Re: [PATCH 12/12] v4l2-compat-ioctl32.c: refactor, fix security bug in compat ioctl32

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Sakari,

On 01/29/2018 06:06 PM, Sakari Ailus wrote:
> Hi Hans,
> 
> Thanks for your efforts on this patch and the patchset. Please see my comments below.
> 
> On Fri, Jan 26, 2018 at 01:43:27PM +0100, Hans Verkuil wrote:
>> From: Daniel Mentz <danielmentz@xxxxxxxxxx>
>>
>> The 32-bit compat v4l2 ioctl is implemented based on its 64-bit
> 
> s/v4l2 ioctl/V4L2 IOCTL handling/
> 
> ?
> 
>> equivalent. It converts 32-bit data structures into its 64-bit
>> equivalents and needs to provide the data to the 64-bit ioctl in user
>> space memory which is commonly allocated using
>> compat_alloc_user_space(). However, due to how that function is
>> implemented, it can only be called a single time for every syscall
>> invocation.  Supposedly to avoid this limitation, the existing code uses
>> a mix of memory from the kernel stack and memory allocated through
>> compat_alloc_user_space(). Under normal circumstances, this would not
>> work, because the 64-bit ioctl expects all pointers to point to user
>> space memory. As a workaround, set_fs(KERNEL_DS) is called to
>> temporarily disable this extra safety check and allow kernel pointers.
>> However, this might introduce a security vulnerability: The
>> result of the 32-bit to 64-bit conversion is writeable by user space
>> because the output buffer has been allocated via
>> compat_alloc_user_space(). A malicious user space process could then
>> manipulate pointers inside this output buffer, and due to the previous
>> set_fs(KERNEL_DS) call, functions like get_user() or put_user() no longer
>> prevent kernel memory access.
>>
>> The new approach is to pre-calculate the total amount of user space
>> memory that is needed, allocate it using compat_alloc_user_space() and
>> then divide up the allocated memory to accommodate all data structures
>> that need to be converted.
>>
>> An alternative approach would have been to retain the union type karg
>> that they allocated on the kernel stack in do_video_ioctl(), copy all
>> data from user space into karg and then back to user space. However,
>> we decided against this approach because it does not align with other
>> compat syscall implementations. Instead, we tried to replicate the
>> get_user/put_user pairs as found in other places in the kernel:
>>
>> if (get_user(clipcount, &up->clipcount) ||
>>     put_user(clipcount, &kp->clipcount)) return -EFAULT;
>>
>> Notes from hans.verkuil@xxxxxxxxx:
>>
>> This patch was taken from
>> https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/97b733953c06e4f0398ade18850f0817778255f7
>>
>> Clearly nobody could be bothered to upstream this patch or at minimum
>> tell us :-( We only heard about this a week ago.
> 
> This is very sad indeed. I would really hope that we'll never run into
> something this again!
> 
>>
>> This patch was rebased and cleaned up. Compared to the original I
>> also swapped the order of the convert_in_user arguments so that they
>> matched copy_in_user. It was hard to review otherwise. I also replaced
>> the ALLOC_USER_SPACE/ALLOC_AND_GET by a normal function.
> 
> The result looks more complicated than it should be.
> 
> I wonder if the result could be made cleaner by separating the argument
> checking and copying from / to user space in video_usercopy. That
> separation almost completely exists already. Rather than mangling the
> compat argument struct to look like a user-provided 64-bit argument struct,
> copying the arguments from and to the user space would be separately done
> to 32-bit compat IOCTL arguments.
> 
> I suppose that wouldn't be a trivial change either, so for now I'd maintain
> the approach and later consider how to make this more maintainable in the
> future. Still, that approach is quite different and it'd be easier to
> switch from status quo rather than this last patch, suggesting to start
> with a revert, should we embark into this direction.
> 
> What do you think?
> 
>>
>> Signed-off-by: Daniel Mentz <danielmentz@xxxxxxxxxx>
>> Signed-off-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
>> ---
>>  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 700 ++++++++++++++++----------
>>  1 file changed, 448 insertions(+), 252 deletions(-)
>>
>> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>> index 2aa9b43daf60..27a5a0961cbd 100644
>> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>> @@ -22,6 +22,14 @@
>>  #include <media/v4l2-ctrls.h>
>>  #include <media/v4l2-ioctl.h>
>>  
>> +/* Use the same argument order as copy_in_user */
>> +#define convert_in_user(to, from)			\
> 
> This doesn't really convert anything. How about calling it assign_in_user,
> for example?

