]>
Commit | Line | Data |
---|---|---|
655f500d JB |
1 | # This is a BitKeeper generated diff -Nru style patch. |
2 | # | |
3 | # ChangeSet | |
4 | # 2004/06/23 09:08:01-03:00 marcelo@logos.cnet | |
5 | # Al Viro sparse fixes: decnet user pointer dereference | |
6 | # | |
7 | # net/decnet/dn_dev.c | |
8 | # 2004/06/15 23:54:14-03:00 marcelo@logos.cnet +15 -7 | |
9 | # Import patch decnet-fix | |
10 | # | |
11 | diff -Nru a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c | |
12 | --- a/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00 | |
13 | +++ b/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00 | |
14 | @@ -1061,31 +1061,39 @@ | |
15 | { | |
16 | struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr; | |
17 | struct dn_ifaddr *ifa; | |
18 | - struct ifreq *ifr = (struct ifreq *)buf; | |
19 | + char buffer[DN_IFREQ_SIZE]; | |
20 | + struct ifreq *ifr = (struct ifreq *)buffer; | |
21 | + struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr; | |
22 | int done = 0; | |
23 | ||
24 | if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL)) | |
25 | return 0; | |
26 | ||
27 | for(; ifa; ifa = ifa->ifa_next) { | |
28 | - if (!ifr) { | |
29 | + if (!buf) { | |
30 | done += sizeof(DN_IFREQ_SIZE); | |
31 | continue; | |
32 | } | |
33 | if (len < DN_IFREQ_SIZE) | |
34 | return done; | |
35 | - memset(ifr, 0, DN_IFREQ_SIZE); | |
36 | + memset(buffer, 0, DN_IFREQ_SIZE); | |
37 | ||
38 | if (ifa->ifa_label) | |
39 | strcpy(ifr->ifr_name, ifa->ifa_label); | |
40 | else | |
41 | strcpy(ifr->ifr_name, dev->name); | |
42 | ||
43 | - (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet; | |
44 | - (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2; | |
45 | - (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local; | |
46 | + addr->sdn_family = AF_DECnet; | |
47 | + addr->sdn_add.a_len = 2; | |
48 | + memcpy(addr->sdn_add.a_addr, &ifa->ifa_local, | |
49 | + sizeof(dn_address)); | |
50 | ||
51 | - ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE); | |
52 | + if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) { | |
53 | + done = -EFAULT; | |
54 | + break; | |
55 | + } | |
56 | + | |
57 | + buf += DN_IFREQ_SIZE; | |
58 | len -= DN_IFREQ_SIZE; | |
59 | done += DN_IFREQ_SIZE; | |
60 | } | |
61 | # This is a BitKeeper generated diff -Nru style patch. | |
62 | # | |
63 | # ChangeSet | |
64 | # 2004/06/23 09:09:39-03:00 marcelo@logos.cnet | |
65 | # Al Viro sparse fixes: mpu401 user pointer dereference | |
66 | # | |
67 | # drivers/sound/mpu401.c | |
68 | # 2004/06/16 00:07:29-03:00 marcelo@logos.cnet +28 -11 | |
69 | # Import patch mpu401-fix | |
70 | # | |
71 | diff -Nru a/drivers/sound/mpu401.c b/drivers/sound/mpu401.c | |
72 | --- a/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00 | |
73 | +++ b/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00 | |
74 | @@ -1513,14 +1513,16 @@ | |
75 | static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg) | |
76 | { | |
77 | int midi_dev = sound_timer_devs[dev]->devlink; | |
78 | + int *p = (int *)arg; | |
79 | ||
80 | switch (command) | |
81 | { | |
82 | case SNDCTL_TMR_SOURCE: | |
83 | { | |
84 | int parm; | |
85 | - | |
86 | - parm = *(int *) arg; | |
87 | + | |
88 | + if (get_user(parm, p)) | |
89 | + return -EFAULT; | |
90 | parm &= timer_caps; | |
91 | ||
92 | if (parm != 0) | |
93 | @@ -1532,7 +1534,9 @@ | |
94 | else if (timer_mode & TMR_MODE_SMPTE) | |
95 | mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */ | |
96 | } | |
