io + HP_BLKS);
284- return n;
285- }
286+ size);
287 outb(HPBLKSEL_0, dev.io + HP_BLKS);
288
289 return 1;
290@@ -853,21 +850,16 @@
291 if (protect) {
292 /* Critical section: protect fifo in non-interrupt */
293 spin_lock_irqsave(&dev.lock, flags);
294- if ((n = msnd_fifo_read(
295+ n = msnd_fifo_read(
296 &dev.DAPF,
297 (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
298- DAP_BUFF_SIZE, 0)) < 0) {
299- spin_unlock_irqrestore(&dev.lock, flags);
300- return n;
301- }
302+ DAP_BUFF_SIZE);
303 spin_unlock_irqrestore(&dev.lock, flags);
304 } else {
305- if ((n = msnd_fifo_read(
306+ n = msnd_fifo_read(
307 &dev.DAPF,
308 (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
309- DAP_BUFF_SIZE, 0)) < 0) {
310- return n;
311- }
312+ DAP_BUFF_SIZE);
313 }
314 if (!n)
315 break;
316@@ -894,30 +886,43 @@
317 static int dsp_read(char *buf, size_t len)
318 {
319 int count = len;
320+ char *page = (char *)__get_free_page(PAGE_SIZE);
321+
322+ if (!page)
323+ return -ENOMEM;
324
325 while (count > 0) {
326- int n;
327+ int n, k;
328 unsigned long flags;
329
330+ k = PAGE_SIZE;
331+ if (k > count)
332+ k = count;
333+
334 /* Critical section: protect fifo in non-interrupt */
335 spin_lock_irqsave(&dev.lock, flags);
336- if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) {
337- printk(KERN_WARNING LOGNAME ": FIFO read error\n");
338- spin_unlock_irqrestore(&dev.lock, flags);
339- return n;
340- }
341+ n = msnd_fifo_read(&dev.DARF, page, k);
342 spin_unlock_irqrestore(&dev.lock, flags);
343+ if (copy_to_user(buf, page, n)) {
344+ free_page((unsigned long)page);
345+ return -EFAULT;
346+ }
347 buf += n;
348 count -= n;
349
350+ if (n == k && count)
351+ continue;
352+
353 if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) {
354 dev.last_recbank = -1;
355 if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0)
356 set_bit(F_READING, &dev.flags);
357 }
358
359- if (dev.rec_ndelay)
360+ if (dev.rec_ndelay) {
361+ free_page((unsigned long)page);
362 return count == len ? -EAGAIN : len - count;
363+ }
364
365 if (count > 0) {
366 set_bit(F_READBLOCK, &dev.flags);
367@@ -926,41 +931,57 @@
368 get_rec_delay_jiffies(DAR_BUFF_SIZE)))
369 clear_bit(F_READING, &dev.flags);
370 clear_bit(F_READBLOCK, &dev.flags);
371- if (signal_pending(current))
372+ if (signal_pending(current)) {
373+ free_page((unsigned long)page);
374 return -EINTR;
375+ }
376 }
377 }
378-
379+ free_page((unsigned long)page);
380 return len - count;
381 }
382
383 static int dsp_write(const char *buf, size_t len)
384 {
385 int count = len;
386+ char *page = (char *)__get_free_page(GFP_KERNEL);
387+
388+ if (!page)
389+ return -ENOMEM;
390
391 while (count > 0) {
392- int n;
393+ int n, k;
394 unsigned long flags;
395
396+ k = PAGE_SIZE;
397+ if (k > count)
398+ k = count;
399+
400+ if (copy_from_user(page, buf, k)) {
401+ free_page((unsigned long)page);
402+ return -EFAULT;
403+ }
404+
405 /* Critical section: protect fifo in non-interrupt */
406 spin_lock_irqsave(&dev.lock, flags);
407- if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) {
408- printk(KERN_WARNING LOGNAME ": FIFO write error\n");
409- spin_unlock_irqrestore(&dev.lock, flags);
410- return n;
411- }
412+ n = msnd_fifo_write(&dev.DAPF, page, k);
413 spin_unlock_irqrestore(&dev.lock, flags);
414 buf += n;
415 count -= n;
416
417+ if (count && n == k)
418+ continue;
419+
420 if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) {
421 dev.last_playbank = -1;
422 if (pack_DAPF_to_DAPQ(1) > 0)
423 set_bit(F_WRITING, &dev.flags);
424 }
425
426- if (dev.play_ndelay)
427+ if (dev.play_ndelay) {
428+ free_page((unsigned long)page);
429 return count == len ? -EAGAIN : len - count;
430+ }
431
432 if (count > 0) {
433 set_bit(F_WRITEBLOCK, &dev.flags);
434@@ -968,11 +989,14 @@
435 &dev.writeblock,
436 get_play_delay_jiffies(DAP_BUFF_SIZE));
437 clear_bit(F_WRITEBLOCK, &dev.flags);
438- if (signal_pending(current))
439+ if (signal_pending(current)) {
440+ free_page((unsigned long)page);
441 return -EINTR;
442+ }
443 }
444 }
445
446+ free_page((unsigned long)page);
447 return len - count;
448 }
449
450# This is a BitKeeper generated diff -Nru style patch.