Done.

> 
>> +({							\
>> +	typeof(*from) val;				\
> 
> "val" is very short, easily leading to hard-to-find namespace collisions.
> At least the versions of GCC I've used happily get this wrong without a
> warning.
> 
> How about __convert_in_user_tmp instead?

I stuck to __assign_tmp, I think __convert_in_user_tmp is overly paranoid :-)

> 
>> +							\
>> +	get_user(val, from) || put_user(val, to);	\

I'm keeping this. I thought about changing || to '? :' but I chickened out making
that change. I'll fix the G/S_INPUT/OUTPUT handling instead.

>> +})
>> +
>>  static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>>  {
>>  	long ret = -ENOIOCTLCMD;
>> @@ -48,37 +56,41 @@ struct v4l2_window32 {
>>  	__u8                    global_alpha;
>>  };
>>  
>> -static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
>> +static int get_v4l2_window32(struct v4l2_window __user *kp,
>> +			     struct v4l2_window32 __user *up,
>> +			     void __user *aux_buf, int aux_space)
>>  {
>>  	struct v4l2_clip32 __user *uclips;
>>  	struct v4l2_clip __user *kclips;
>>  	compat_caddr_t p;
>> -	u32 n;
>> +	u32 clipcount;
>>  
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
>> -	    get_user(kp->field, &up->field) ||
>> -	    get_user(kp->chromakey, &up->chromakey) ||
>> -	    get_user(kp->clipcount, &up->clipcount) ||
>> -	    get_user(kp->global_alpha, &up->global_alpha))
>> +	    copy_in_user(&kp->w, &up->w, sizeof(up->w)) ||
>> +	    convert_in_user(&kp->field, &up->field) ||
>> +	    convert_in_user(&kp->chromakey, &up->chromakey) ||
>> +	    convert_in_user(&kp->global_alpha, &up->global_alpha) ||
>> +	    get_user(clipcount, &up->clipcount) ||
>> +	    put_user(clipcount, &kp->clipcount))
>>  		return -EFAULT;
>> -	if (kp->clipcount > 2048)
>> +	if (clipcount > 2048)
>>  		return -EINVAL;
>> -	if (!kp->clipcount) {
>> -		kp->clips = NULL;
>> -		return 0;
>> -	}
>> +	if (!clipcount)
>> +		return put_user(NULL, &kp->clips) ? -EFAULT : 0;
> 
> Isn't this what put_user would return anyway?

Changed.

> 
>>  
>> -	n = kp->clipcount;
>>  	if (get_user(p, &up->clips))
>>  		return -EFAULT;
>>  	uclips = compat_ptr(p);
>> -	kclips = compat_alloc_user_space(n * sizeof(*kclips));
>> -	kp->clips = kclips;
>> -	while (n--) {
>> +	if (aux_space < clipcount * sizeof(*kclips))
>> +		return -EFAULT;
>> +	kclips = aux_buf;
>> +	if (put_user(kclips, &kp->clips))
>> +		return -EFAULT;
>> +
>> +	while (clipcount--) {
>>  		if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
>>  			return -EFAULT;
>> -		if (put_user(n ? kclips + 1 : NULL, &kclips->next))
>> +		if (put_user(clipcount ? kclips + 1 : NULL, &kclips->next))
>>  			return -EFAULT;
>>  		uclips++;
>>  		kclips++;
>> @@ -86,26 +98,28 @@ static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
>> +static int put_v4l2_window32(struct v4l2_window __user *kp,
>> +			     struct v4l2_window32 __user *up)
>>  {
>>  	struct v4l2_clip __user *kclips = kp->clips;
>>  	struct v4l2_clip32 __user *uclips;
>> -	int n = kp->clipcount;
>>  	compat_caddr_t p;
>> -
>> -	if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
>> -	    put_user(kp->field, &up->field) ||
>> -	    put_user(kp->chromakey, &up->chromakey) ||
>> -	    put_user(kp->clipcount, &up->clipcount) ||
>> -	    put_user(kp->global_alpha, &up->global_alpha))
>> +	u32 clipcount;
>> +
>> +	if (copy_in_user(&up->w, &kp->w, sizeof(kp->w)) ||
>> +	    convert_in_user(&up->field, &kp->field) ||
>> +	    convert_in_user(&up->chromakey, &kp->chromakey) ||
>> +	    convert_in_user(&up->global_alpha, &kp->global_alpha) ||
>> +	    get_user(clipcount, &kp->clipcount) ||
>> +	    put_user(clipcount, &up->clipcount))
>>  		return -EFAULT;
>> -	if (!kp->clipcount)
>> +	if (!clipcount)
>>  		return 0;
>>  
>>  	if (get_user(p, &up->clips))
>>  		return -EFAULT;
>>  	uclips = compat_ptr(p);
>> -	while (n--) {
>> +	while (clipcount--) {
>>  		if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
>>  			return -EFAULT;
>>  		uclips++;
>> @@ -145,107 +159,161 @@ struct v4l2_create_buffers32 {
>>  	__u32			reserved[8];
>>  };
>>  
>> -static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
>> +static int __bufsize_v4l2_format32(struct v4l2_format32 __user *up)
> 
> This is effectively returning the size of the non-compat struct, or just
> the part of which is variable. How about calling it __bufsize_v4l2_format
> instead? The same for other such functions.