97 | - return (*(int *) arg = timer_mode); | |
98 | + if (put_user(timer_mode, p)) | |
99 | + return -EFAULT; | |
100 | + return timer_mode; | |
101 | } | |
102 | break; | |
103 | ||
104 | @@ -1557,10 +1561,13 @@ | |
105 | { | |
106 | int val; | |
107 | ||
108 | - val = *(int *) arg; | |
109 | + if (get_user(val, p)) | |
110 | + return -EFAULT; | |
111 | if (val) | |
112 | set_timebase(midi_dev, val); | |
113 | - return (*(int *) arg = curr_timebase); | |
114 | + if (put_user(curr_timebase, p)) | |
115 | + return -EFAULT; | |
116 | + return curr_timebase; | |
117 | } | |
118 | break; | |
119 | ||
120 | @@ -1569,7 +1576,8 @@ | |
121 | int val; | |
122 | int ret; | |
123 | ||
124 | - val = *(int *) arg; | |
125 | + if (get_user(val, p)) | |
126 | + return -EFAULT; | |
127 | ||
128 | if (val) | |
129 | { | |
130 | @@ -1584,7 +1592,9 @@ | |
131 | } | |
132 | curr_tempo = val; | |
133 | } | |
134 | - return (*(int *) arg = curr_tempo); | |
135 | + if (put_user(curr_tempo, p)) | |
136 | + return -EFAULT; | |
137 | + return curr_tempo; | |
138 | } | |
139 | break; | |
140 | ||
141 | @@ -1592,18 +1602,25 @@ | |
142 | { | |
143 | int val; | |
144 | ||
145 | - val = *(int *) arg; | |
146 | + if (get_user(val, p)) | |
147 | + return -EFAULT; | |
148 | if (val != 0) /* Can't change */ | |
149 | return -EINVAL; | |
150 | - return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60); | |
151 | + val = (curr_tempo * curr_timebase + 30) / 60; | |
152 | + if (put_user(val, p)) | |
153 | + return -EFAULT; | |
154 | + return val; | |
155 | } | |
156 | break; | |
157 | ||
158 | case SNDCTL_SEQ_GETTIME: | |
159 | - return (*(int *) arg = curr_ticks); | |
160 | + if (put_user(curr_ticks, p)) | |
161 | + return -EFAULT; | |
162 | + return curr_ticks; | |
163 | ||
164 | case SNDCTL_TMR_METRONOME: | |
165 | - metronome_mode = *(int *) arg; | |
166 | + if (get_user(metronome_mode, p)) | |
167 | + return -EFAULT; | |
168 | setup_metronome(midi_dev); | |
169 | return 0; | |
170 | ||
171 | # This is a BitKeeper generated diff -Nru style patch. | |
172 | # | |
173 | # ChangeSet | |
174 | # 2004/06/23 09:11:47-03:00 marcelo@logos.cnet | |
175 | # Al Viro sparse fixes: msnd user pointer dereference & assorted fixes | |
176 | # | |
177 | # drivers/sound/msnd.c | |
178 | # 2004/06/16 02:42:38-03:00 marcelo@logos.cnet +4 -18 | |
179 | # Import patch msnd-fix | |
180 | # | |
181 | # drivers/sound/msnd.h | |
182 | # 2004/06/16 02:42:26-03:00 marcelo@logos.cnet +2 -2 | |
183 | # Import patch msnd-fix | |
184 | # | |
185 | # drivers/sound/msnd_pinnacle.c | |
186 | # 2004/06/16 02:42:11-03:00 marcelo@logos.cnet +56 -32 | |
187 | # Import patch msnd-fix | |
188 | # | |
189 | diff -Nru a/drivers/sound/msnd.c b/drivers/sound/msnd.c | |
190 | --- a/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00 | |
191 | +++ b/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00 | |
192 | @@ -155,13 +155,10 @@ | |
193 | f->len = f->tail = f->head = 0; | |
194 | } | |
195 | ||
196 | -int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user) | |
197 | +int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len) | |
198 | { | |
199 | int count = 0; | |
200 | ||
201 | - if (f->len == f->n) | |
202 | - return 0; | |
203 | - | |
204 | while ((count < len) && (f->len != f->n)) { | |
205 | ||
206 | int nwritten; | |
207 | @@ -177,11 +174,7 @@ | |
208 | nwritten = len - count; | |
209 | } | |
210 | ||
211 | - if (user) { | |
212 | - if (copy_from_user(f->data + f->tail, buf, nwritten)) | |
213 | - return -EFAULT; | |