451#
452# ChangeSet
453# 2004/06/23 09:13:13-03:00 marcelo@logos.cnet
454# Al Viro sparse fixes: pss user pointer dereference
455#
456# drivers/sound/pss.c
457# 2004/06/16 00:31:33-03:00 marcelo@logos.cnet +63 -29
458# Import patch pss-fix
459#
460diff -Nru a/drivers/sound/pss.c b/drivers/sound/pss.c
461--- a/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00
462+++ b/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00
463@@ -450,20 +450,36 @@
464 }
465 }
466
467-static void arg_to_volume_mono(unsigned int volume, int *aleft)
468+static int set_volume_mono(caddr_t p, int *aleft)
469 {
470 int left;
471+ unsigned volume;
472+ if (get_user(volume, (unsigned *)p))
473+ return -EFAULT;
474
475- left = volume & 0x00ff;
476+ left = volume & 0xff;
477 if (left > 100)
478 left = 100;
479 *aleft = left;
480+ return 0;
481 }
482
483-static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright)
484+static int set_volume_stereo(caddr_t p, int *aleft, int *aright)
485 {
486- arg_to_volume_mono(volume, aleft);
487- arg_to_volume_mono(volume >> 8, aright);
488+ int left, right;
489+ unsigned volume;
490+ if (get_user(volume, (unsigned *)p))
491+ return -EFAULT;
492+
493+ left = volume & 0xff;
494+ if (left > 100)
495+ left = 100;
496+ right = (volume >> 8) & 0xff;
497+ if (right > 100)
498+ right = 100;
499+ *aleft = left;
500+ *aright = right;
501+ return 0;
502 }
503
504 static int ret_vol_mono(int left)
505@@ -510,33 +526,38 @@
506 return call_ad_mixer(devc, cmd, arg);
507 else
508 {
509- if (*(int *)arg != 0)
510+ int v;
511+ if (get_user(v, (int *)arg))
512+ return -EFAULT;
513+ if (v != 0)
514 return -EINVAL;
515 return 0;
516 }
517 case SOUND_MIXER_VOLUME:
518- arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l,
519- &devc->mixer.volume_r);
520+ if (set_volume_stereo(arg,
521+ &devc->mixer.volume_l,
522+ &devc->mixer.volume_r))
523+ return -EFAULT;
524 set_master_volume(devc, devc->mixer.volume_l,
525 devc->mixer.volume_r);
526 return ret_vol_stereo(devc->mixer.volume_l,
527 devc->mixer.volume_r);
528
529 case SOUND_MIXER_BASS:
530- arg_to_volume_mono(*(unsigned int *)arg,
531- &devc->mixer.bass);
532+ if (set_volume_mono(arg, &devc->mixer.bass))
533+ return -EFAULT;
534 set_bass(devc, devc->mixer.bass);
535 return ret_vol_mono(devc->mixer.bass);
536
537 case SOUND_MIXER_TREBLE:
538- arg_to_volume_mono(*(unsigned int *)arg,
539- &devc->mixer.treble);
540+ if (set_volume_mono(arg, &devc->mixer.treble))
541+ return -EFAULT;
542 set_treble(devc, devc->mixer.treble);
543 return ret_vol_mono(devc->mixer.treble);
544
545 case SOUND_MIXER_SYNTH:
546- arg_to_volume_mono(*(unsigned int *)arg,
547- &devc->mixer.synth);
548+ if (set_volume_mono(arg, &devc->mixer.synth))
549+ return -EFAULT;
550 set_synth_volume(devc, devc->mixer.synth);
551 return ret_vol_mono(devc->mixer.synth);
552
553@@ -546,54 +567,67 @@
554 }
555 else
556 {
557+ int val, and_mask = 0, or_mask = 0;
558 /*
559 * Return parameters
560 */
561 switch (cmdf)
562 {
563-
564 case SOUND_MIXER_DEVMASK:
565 if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
566- *(int *)arg = 0; /* no mixer devices */
567- return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH);
568+ break;
569+ and_mask = ~0;
570+ or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH;
571+ break;
572
573 case SOUND_MIXER_STEREODEVS:
574 if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
575- *(int *)arg = 0; /* no stereo devices */
576- return (*(int *)arg |= SOUND_MASK_VOLUME);
577+ break;
578+ and_mask = ~0;
579+ or_mask = SOUND_MASK_VOLUME;
580+ break;
581
582 case SOUND_MIXER_RECMASK:
583 if (devc->ad_mixer_dev != NO_WSS_MIXER)
584 return call_ad_mixer(devc, cmd, arg);