Done.

> 
> I'd also separate the size calculated by the function and the return value.

Done. Much nicer indeed.

> 
>>  {
>> -	if (get_user(kp->type, &up->type))
>> +	u32 type;
>> +
>> +	if (get_user(type, &up->type))
>>  		return -EFAULT;
>>  
>> -	switch (kp->type) {
>> +	switch (type) {
>> +	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
>> +	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {
>> +		u32 clipcount;
>> +
>> +		if (get_user(clipcount, &up->fmt.win.clipcount))
>> +			return -EFAULT;
>> +		if (clipcount > 2048)
>> +			return -EINVAL;
>> +		return clipcount * sizeof(struct v4l2_clip);
>> +	}
>> +	default:
>> +		return 0;
>> +	}
>> +}
>> +
>> +static int bufsize_v4l2_format32(struct v4l2_format32 __user *up)
>> +{
>> +	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
>> +		return -EFAULT;
> 
> Newline?

Didn't do this. I didn't think it improved the code.

> 
>> +	return __bufsize_v4l2_format32(up);
>> +}
>> +
>> +static int __get_v4l2_format32(struct v4l2_format __user *kp,
>> +			       struct v4l2_format32 __user *up,
>> +			       void __user *aux_buf, int aux_space)
>> +{
>> +	u32 type;
>> +
>> +	if (get_user(type, &up->type) || put_user(type, &kp->type))
>> +		return -EFAULT;
>> +
>> +	switch (type) {
>>  	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
>> -		return copy_from_user(&kp->fmt.pix, &up->fmt.pix,
>> -				      sizeof(kp->fmt.pix)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.pix, &up->fmt.pix,
>> +				    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
>> -		return copy_from_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
>> -				      sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
>> +				    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
>> -		return get_v4l2_window32(&kp->fmt.win, &up->fmt.win);
>> +		return get_v4l2_window32(&kp->fmt.win, &up->fmt.win,
>> +					 aux_buf, aux_space);
>>  	case V4L2_BUF_TYPE_VBI_CAPTURE:
>>  	case V4L2_BUF_TYPE_VBI_OUTPUT:
>> -		return copy_from_user(&kp->fmt.vbi, &up->fmt.vbi,
>> -				      sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.vbi, &up->fmt.vbi,
>> +				    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
>>  	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
>> -		return copy_from_user(&kp->fmt.sliced, &up->fmt.sliced,
>> -				      sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.sliced, &up->fmt.sliced,
>> +				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_SDR_CAPTURE:
>>  	case V4L2_BUF_TYPE_SDR_OUTPUT:
>> -		return copy_from_user(&kp->fmt.sdr, &up->fmt.sdr,
>> -				      sizeof(kp->fmt.sdr)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.sdr, &up->fmt.sdr,
>> +				    sizeof(kp->fmt.sdr)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_META_CAPTURE:
>> -		return copy_from_user(&kp->fmt.meta, &up->fmt.meta,
>> -				      sizeof(kp->fmt.meta)) ? -EFAULT : 0;
>> +		return copy_in_user(&kp->fmt.meta, &up->fmt.meta,
>> +				    sizeof(kp->fmt.meta)) ? -EFAULT : 0;
>>  	default:
>>  		return -EINVAL;
>>  	}
>>  }
>>  
>> -static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
>> +static int get_v4l2_format32(struct v4l2_format __user *kp,
>> +			     struct v4l2_format32 __user *up,
>> +			     void __user *aux_buf, int aux_space)
>> +{
>> +	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
>> +		return -EFAULT;
>> +	return __get_v4l2_format32(kp, up, aux_buf, aux_space);
>> +}
>> +
>> +static int bufsize_v4l2_create32(struct v4l2_create_buffers32 __user *up)
>>  {
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)))
>>  		return -EFAULT;
>> -	return __get_v4l2_format32(kp, up);
>> +	return __bufsize_v4l2_format32(&up->format);
>>  }
>>  