214 | - } else | |
215 | - isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten); | |
216 | + isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten); | |
217 | ||
218 | count += nwritten; | |
219 | buf += nwritten; | |
220 | @@ -193,13 +186,10 @@ | |
221 | return count; | |
222 | } | |
223 | ||
224 | -int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user) | |
225 | +int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len) | |
226 | { | |
227 | int count = 0; | |
228 | ||
229 | - if (f->len == 0) | |
230 | - return f->len; | |
231 | - | |
232 | while ((count < len) && (f->len > 0)) { | |
233 | ||
234 | int nread; | |
235 | @@ -215,11 +205,7 @@ | |
236 | nread = len - count; | |
237 | } | |
238 | ||
239 | - if (user) { | |
240 | - if (copy_to_user(buf, f->data + f->head, nread)) | |
241 | - return -EFAULT; | |
242 | - } else | |
243 | - isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread); | |
244 | + isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread); | |
245 | ||
246 | count += nread; | |
247 | buf += nread; | |
248 | diff -Nru a/drivers/sound/msnd.h b/drivers/sound/msnd.h | |
249 | --- a/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00 | |
250 | +++ b/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00 | |
251 | @@ -266,8 +266,8 @@ | |
252 | void msnd_fifo_free(msnd_fifo *f); | |
253 | int msnd_fifo_alloc(msnd_fifo *f, size_t n); | |
254 | void msnd_fifo_make_empty(msnd_fifo *f); | |
255 | -int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user); | |
256 | -int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user); | |
257 | +int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len); | |
258 | +int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len); | |
259 | ||
260 | int msnd_wait_TXDE(multisound_dev_t *dev); | |
261 | int msnd_wait_HC0(multisound_dev_t *dev); | |
262 | diff -Nru a/drivers/sound/msnd_pinnacle.c b/drivers/sound/msnd_pinnacle.c | |
263 | --- a/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00 | |
264 | +++ b/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00 | |
265 | @@ -804,7 +804,7 @@ | |
266 | ||
267 | static __inline__ int pack_DARQ_to_DARF(register int bank) | |
268 | { | |
269 | - register int size, n, timeout = 3; | |
270 | + register int size, timeout = 3; | |
271 | register WORD wTmp; | |
272 | LPDAQD DAQD; | |
273 | ||
274 | @@ -825,13 +825,10 @@ | |
275 | /* Read data from the head (unprotected bank 1 access okay | |
276 | since this is only called inside an interrupt) */ | |
277 | outb(HPBLKSEL_1, dev.io + HP_BLKS); | |
278 | - if ((n = msnd_fifo_write( | |
279 | + msnd_fifo_write( | |
280 | &dev.DARF, | |
281 | (char *)(dev.base + bank * DAR_BUFF_SIZE), | |
282 | - size, 0)) <= 0) { | |
283 | - outb(HPBLKSEL_0, dev.io + HP_BLKS); | |
284 | - return n; | |
285 | - } | |
286 | + size); | |
287 | outb(HPBLKSEL_0, dev.io + HP_BLKS); | |
288 | ||
289 | return 1; | |
290 | @@ -853,21 +850,16 @@ | |
291 | if (protect) { | |
292 | /* Critical section: protect fifo in non-interrupt */ | |
293 | spin_lock_irqsave(&dev.lock, flags); | |
294 | - if ((n = msnd_fifo_read( | |
295 | + n = msnd_fifo_read( | |
296 | &dev.DAPF, | |
297 | (char *)(dev.base + bank_num * DAP_BUFF_SIZE), | |
298 | - DAP_BUFF_SIZE, 0)) < 0) { | |
299 | - spin_unlock_irqrestore(&dev.lock, flags); | |
300 | - return n; | |
301 | - } | |
302 | + DAP_BUFF_SIZE); | |
303 | spin_unlock_irqrestore(&dev.lock, flags); | |
304 | } else { | |
305 | - if ((n = msnd_fifo_read( | |