585- else
586- return (*(int *)arg = 0); /* no record devices */
587+ break;
588
589 case SOUND_MIXER_CAPS:
590 if (devc->ad_mixer_dev != NO_WSS_MIXER)
591 return call_ad_mixer(devc, cmd, arg);
592- else
593- return (*(int *)arg = SOUND_CAP_EXCL_INPUT);
594+ or_mask = SOUND_CAP_EXCL_INPUT;
595+ break;
596
597 case SOUND_MIXER_RECSRC:
598 if (devc->ad_mixer_dev != NO_WSS_MIXER)
599 return call_ad_mixer(devc, cmd, arg);
600- else
601- return (*(int *)arg = 0); /* no record source */
602+ break;
603
604 case SOUND_MIXER_VOLUME:
605- return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r));
606+ or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r);
607+ break;
608
609 case SOUND_MIXER_BASS:
610- return (*(int *)arg = ret_vol_mono(devc->mixer.bass));
611+ or_mask = ret_vol_mono(devc->mixer.bass);
612+ break;
613
614 case SOUND_MIXER_TREBLE:
615- return (*(int *)arg = ret_vol_mono(devc->mixer.treble));
616+ or_mask = ret_vol_mono(devc->mixer.treble);
617+ break;
618
619 case SOUND_MIXER_SYNTH:
620- return (*(int *)arg = ret_vol_mono(devc->mixer.synth));
621+ or_mask = ret_vol_mono(devc->mixer.synth);
622+ break;
623 default:
624 return -EINVAL;
625 }
626+ if (get_user(val, (int *)arg))
627+ return -EFAULT;
628+ val &= and_mask;
629+ val |= or_mask;
630+ if (put_user(val, (int *)arg))
631+ return -EFAULT;
632+ return val;
633 }
634 }
635
636# This is a BitKeeper generated diff -Nru style patch.
637#
638# ChangeSet
639# 2004/06/23 09:14:50-03:00 marcelo@logos.cnet
640# Al Viro sparse fixes: aironet
641#
642# drivers/net/wireless/airo.c
643# 2004/06/16 02:34:27-03:00 marcelo@logos.cnet +27 -24
644# Import patch airo-fix
645#
646diff -Nru a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
647--- a/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00
648+++ b/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00
649@@ -3666,19 +3666,22 @@
650 size_t len,
651 loff_t *offset )
652 {
653- int i;
654- int pos;
655+ loff_t pos = *offset;
656 struct proc_data *priv = (struct proc_data*)file->private_data;
657
658- if( !priv->rbuffer ) return -EINVAL;
659+ if (!priv->rbuffer)
660+ return -EINVAL;
661
662- pos = *offset;
663- for( i = 0; i+pos < priv->readlen && i < len; i++ ) {
664- if (put_user( priv->rbuffer[i+pos], buffer+i ))
665- return -EFAULT;
666- }
667- *offset += i;
668- return i;
669+ if (pos < 0)
670+ return -EINVAL;
671+ if (pos >= priv->readlen)
672+ return 0;
673+ if (len > priv->readlen - pos)
674+ len = priv->readlen - pos;
675+ if (copy_to_user(buffer, priv->rbuffer + pos, len))
676+ return -EFAULT;
677+ *offset = pos + len;
678+ return len;
679 }
680
681 /*
682@@ -3690,24 +3693,24 @@
683 size_t len,
684 loff_t *offset )
685 {
686- int i;
687- int pos;
688+ loff_t pos = *offset;
689 struct proc_data *priv = (struct proc_data*)file->private_data;
690
691- if ( !priv->wbuffer ) {
692+ if (!priv->wbuffer)
693 return -EINVAL;
694- }
695
696- pos = *offset;
697-
698- for( i = 0; i + pos < priv->maxwritelen &&
699- i < len; i++ ) {
700- if (get_user( priv->wbuffer[i+pos], buffer + i ))
701- return -EFAULT;
702- }
703- if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos;
704- *offset += i;
705- return i;
706+ if (pos < 0)
707+ return -EINVAL;
708+ if (pos >= priv->maxwritelen)
709+ return 0;
710+ if (len > priv->maxwritelen - pos)
711+ len = priv->maxwritelen - pos;
712+ if (copy_from_user(priv->wbuffer + pos, buffer, len))
713+ return -EFAULT;
714+ if (pos + len > priv->writelen)
715+ priv->writelen = pos + len;
716+ *offset = pos + len;
717+ return len;
718 }
719
720 static int proc_status_open( struct inode *inode, struct file *file ) {
721# This is a BitKeeper generated diff -Nru style patch.
