1 # This is a BitKeeper generated diff -Nru style patch.
4 # 2004/06/23 09:08:01-03:00 marcelo@logos.cnet
5 # Al Viro sparse fixes: decnet user pointer dereference
8 # 2004/06/15 23:54:14-03:00 marcelo@logos.cnet +15 -7
9 # Import patch decnet-fix
11 diff -Nru a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
12 --- a/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00
13 +++ b/net/decnet/dn_dev.c 2004-06-25 05:11:19 -07:00
14 @@ -1061,31 +1061,39 @@
16 struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr;
17 struct dn_ifaddr *ifa;
18 - struct ifreq *ifr = (struct ifreq *)buf;
19 + char buffer[DN_IFREQ_SIZE];
20 + struct ifreq *ifr = (struct ifreq *)buffer;
21 + struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr;
24 if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL))
27 for(; ifa; ifa = ifa->ifa_next) {
30 done += sizeof(DN_IFREQ_SIZE);
33 if (len < DN_IFREQ_SIZE)
35 - memset(ifr, 0, DN_IFREQ_SIZE);
36 + memset(buffer, 0, DN_IFREQ_SIZE);
39 strcpy(ifr->ifr_name, ifa->ifa_label);
41 strcpy(ifr->ifr_name, dev->name);
43 - (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet;
44 - (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2;
45 - (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local;
46 + addr->sdn_family = AF_DECnet;
47 + addr->sdn_add.a_len = 2;
48 + memcpy(addr->sdn_add.a_addr, &ifa->ifa_local,
49 + sizeof(dn_address));
51 - ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE);
52 + if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) {
57 + buf += DN_IFREQ_SIZE;
59 done += DN_IFREQ_SIZE;
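Review bot: The size-query branch kept as context still does `done += sizeof(DN_IFREQ_SIZE);`, which adds the size of the constant's type rather than its value, while the copy path at the end of the hunk adds `DN_IFREQ_SIZE`. A caller that first asks for the required length will therefore be told too little; that line should read `done += DN_IFREQ_SIZE;`. Separately, the two `strcpy` calls now write into the on-stack `buffer`, so a bounded copy sized to `ifr->ifr_name` would be safer if `ifa_label` or `dev->name` can ever be longer than that field; their sizes are not visible here. The function starts and ends outside this hunk.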
61 # This is a BitKeeper generated diff -Nru style patch.
64 # 2004/06/23 09:09:39-03:00 marcelo@logos.cnet
65 # Al Viro sparse fixes: mpu401 user pointer dereference
67 # drivers/sound/mpu401.c
68 # 2004/06/16 00:07:29-03:00 marcelo@logos.cnet +28 -11
69 # Import patch mpu401-fix
71 diff -Nru a/drivers/sound/mpu401.c b/drivers/sound/mpu401.c
72 --- a/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00
73 +++ b/drivers/sound/mpu401.c 2004-06-25 05:15:29 -07:00
74 @@ -1513,14 +1513,16 @@
75 static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg)
77 int midi_dev = sound_timer_devs[dev]->devlink;
78 + int *p = (int *)arg;
82 case SNDCTL_TMR_SOURCE:
86 - parm = *(int *) arg;
88 + if (get_user(parm, p))
94 else if (timer_mode & TMR_MODE_SMPTE)
95 mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */
97 - return (*(int *) arg = timer_mode);
98 + if (put_user(timer_mode, p))
104 @@ -1557,10 +1561,13 @@
108 - val = *(int *) arg;
109 + if (get_user(val, p))
112 set_timebase(midi_dev, val);
113 - return (*(int *) arg = curr_timebase);
114 + if (put_user(curr_timebase, p))
116 + return curr_timebase;
120 @@ -1569,7 +1576,8 @@
124 - val = *(int *) arg;
125 + if (get_user(val, p))
130 @@ -1584,7 +1592,9 @@
134 - return (*(int *) arg = curr_tempo);
135 + if (put_user(curr_tempo, p))
141 @@ -1592,18 +1602,25 @@
145 - val = *(int *) arg;
146 + if (get_user(val, p))
148 if (val != 0) /* Can't change */
150 - return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60);
151 + val = (curr_tempo * curr_timebase + 30) / 60;
152 + if (put_user(val, p))
158 case SNDCTL_SEQ_GETTIME:
159 - return (*(int *) arg = curr_ticks);
160 + if (put_user(curr_ticks, p))
164 case SNDCTL_TMR_METRONOME:
165 - metronome_mode = *(int *) arg;
166 + if (get_user(metronome_mode, p))
168 setup_metronome(midi_dev);
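Review bot: In the `SNDCTL_TMR_METRONOME` case, `get_user(metronome_mode, p)` reads straight into driver state, unlike the other cases in this patch, which read into `parm` or `val`. On the usual implementations `get_user` zeroes its destination when the access faults, so a bad pointer would reset `metronome_mode` before the error is returned. Reading into a local int first keeps the state untouched on failure: `if (get_user(val, p)) return -EFAULT;` followed by `metronome_mode = val;`. The switch continues outside this hunk, so check that a suitable local is in scope in that case.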
171 # This is a BitKeeper generated diff -Nru style patch.
174 # 2004/06/23 09:11:47-03:00 marcelo@logos.cnet
175 # Al Viro sparse fixes: msnd user pointer dereference & assorted fixes
177 # drivers/sound/msnd.c
178 # 2004/06/16 02:42:38-03:00 marcelo@logos.cnet +4 -18
179 # Import patch msnd-fix
181 # drivers/sound/msnd.h
182 # 2004/06/16 02:42:26-03:00 marcelo@logos.cnet +2 -2
183 # Import patch msnd-fix
185 # drivers/sound/msnd_pinnacle.c
186 # 2004/06/16 02:42:11-03:00 marcelo@logos.cnet +56 -32
187 # Import patch msnd-fix
189 diff -Nru a/drivers/sound/msnd.c b/drivers/sound/msnd.c
190 --- a/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00
191 +++ b/drivers/sound/msnd.c 2004-06-25 05:15:38 -07:00
192 @@ -155,13 +155,10 @@
193 f->len = f->tail = f->head = 0;
196 -int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user)
197 +int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len)
201 - if (f->len == f->n)
204 while ((count < len) && (f->len != f->n)) {
208 nwritten = len - count;
212 - if (copy_from_user(f->data + f->tail, buf, nwritten))
215 - isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
216 + isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
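Review bot: With the `user` flag removed, `msnd_fifo_write` always copies with `isa_memcpy_fromio((unsigned long) buf, ...)`, and `msnd_fifo_read` in the next hunk always uses `isa_memcpy_toio`. The same commit changes `dsp_write` and `dsp_read` in msnd_pinnacle.c to pass `page`, a buffer from `__get_free_page`, to these functions. As far as the visible lines show, a kernel virtual address is then treated as an ISA bus address, so the copy would touch the wrong memory. The interrupt-side callers that pass `dev.base + bank * ...` do need the ISA accessors, so a second pair of helpers using plain `memcpy` for kernel buffers would keep the two cases apart. Both function bodies extend beyond these hunks.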
220 @@ -193,13 +186,10 @@
224 -int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user)
225 +int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len)
232 while ((count < len) && (f->len > 0)) {
240 - if (copy_to_user(buf, f->data + f->head, nread))
243 - isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
244 + isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
248 diff -Nru a/drivers/sound/msnd.h b/drivers/sound/msnd.h
249 --- a/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00
250 +++ b/drivers/sound/msnd.h 2004-06-25 05:15:38 -07:00
252 void msnd_fifo_free(msnd_fifo *f);
253 int msnd_fifo_alloc(msnd_fifo *f, size_t n);
254 void msnd_fifo_make_empty(msnd_fifo *f);
255 -int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user);
256 -int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user);
257 +int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len);
258 +int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len);
260 int msnd_wait_TXDE(multisound_dev_t *dev);
261 int msnd_wait_HC0(multisound_dev_t *dev);
262 diff -Nru a/drivers/sound/msnd_pinnacle.c b/drivers/sound/msnd_pinnacle.c
263 --- a/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00
264 +++ b/drivers/sound/msnd_pinnacle.c 2004-06-25 05:15:38 -07:00
267 static __inline__ int pack_DARQ_to_DARF(register int bank)
269 - register int size, n, timeout = 3;
270 + register int size, timeout = 3;
274 @@ -825,13 +825,10 @@
275 /* Read data from the head (unprotected bank 1 access okay
276 since this is only called inside an interrupt) */
277 outb(HPBLKSEL_1, dev.io + HP_BLKS);
278 - if ((n = msnd_fifo_write(
281 (char *)(dev.base + bank * DAR_BUFF_SIZE),
283 - outb(HPBLKSEL_0, dev.io + HP_BLKS);
287 outb(HPBLKSEL_0, dev.io + HP_BLKS);
290 @@ -853,21 +850,16 @@
292 /* Critical section: protect fifo in non-interrupt */
293 spin_lock_irqsave(&dev.lock, flags);
294 - if ((n = msnd_fifo_read(
295 + n = msnd_fifo_read(
297 (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
298 - DAP_BUFF_SIZE, 0)) < 0) {
299 - spin_unlock_irqrestore(&dev.lock, flags);
303 spin_unlock_irqrestore(&dev.lock, flags);
305 - if ((n = msnd_fifo_read(
306 + n = msnd_fifo_read(
308 (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
309 - DAP_BUFF_SIZE, 0)) < 0) {
316 @@ -894,30 +886,43 @@
317 static int dsp_read(char *buf, size_t len)
320 + char *page = (char *)__get_free_page(PAGE_SIZE);
334 /* Critical section: protect fifo in non-interrupt */
335 spin_lock_irqsave(&dev.lock, flags);
336 - if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) {
337 - printk(KERN_WARNING LOGNAME ": FIFO read error\n");
338 - spin_unlock_irqrestore(&dev.lock, flags);
341 + n = msnd_fifo_read(&dev.DARF, page, k);
342 spin_unlock_irqrestore(&dev.lock, flags);
343 + if (copy_to_user(buf, page, n)) {
344 + free_page((unsigned long)page);
350 + if (n == k && count)
353 if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) {
354 dev.last_recbank = -1;
355 if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0)
356 set_bit(F_READING, &dev.flags);
359 - if (dev.rec_ndelay)
360 + if (dev.rec_ndelay) {
361 + free_page((unsigned long)page);
362 return count == len ? -EAGAIN : len - count;
366 set_bit(F_READBLOCK, &dev.flags);
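Review bot: `dsp_read` allocates its bounce page with `__get_free_page(PAGE_SIZE)`, which passes a byte count where the allocator expects allocation flags. `dsp_write` later in this file uses `GFP_KERNEL`, and the line here should match: `char *page = (char *)__get_free_page(GFP_KERNEL);`. No check for a failed allocation is visible before `msnd_fifo_read` and `copy_to_user` use `page`. If the lines not shown here lack one, add `if (!page) return -ENOMEM;` directly after the allocation. The function body continues past this hunk.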
367 @@ -926,41 +931,57 @@
368 get_rec_delay_jiffies(DAR_BUFF_SIZE)))
369 clear_bit(F_READING, &dev.flags);
370 clear_bit(F_READBLOCK, &dev.flags);
371 - if (signal_pending(current))
372 + if (signal_pending(current)) {
373 + free_page((unsigned long)page);
379 + free_page((unsigned long)page);
383 static int dsp_write(const char *buf, size_t len)
386 + char *page = (char *)__get_free_page(GFP_KERNEL);
400 + if (copy_from_user(page, buf, k)) {
401 + free_page((unsigned long)page);
405 /* Critical section: protect fifo in non-interrupt */
406 spin_lock_irqsave(&dev.lock, flags);
407 - if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) {
408 - printk(KERN_WARNING LOGNAME ": FIFO write error\n");
409 - spin_unlock_irqrestore(&dev.lock, flags);
412 + n = msnd_fifo_write(&dev.DAPF, page, k);
413 spin_unlock_irqrestore(&dev.lock, flags);
417 + if (count && n == k)
420 if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) {
421 dev.last_playbank = -1;
422 if (pack_DAPF_to_DAPQ(1) > 0)
423 set_bit(F_WRITING, &dev.flags);
426 - if (dev.play_ndelay)
427 + if (dev.play_ndelay) {
428 + free_page((unsigned long)page);
429 return count == len ? -EAGAIN : len - count;
433 set_bit(F_WRITEBLOCK, &dev.flags);
434 @@ -968,11 +989,14 @@
436 get_play_delay_jiffies(DAP_BUFF_SIZE));
437 clear_bit(F_WRITEBLOCK, &dev.flags);
438 - if (signal_pending(current))
439 + if (signal_pending(current)) {
440 + free_page((unsigned long)page);
446 + free_page((unsigned long)page);
450 # This is a BitKeeper generated diff -Nru style patch.
453 # 2004/06/23 09:13:13-03:00 marcelo@logos.cnet
454 # Al Viro sparse fixes: pss user pointer dereference
456 # drivers/sound/pss.c
457 # 2004/06/16 00:31:33-03:00 marcelo@logos.cnet +63 -29
458 # Import patch pss-fix
460 diff -Nru a/drivers/sound/pss.c b/drivers/sound/pss.c
461 --- a/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00
462 +++ b/drivers/sound/pss.c 2004-06-25 05:15:47 -07:00
463 @@ -450,20 +450,36 @@
467 -static void arg_to_volume_mono(unsigned int volume, int *aleft)
468 +static int set_volume_mono(caddr_t p, int *aleft)
472 + if (get_user(volume, (unsigned *)p))
475 - left = volume & 0x00ff;
476 + left = volume & 0xff;
483 -static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright)
484 +static int set_volume_stereo(caddr_t p, int *aleft, int *aright)
486 - arg_to_volume_mono(volume, aleft);
487 - arg_to_volume_mono(volume >> 8, aright);
490 + if (get_user(volume, (unsigned *)p))
493 + left = volume & 0xff;
496 + right = (volume >> 8) & 0xff;
504 static int ret_vol_mono(int left)
505 @@ -510,33 +526,38 @@
506 return call_ad_mixer(devc, cmd, arg);
509 - if (*(int *)arg != 0)
511 + if (get_user(v, (int *)arg))
517 case SOUND_MIXER_VOLUME:
518 - arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l,
519 - &devc->mixer.volume_r);
520 + if (set_volume_stereo(arg,
521 + &devc->mixer.volume_l,
522 + &devc->mixer.volume_r))
524 set_master_volume(devc, devc->mixer.volume_l,
525 devc->mixer.volume_r);
526 return ret_vol_stereo(devc->mixer.volume_l,
527 devc->mixer.volume_r);
529 case SOUND_MIXER_BASS:
530 - arg_to_volume_mono(*(unsigned int *)arg,
531 - &devc->mixer.bass);
532 + if (set_volume_mono(arg, &devc->mixer.bass))
534 set_bass(devc, devc->mixer.bass);
535 return ret_vol_mono(devc->mixer.bass);
537 case SOUND_MIXER_TREBLE:
538 - arg_to_volume_mono(*(unsigned int *)arg,
539 - &devc->mixer.treble);
540 + if (set_volume_mono(arg, &devc->mixer.treble))
542 set_treble(devc, devc->mixer.treble);
543 return ret_vol_mono(devc->mixer.treble);
545 case SOUND_MIXER_SYNTH:
546 - arg_to_volume_mono(*(unsigned int *)arg,
547 - &devc->mixer.synth);
548 + if (set_volume_mono(arg, &devc->mixer.synth))
550 set_synth_volume(devc, devc->mixer.synth);
551 return ret_vol_mono(devc->mixer.synth);
553 @@ -546,54 +567,67 @@
557 + int val, and_mask = 0, or_mask = 0;
564 case SOUND_MIXER_DEVMASK:
565 if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
566 - *(int *)arg = 0; /* no mixer devices */
567 - return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH);
570 + or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH;
573 case SOUND_MIXER_STEREODEVS:
574 if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
575 - *(int *)arg = 0; /* no stereo devices */
576 - return (*(int *)arg |= SOUND_MASK_VOLUME);
579 + or_mask = SOUND_MASK_VOLUME;
582 case SOUND_MIXER_RECMASK:
583 if (devc->ad_mixer_dev != NO_WSS_MIXER)
584 return call_ad_mixer(devc, cmd, arg);
586 - return (*(int *)arg = 0); /* no record devices */
589 case SOUND_MIXER_CAPS:
590 if (devc->ad_mixer_dev != NO_WSS_MIXER)
591 return call_ad_mixer(devc, cmd, arg);
593 - return (*(int *)arg = SOUND_CAP_EXCL_INPUT);
594 + or_mask = SOUND_CAP_EXCL_INPUT;
597 case SOUND_MIXER_RECSRC:
598 if (devc->ad_mixer_dev != NO_WSS_MIXER)
599 return call_ad_mixer(devc, cmd, arg);
601 - return (*(int *)arg = 0); /* no record source */
604 case SOUND_MIXER_VOLUME:
605 - return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r));
606 + or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r);
609 case SOUND_MIXER_BASS:
610 - return (*(int *)arg = ret_vol_mono(devc->mixer.bass));
611 + or_mask = ret_vol_mono(devc->mixer.bass);
614 case SOUND_MIXER_TREBLE:
615 - return (*(int *)arg = ret_vol_mono(devc->mixer.treble));
616 + or_mask = ret_vol_mono(devc->mixer.treble);
619 case SOUND_MIXER_SYNTH:
620 - return (*(int *)arg = ret_vol_mono(devc->mixer.synth));
621 + or_mask = ret_vol_mono(devc->mixer.synth);
626 + if (get_user(val, (int *)arg))
630 + if (put_user(val, (int *)arg))
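Review bot: The new `and_mask`/`or_mask` locals carry the whole result of this switch, but nothing in the hunk documents how they are combined with the value fetched by `get_user(val, (int *)arg)` before `put_user` writes it back. A comment above the declaration should state that rule and say which cases rely on the value `call_ad_mixer` left at `arg`. It should also note that this value is re-read from user memory rather than kept in the kernel, so it may have changed in between. The combining statements are not shown on this page, so word the comment from the full function rather than from the names alone.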
636 # This is a BitKeeper generated diff -Nru style patch.
639 # 2004/06/23 09:14:50-03:00 marcelo@logos.cnet
640 # Al Viro sparse fixes: aironet
642 # drivers/net/wireless/airo.c
643 # 2004/06/16 02:34:27-03:00 marcelo@logos.cnet +27 -24
644 # Import patch airo-fix
646 diff -Nru a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
647 --- a/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00
648 +++ b/drivers/net/wireless/airo.c 2004-06-25 05:15:55 -07:00
649 @@ -3666,19 +3666,22 @@
655 + loff_t pos = *offset;
656 struct proc_data *priv = (struct proc_data*)file->private_data;
658 - if( !priv->rbuffer ) return -EINVAL;
659 + if (!priv->rbuffer)
663 - for( i = 0; i+pos < priv->readlen && i < len; i++ ) {
664 - if (put_user( priv->rbuffer[i+pos], buffer+i ))
671 + if (pos >= priv->readlen)
673 + if (len > priv->readlen - pos)
674 + len = priv->readlen - pos;
675 + if (copy_to_user(buffer, priv->rbuffer + pos, len))
677 + *offset = pos + len;
682 @@ -3690,24 +3693,24 @@
688 + loff_t pos = *offset;
689 struct proc_data *priv = (struct proc_data*)file->private_data;
691 - if ( !priv->wbuffer ) {
692 + if (!priv->wbuffer)
698 - for( i = 0; i + pos < priv->maxwritelen &&
700 - if (get_user( priv->wbuffer[i+pos], buffer + i ))
703 - if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos;
708 + if (pos >= priv->maxwritelen)
710 + if (len > priv->maxwritelen - pos)
711 + len = priv->maxwritelen - pos;
712 + if (copy_from_user(priv->wbuffer + pos, buffer, len))
714 + if (pos + len > priv->writelen)
715 + priv->writelen = pos + len;
716 + *offset = pos + len;
720 static int proc_status_open( struct inode *inode, struct file *file ) {
721 # This is a BitKeeper generated diff -Nru style patch.
724 # 2004/06/23 09:20:50-03:00 marcelo@logos.cnet
725 # Al Viro sparse fixes: asus_acpi user pointer dereference
727 # drivers/acpi/asus_acpi.c
728 # 2004/06/18 23:44:13-03:00 marcelo@logos.cnet +34 -12
729 # Import patch acpi.solar
731 diff -Nru a/drivers/acpi/asus_acpi.c b/drivers/acpi/asus_acpi.c
732 --- a/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00
733 +++ b/drivers/acpi/asus_acpi.c 2004-06-25 05:10:44 -07:00
735 #include <linux/proc_fs.h>
736 #include <acpi/acpi_drivers.h>
737 #include <acpi/acpi_bus.h>
738 +#include <asm/uaccess.h>
740 #define ASUS_ACPI_VERSION "0.28"
747 +static int parse_arg(const char *buf, unsigned long count, int *val)
754 + if (copy_from_user(s, buf, count))
757 + if (sscanf(s, "%i", val) != 1)
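Review bot: `parse_arg` copies `count` bytes from user space into the local `s` and then runs `sscanf` on it, so its safety depends on `count` being bounded by the size of `s` and on `s` being NUL-terminated before the `sscanf` call. Neither step is visible in the lines shown here. Confirm both are present, and add a short header comment recording the contract, for example `/* copies at most sizeof(s) - 1 bytes from user space, NUL-terminates, then parses one integer */`. Every proc write handler changed in this patch now depends on this helper, so the limit is worth stating once at its definition.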
764 @@ -486,11 +502,14 @@
765 write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk,
766 char *ledname, int ledmask, int invert)
772 - if (sscanf(buffer, "%i", &value) == 1)
773 - led_out = value ? 1 : 0;
774 + retval = parse_arg(buffer, count, &value);
778 + led_out = value ? 1 : 0;
781 (led_out) ? (hotk->status | ledmask) : (hotk->status & ~ledmask);
782 @@ -643,12 +662,13 @@
783 proc_write_lcd(struct file *file, const char *buffer,
784 unsigned long count, void *data)
788 struct asus_hotk *hotk = (struct asus_hotk *) data;
790 - if (sscanf(buffer, "%i", &value) == 1)
791 + retval = parse_arg(buffer, count, &value);
793 set_lcd_state(hotk, value);
799 @@ -710,10 +730,11 @@
800 proc_write_brn(struct file *file, const char *buffer,
801 unsigned long count, void *data)
805 struct asus_hotk *hotk = (struct asus_hotk *) data;
807 - if (sscanf(buffer, "%d", &value) == 1) {
808 + retval = parse_arg(buffer, count, &value);
810 value = (0 < value) ? ((15 < value) ? 15 : value) : 0;
811 /* 0 <= value <= 15 */
812 set_brightness(value, hotk);
814 printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
821 static void set_display(int value, struct asus_hotk *hotk)
822 @@ -759,16 +780,17 @@
823 proc_write_disp(struct file *file, const char *buffer,
824 unsigned long count, void *data)
828 struct asus_hotk *hotk = (struct asus_hotk *) data;
830 - if (sscanf(buffer, "%d", &value) == 1)
831 + retval = parse_arg(buffer, count, &value);
833 set_display(value, hotk);
835 printk(KERN_WARNING "Asus ACPI: Error reading user input\n");