306 | + n = msnd_fifo_read( | |
307 | &dev.DAPF, | |
308 | (char *)(dev.base + bank_num * DAP_BUFF_SIZE), | |
309 | - DAP_BUFF_SIZE, 0)) < 0) { | |
310 | - return n; | |
311 | - } | |
312 | + DAP_BUFF_SIZE); | |
313 | } | |
314 | if (!n) | |
315 | break; | |
316 | @@ -894,30 +886,43 @@ | |
317 | static int dsp_read(char *buf, size_t len) | |
318 | { | |
319 | int count = len; | |
320 | + char *page = (char *)__get_free_page(PAGE_SIZE); | |
321 | + | |
322 | + if (!page) | |
323 | + return -ENOMEM; | |
324 | ||
325 | while (count > 0) { | |
326 | - int n; | |
327 | + int n, k; | |
328 | unsigned long flags; | |
329 | ||
330 | + k = PAGE_SIZE; | |
331 | + if (k > count) | |
332 | + k = count; | |
333 | + | |
334 | /* Critical section: protect fifo in non-interrupt */ | |
335 | spin_lock_irqsave(&dev.lock, flags); | |
336 | - if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) { | |
337 | - printk(KERN_WARNING LOGNAME ": FIFO read error\n"); | |
338 | - spin_unlock_irqrestore(&dev.lock, flags); | |
339 | - return n; | |
340 | - } | |
341 | + n = msnd_fifo_read(&dev.DARF, page, k); | |
342 | spin_unlock_irqrestore(&dev.lock, flags); | |
343 | + if (copy_to_user(buf, page, n)) { | |
344 | + free_page((unsigned long)page); | |
345 | + return -EFAULT; | |
346 | + } | |
347 | buf += n; | |
348 | count -= n; | |
349 | ||
350 | + if (n == k && count) | |
351 | + continue; | |
352 | + | |
353 | if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) { | |
354 | dev.last_recbank = -1; | |
355 | if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0) | |
356 | set_bit(F_READING, &dev.flags); | |
357 | } | |
358 | ||
359 | - if (dev.rec_ndelay) | |
360 | + if (dev.rec_ndelay) { | |
361 | + free_page((unsigned long)page); | |
362 | return count == len ? -EAGAIN : len - count; | |
363 | + } | |
364 | ||
365 | if (count > 0) { | |
366 | set_bit(F_READBLOCK, &dev.flags); | |
367 | @@ -926,41 +931,57 @@ | |
368 | get_rec_delay_jiffies(DAR_BUFF_SIZE))) | |
369 | clear_bit(F_READING, &dev.flags); | |
370 | clear_bit(F_READBLOCK, &dev.flags); | |
371 | - if (signal_pending(current)) | |
372 | + if (signal_pending(current)) { | |
373 | + free_page((unsigned long)page); | |
374 | return -EINTR; | |
375 | + } | |
376 | } | |
377 | } | |
378 | - | |
379 | + free_page((unsigned long)page); | |
380 | return len - count; | |
381 | } | |
382 | ||
383 | static int dsp_write(const char *buf, size_t len) | |
384 | { | |
385 | int count = len; | |
386 | + char *page = (char *)__get_free_page(GFP_KERNEL); | |
387 | + | |
388 | + if (!page) | |
389 | + return -ENOMEM; | |
390 | ||
391 | while (count > 0) { | |
392 | - int n; | |
393 | + int n, k; | |
394 | unsigned long flags; | |
395 | ||
396 | + k = PAGE_SIZE; | |
397 | + if (k > count) | |
398 | + k = count; | |
399 | + | |
400 | + if (copy_from_user(page, buf, k)) { | |
401 | + free_page((unsigned long)page); | |
402 | + return -EFAULT; | |
403 | + } | |
404 | + | |
405 | /* Critical section: protect fifo in non-interrupt */ | |
406 | spin_lock_irqsave(&dev.lock, flags); | |
407 | - if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) { | |
408 | - printk(KERN_WARNING LOGNAME ": FIFO write error\n"); | |
409 | - spin_unlock_irqrestore(&dev.lock, flags); | |
410 | - return n; | |
411 | - } | |
412 | + n = msnd_fifo_write(&dev.DAPF, page, k); | |
413 | spin_unlock_irqrestore(&dev.lock, flags); | |
414 | buf += n; | |
415 | count -= n; | |
416 | ||
417 | + if (count && n == k) | |
418 | + continue; | |
419 | + | |