722#
723# ChangeSet
724# 2004/06/23 09:20:50-03:00 marcelo@logos.cnet
725# Al Viro sparse fixes: asus_acpi user pointer dereference
726#
727# drivers/acpi/asus_acpi.c
728# 2004/06/18 23:44:13-03:00 marcelo@logos.cnet +34 -12
729# Import patch acpi.solar
730#
731diff -Nru a/drivers/acpi/asus_acpi.c b/drivers/acpi/asus_acpi.c
732--- a/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00
733+++ b/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00
734@@ -40,6 +40,7 @@
735 #include <linux/proc_fs.h>
736 #include <acpi/acpi_drivers.h>
737 #include <acpi/acpi_bus.h>
738+#include <asm/uaccess.h>
739
740 #define ASUS_ACPI_VERSION "0.28"
741
742@@ -455,6 +456,21 @@
743
744 return len;
745 }
746+
747+static int parse_arg(const char *buf, unsigned long count, int *val)
748+{
749+ char s[32];
750+ if (!count)
751+ return 0;
752+ if (count > 31)
753+ return -EINVAL;
754+ if (copy_from_user(s, buf, count))
755+ return -EFAULT;
756+ s[count] = 0;
757+ if (sscanf(s, "%i", val) != 1)
758+ return -EINVAL;
759+ return count;
760+}
761
762
763 /*
764@@ -486,11 +502,14 @@
765 write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk,
766 char *ledname, int ledmask, int invert)
767 {
768- int value;
769+ int value, retval;
770 int led_out = 0;
771
772- if (sscanf(buffer, "%i", &value) == 1)
773- led_out = value ? 1 : 0;
774+ retval = parse_arg(buffer, count, &value);
775+ if (retval <= 0)
776+ return retval;
777+ count = retval;
778+ led_out = value ? 1 : 0;
779
780 hotk->status =
781 (led_out) ? (hotk->status | ledmask) : (hotk->status & ~ledmask);
782@@ -643,12 +662,13 @@
783 proc_write_lcd(struct file *file, const char *buffer,
784 unsigned long count, void *data)
785 {
786- int value;
787+ int value, retval;
788 struct asus_hotk *hotk = (struct asus_hotk *) data;
789
790- if (sscanf(buffer, "%i", &value) == 1)
791+ retval = parse_arg(buffer, count, &value);
792+ if (retval > 0)
793 set_lcd_state(hotk, value);
794- return count;
795+ return retval;
796 }
797
798
799@@ -710,10 +730,11 @@
800 proc_write_brn(struct file *file, const char *buffer,
801 unsigned long count, void *data)
802 {
803- int value;
804+ int value, retval;
805 struct asus_hotk *hotk = (struct asus_hotk *) data;
806
807- if (sscanf(buffer, "%d", &value) == 1) {
808+ retval = parse_arg(buffer, count, &value);
809+ if (retval > 0) {
810 value = (0 < value) ? ((15 < value) ? 15 : value) : 0;
811 /* 0 <= value <= 15 */
812 set_brightness(value, hotk);
813@@ -721,7 +742,7 @@
814 printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
815 }
816
817- return count;
818+ return retval;
819 }
820
821 static void set_display(int value, struct asus_hotk *hotk)
822@@ -759,16 +780,17 @@
823 proc_write_disp(struct file *file, const char *buffer,
824 unsigned long count, void *data)
825 {
826- int value;
827+ int value, retval;
828 struct asus_hotk *hotk = (struct asus_hotk *) data;
829
830- if (sscanf(buffer, "%d", &value) == 1)
831+ retval = parse_arg(buffer, count, &value);
832+ if (retval > 0)
833 set_display(value, hotk);
834 else {
835 printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
836 }
837
838- return count;
839+ return retval;
840 }
841
842
The Linux kernel (the core of the Linux operating system)
This page took 0.289988 seconds and 4 git commands to generate.