420 | if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) { | |
421 | dev.last_playbank = -1; | |
422 | if (pack_DAPF_to_DAPQ(1) > 0) | |
423 | set_bit(F_WRITING, &dev.flags); | |
424 | } | |
425 | ||
426 | - if (dev.play_ndelay) | |
427 | + if (dev.play_ndelay) { | |
428 | + free_page((unsigned long)page); | |
429 | return count == len ? -EAGAIN : len - count; | |
430 | + } | |
431 | ||
432 | if (count > 0) { | |
433 | set_bit(F_WRITEBLOCK, &dev.flags); | |
434 | @@ -968,11 +989,14 @@ | |
435 | &dev.writeblock, | |
436 | get_play_delay_jiffies(DAP_BUFF_SIZE)); | |
437 | clear_bit(F_WRITEBLOCK, &dev.flags); | |
438 | - if (signal_pending(current)) | |
439 | + if (signal_pending(current)) { | |
440 | + free_page((unsigned long)page); | |
441 | return -EINTR; | |
442 | + } | |
443 | } | |
444 | } | |
445 | ||
446 | + free_page((unsigned long)page); | |
447 | return len - count; | |
448 | } | |
449 | ||
450 | # This is a BitKeeper generated diff -Nru style patch. | |
451 | # | |
452 | # ChangeSet | |
453 | # 2004/06/23 09:13:13-03:00 marcelo@logos.cnet | |
454 | # Al Viro sparse fixes: pss user pointer dereference | |
455 | # | |
456 | # drivers/sound/pss.c | |
457 | # 2004/06/16 00:31:33-03:00 marcelo@logos.cnet +63 -29 | |
458 | # Import patch pss-fix | |
459 | # | |
460 | diff -Nru a/drivers/sound/pss.c b/drivers/sound/pss.c | |
461 | --- a/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00 | |
462 | +++ b/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00 | |
463 | @@ -450,20 +450,36 @@ | |
464 | } | |
465 | } | |
466 | ||
467 | -static void arg_to_volume_mono(unsigned int volume, int *aleft) | |
468 | +static int set_volume_mono(caddr_t p, int *aleft) | |
469 | { | |
470 | int left; | |
471 | + unsigned volume; | |
472 | + if (get_user(volume, (unsigned *)p)) | |
473 | + return -EFAULT; | |
474 | ||
475 | - left = volume & 0x00ff; | |
476 | + left = volume & 0xff; | |
477 | if (left > 100) | |
478 | left = 100; | |
479 | *aleft = left; | |
480 | + return 0; | |
481 | } | |
482 | ||
483 | -static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright) | |
484 | +static int set_volume_stereo(caddr_t p, int *aleft, int *aright) | |
485 | { | |
486 | - arg_to_volume_mono(volume, aleft); | |
487 | - arg_to_volume_mono(volume >> 8, aright); | |
488 | + int left, right; | |
489 | + unsigned volume; | |
490 | + if (get_user(volume, (unsigned *)p)) | |
491 | + return -EFAULT; | |
492 | + | |
493 | + left = volume & 0xff; | |
494 | + if (left > 100) | |
495 | + left = 100; | |
496 | + right = (volume >> 8) & 0xff; | |
497 | + if (right > 100) | |
498 | + right = 100; | |
499 | + *aleft = left; | |
500 | + *aright = right; | |
501 | + return 0; | |
502 | } | |
503 | ||
504 | static int ret_vol_mono(int left) | |
505 | @@ -510,33 +526,38 @@ | |
506 | return call_ad_mixer(devc, cmd, arg); | |
507 | else | |
508 | { | |
509 | - if (*(int *)arg != 0) | |
510 | + int v; | |
511 | + if (get_user(v, (int *)arg)) | |
512 | + return -EFAULT; | |
513 | + if (v != 0) | |
514 | return -EINVAL; | |
515 | return 0; | |
516 | } | |
517 | case SOUND_MIXER_VOLUME: | |
518 | - arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l, | |
519 | - &devc->mixer.volume_r); | |
520 | + if (set_volume_stereo(arg, | |
521 | + &devc->mixer.volume_l, | |
522 | + &devc->mixer.volume_r)) | |
523 | + return -EFAULT; | |
524 | set_master_volume(devc, devc->mixer.volume_l, | |
525 | devc->mixer.volume_r); | |
526 | return ret_vol_stereo(devc->mixer.volume_l, | |
527 | devc->mixer.volume_r); | |
528 | ||
529 | case SOUND_MIXER_BASS: | |
530 | - arg_to_volume_mono(*(unsigned int *)arg, | |
531 | - &devc->mixer.bass); | |
532 | + if (set_volume_mono(arg, &devc->mixer.bass)) | |
533 | + return -EFAULT; | |
534 | set_bass(devc, devc->mixer.bass); | |
535 | return ret_vol_mono(devc->mixer.bass); | |
536 | ||
537 | case SOUND_MIXER_TREBLE: | |
538 | - arg_to_volume_mono(*(unsigned int *)arg, | |
539 | - &devc->mixer.treble); | |
540 | + if (set_volume_mono(arg, &devc->mixer.treble)) | |
541 | + return -EFAULT; | |
542 | set_treble(devc, devc->mixer.treble); | |
543 | return ret_vol_mono(devc->mixer.treble); | |
544 | ||
545 | case SOUND_MIXER_SYNTH: | |
546 | - arg_to_volume_mono(*(unsigned int *)arg, | |
547 | - &devc->mixer.synth); | |
548 | + if (set_volume_mono(arg, &devc->mixer.synth)) | |
549 | + return -EFAULT; | |
550 | set_synth_volume(devc, devc->mixer.synth); | |
551 | return ret_vol_mono(devc->mixer.synth); | |
552 | ||
553 | @@ -546,54 +567,67 @@ | |
554 | } | |
555 | else | |
556 | { | |
557 | + int val, and_mask = 0, or_mask = 0; | |
558 | /* | |
559 | * Return parameters | |
560 | */ | |
561 | switch (cmdf) | |
562 | { | |
563 | - | |
564 | case SOUND_MIXER_DEVMASK: | |
565 | if (call_ad_mixer(devc, cmd, arg) == -EINVAL) | |
566 | - *(int *)arg = 0; /* no mixer devices */ | |
567 | - return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH); | |
568 | + break; | |
569 | + and_mask = ~0; | |
570 | + or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH; | |
571 | + break; | |
572 | ||
573 | case SOUND_MIXER_STEREODEVS: | |
574 | if (call_ad_mixer(devc, cmd, arg) == -EINVAL) | |
575 | - *(int *)arg = 0; /* no stereo devices */ | |
576 | - return (*(int *)arg |= SOUND_MASK_VOLUME); | |
577 | + break; | |
578 | + and_mask = ~0; | |
579 | + or_mask = SOUND_MASK_VOLUME; | |
580 | + break; | |
581 | ||
582 | case SOUND_MIXER_RECMASK: | |
583 | if (devc->ad_mixer_dev != NO_WSS_MIXER) | |
584 | return call_ad_mixer(devc, cmd, arg); | |
585 | - else | |
586 | - return (*(int *)arg = 0); /* no record devices */ | |
587 | + break; | |
588 | ||
589 | case SOUND_MIXER_CAPS: | |
590 | if (devc->ad_mixer_dev != NO_WSS_MIXER) | |
591 | return call_ad_mixer(devc, cmd, arg); | |
592 | - else | |
593 | - return (*(int *)arg = SOUND_CAP_EXCL_INPUT); | |
594 | + or_mask = SOUND_CAP_EXCL_INPUT; | |
595 | + break; | |
596 | ||
597 | case SOUND_MIXER_RECSRC: | |
598 | if (devc->ad_mixer_dev != NO_WSS_MIXER) | |
599 | return call_ad_mixer(devc, cmd, arg); | |
600 | - else | |
601 | - return (*(int *)arg = 0); /* no record source */ | |
602 | + break; | |
603 | ||
604 | case SOUND_MIXER_VOLUME: | |
605 | - return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r)); | |
606 | + or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r); | |
607 | + break; | |
608 | ||
609 | case SOUND_MIXER_BASS: | |
610 | - return (*(int *)arg = ret_vol_mono(devc->mixer.bass)); | |
611 | + or_mask = ret_vol_mono(devc->mixer.bass); | |
612 | + break; | |
613 | ||
614 | case SOUND_MIXER_TREBLE: | |
615 | - return (*(int *)arg = ret_vol_mono(devc->mixer.treble)); | |
616 | + or_mask = ret_vol_mono(devc->mixer.treble); | |
617 | + break; | |
618 | ||
619 | case SOUND_MIXER_SYNTH: | |
620 | - return (*(int *)arg = ret_vol_mono(devc->mixer.synth)); | |
621 | + or_mask = ret_vol_mono(devc->mixer.synth); | |
622 | + break; | |
623 | default: | |
624 | return -EINVAL; | |
625 | } | |
626 | + if (get_user(val, (int *)arg)) | |
627 | + return -EFAULT; | |
628 | + val &= and_mask; | |
629 | + val |= or_mask; | |
630 | + if (put_user(val, (int *)arg)) | |
631 | + return -EFAULT; | |
632 | + return val; | |
633 | } | |
634 | } | |
635 | ||
636 | # This is a BitKeeper generated diff -Nru style patch. | |
637 | # | |
638 | # ChangeSet | |
639 | # 2004/06/23 09:14:50-03:00 marcelo@logos.cnet | |
640 | # Al Viro sparse fixes: aironet | |
641 | # | |
642 | # drivers/net/wireless/airo.c | |
643 | # 2004/06/16 02:34:27-03:00 marcelo@logos.cnet +27 -24 | |
644 | # Import patch airo-fix | |
645 | # | |
646 | diff -Nru a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c | |
647 | --- a/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00 | |
648 | +++ b/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00 | |
649 | @@ -3666,19 +3666,22 @@ | |
650 | size_t len, | |
651 | loff_t *offset ) | |
652 | { | |
653 | - int i; | |
654 | - int pos; | |
655 | + loff_t pos = *offset; | |
656 | struct proc_data *priv = (struct proc_data*)file->private_data; | |
657 | ||
658 | - if( !priv->rbuffer ) return -EINVAL; | |
659 | + if (!priv->rbuffer) | |
660 | + return -EINVAL; | |
661 | ||
662 | - pos = *offset; | |
663 | - for( i = 0; i+pos < priv->readlen && i < len; i++ ) { | |
664 | - if (put_user( priv->rbuffer[i+pos], buffer+i )) | |
665 | - return -EFAULT; | |
666 | - } | |
667 | - *offset += i; | |
668 | - return i; | |
669 | + if (pos < 0) | |
670 | + return -EINVAL; | |
671 | + if (pos >= priv->readlen) | |
672 | + return 0; | |
673 | + if (len > priv->readlen - pos) | |
674 | + len = priv->readlen - pos; | |
675 | + if (copy_to_user(buffer, priv->rbuffer + pos, len)) | |
676 | + return -EFAULT; | |
677 | + *offset = pos + len; | |
678 | + return len; | |
679 | } | |
680 | ||
681 | /* | |
682 | @@ -3690,24 +3693,24 @@ | |
683 | size_t len, | |
684 | loff_t *offset ) | |
685 | { | |
686 | - int i; | |
687 | - int pos; | |
688 | + loff_t pos = *offset; | |
689 | struct proc_data *priv = (struct proc_data*)file->private_data; | |
690 | ||
691 | - if ( !priv->wbuffer ) { | |
692 | + if (!priv->wbuffer) | |
693 | return -EINVAL; | |
694 | - } | |
695 | ||
696 | - pos = *offset; | |
697 | - | |
698 | - for( i = 0; i + pos < priv->maxwritelen && | |
699 | - i < len; i++ ) { | |
700 | - if (get_user( priv->wbuffer[i+pos], buffer + i )) | |
701 | - return -EFAULT; | |
702 | - } | |
703 | - if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos; | |
704 | - *offset += i; | |
705 | - return i; | |
706 | + if (pos < 0) | |
707 | + return -EINVAL; | |
708 | + if (pos >= priv->maxwritelen) | |
709 | + return 0; | |
710 | + if (len > priv->maxwritelen - pos) | |
711 | + len = priv->maxwritelen - pos; | |
712 | + if (copy_from_user(priv->wbuffer + pos, buffer, len)) | |
713 | + return -EFAULT; | |
714 | + if (pos + len > priv->writelen) | |
715 | + priv->writelen = pos + len; | |
716 | + *offset = pos + len; | |
717 | + return len; | |
718 | } | |
719 | ||
720 | static int proc_status_open( struct inode *inode, struct file *file ) { | |
721 | # This is a BitKeeper generated diff -Nru style patch. | |
722 | # | |
723 | # ChangeSet | |
724 | # 2004/06/23 09:20:50-03:00 marcelo@logos.cnet | |
725 | # Al Viro sparse fixes: asus_acpi user pointer dereference | |
726 | # | |
727 | # drivers/acpi/asus_acpi.c | |
728 | # 2004/06/18 23:44:13-03:00 marcelo@logos.cnet +34 -12 | |
729 | # Import patch acpi.solar | |
730 | # | |
731 | diff -Nru a/drivers/acpi/asus_acpi.c b/drivers/acpi/asus_acpi.c | |
732 | --- a/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00 | |
733 | +++ b/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00 | |
734 | @@ -40,6 +40,7 @@ | |
735 | #include <linux/proc_fs.h> | |
736 | #include <acpi/acpi_drivers.h> | |
737 | #include <acpi/acpi_bus.h> | |
738 | +#include <asm/uaccess.h> | |
739 | ||
740 | #define ASUS_ACPI_VERSION "0.28" | |
741 | ||
742 | @@ -455,6 +456,21 @@ | |
743 | ||
744 | return len; | |
745 | } | |
746 | + | |
747 | +static int parse_arg(const char *buf, unsigned long count, int *val) | |
748 | +{ | |
749 | + char s[32]; | |
750 | + if (!count) | |
751 | + return 0; | |
752 | + if (count > 31) | |
753 | + return -EINVAL; | |
754 | + if (copy_from_user(s, buf, count)) | |
755 | + return -EFAULT; | |
756 | + s[count] = 0; | |
757 | + if (sscanf(s, "%i", val) != 1) | |
758 | + return -EINVAL; | |
759 | + return count; | |
760 | +} | |
761 | ||
762 | ||
763 | /* | |
764 | @@ -486,11 +502,14 @@ | |
765 | write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk, | |
766 | char *ledname, int ledmask, int invert) | |
767 | { | |
768 | - int value; | |
769 | + int value, retval; | |
770 | int led_out = 0; | |
771 | ||
772 | - if (sscanf(buffer, "%i", &value) == 1) | |
773 | - led_out = value ? 1 : 0; | |
774 | + retval = parse_arg(buffer, count, &value); | |
775 | + if (retval <= 0) | |
776 | + return retval; | |
777 | + count = retval; | |
778 | + led_out = value ? 1 : 0; | |
779 | ||
780 | hotk->status = | |
781 | (led_out) ? (hotk->status | ledmask) : (hotk->status & ~ledmask); | |
782 | @@ -643,12 +662,13 @@ | |
783 | proc_write_lcd(struct file *file, const char *buffer, | |
784 | unsigned long count, void *data) | |
785 | { | |
786 | - int value; | |
787 | + int value, retval; | |
788 | struct asus_hotk *hotk = (struct asus_hotk *) data; | |
789 | ||
790 | - if (sscanf(buffer, "%i", &value) == 1) | |
791 | + retval = parse_arg(buffer, count, &value); | |
792 | + if (retval > 0) | |
793 | set_lcd_state(hotk, value); | |
794 | - return count; | |
795 | + return retval; | |
796 | } | |
797 | ||
798 | ||
799 | @@ -710,10 +730,11 @@ | |
800 | proc_write_brn(struct file *file, const char *buffer, | |
801 | unsigned long count, void *data) | |
802 | { | |
803 | - int value; | |
804 | + int value, retval; | |
805 | struct asus_hotk *hotk = (struct asus_hotk *) data; | |
806 | ||
807 | - if (sscanf(buffer, "%d", &value) == 1) { | |
808 | + retval = parse_arg(buffer, count, &value); | |
809 | + if (retval > 0) { | |
810 | value = (0 < value) ? ((15 < value) ? 15 : value) : 0; | |
811 | /* 0 <= value <= 15 */ | |
812 | set_brightness(value, hotk); | |
813 | @@ -721,7 +742,7 @@ | |
814 | printk(KERN_WARNING "Asus ACPI: Error reading user input\n"); | |
815 | } | |
816 | ||
817 | - return count; | |
818 | + return retval; | |
819 | } | |
820 | ||
821 | static void set_display(int value, struct asus_hotk *hotk) | |
822 | @@ -759,16 +780,17 @@ | |
823 | proc_write_disp(struct file *file, const char *buffer, | |
824 | unsigned long count, void *data) | |
825 | { | |
826 | - int value; | |
827 | + int value, retval; | |
828 | struct asus_hotk *hotk = (struct asus_hotk *) data; | |
829 | ||
830 | - if (sscanf(buffer, "%d", &value) == 1) | |
831 | + retval = parse_arg(buffer, count, &value); | |
832 | + if (retval > 0) | |
833 | set_display(value, hotk); | |
834 | else { | |
835 | printk(KERN_WARNING "Asus ACPI: Error reading user input\n"); | |
836 | } | |
837 | ||
838 | - return count; | |
839 | + return retval; | |
840 | } | |
841 | ||
842 |