>> -static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
>> +static int get_v4l2_create32(struct v4l2_create_buffers __user *kp,
>> +			     struct v4l2_create_buffers32 __user *up,
>> +			     void __user *aux_buf, int aux_space)
>>  {
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
>> +	    copy_in_user(kp, up,
>> +			 offsetof(struct v4l2_create_buffers32, format)))
>>  		return -EFAULT;
>> -	return __get_v4l2_format32(&kp->format, &up->format);
>> +	return __get_v4l2_format32(&kp->format, &up->format,
>> +				   aux_buf, aux_space);
>>  }
>>  
>> -static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
>> +static int __put_v4l2_format32(struct v4l2_format __user *kp,
>> +			       struct v4l2_format32 __user *up)
>>  {
>> -	if (put_user(kp->type, &up->type))
>> +	u32 type;
>> +
>> +	if (get_user(type, &kp->type))
>>  		return -EFAULT;
>>  
>> -	switch (kp->type) {
>> +	switch (type) {
>>  	case V4L2_BUF_TYPE_VIDEO_CAPTURE:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
>> -		return copy_to_user(&up->fmt.pix, &kp->fmt.pix,
>> -				    sizeof(kp->fmt.pix)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.pix, &kp->fmt.pix,
>> +				    sizeof(kp->fmt.pix)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
>> -		return copy_to_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
>> -				    sizeof(kp->fmt.pix_mp)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
>> +				    sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_VIDEO_OVERLAY:
>>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
>>  		return put_v4l2_window32(&kp->fmt.win, &up->fmt.win);
>>  	case V4L2_BUF_TYPE_VBI_CAPTURE:
>>  	case V4L2_BUF_TYPE_VBI_OUTPUT:
>> -		return copy_to_user(&up->fmt.vbi, &kp->fmt.vbi,
>> -				    sizeof(kp->fmt.vbi)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.vbi, &kp->fmt.vbi,
>> +				    sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
>>  	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
>> -		return copy_to_user(&up->fmt.sliced, &kp->fmt.sliced,
>> -				    sizeof(kp->fmt.sliced)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.sliced, &kp->fmt.sliced,
>> +				    sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_SDR_CAPTURE:
>>  	case V4L2_BUF_TYPE_SDR_OUTPUT:
>> -		return copy_to_user(&up->fmt.sdr, &kp->fmt.sdr,
>> -				    sizeof(kp->fmt.sdr)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.sdr, &kp->fmt.sdr,
>> +				    sizeof(kp->fmt.sdr)) ? -EFAULT : 0;
>>  	case V4L2_BUF_TYPE_META_CAPTURE:
>> -		return copy_to_user(&up->fmt.meta, &kp->fmt.meta,
>> -				    sizeof(kp->fmt.meta)) ?  -EFAULT : 0;
>> +		return copy_in_user(&up->fmt.meta, &kp->fmt.meta,
>> +				    sizeof(kp->fmt.meta)) ? -EFAULT : 0;
>>  	default:
>>  		return -EINVAL;
>>  	}
>>  }
>>  
>> -static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
>> +static int put_v4l2_format32(struct v4l2_format __user *kp,
>> +			     struct v4l2_format32 __user *up)
>>  {
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
> 
> For some pointers we do perform such checks, for others we don't. While
> this patch doesn't change this, it'd be good to align this by either
> introducing it everywhere or removing it everywhere.
> 
> I guess that can be done separately.

Didn't touch this. It wouldn't hurt to review the code. I'll see if I can do
that later this week.

> 
>>  		return -EFAULT;
>>  	return __put_v4l2_format32(kp, up);
>>  }
>>  
>> -static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
>> +static int put_v4l2_create32(struct v4l2_create_buffers __user *kp,
>> +			     struct v4l2_create_buffers32 __user *up)
>>  {
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
>> -	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
>> +	    copy_in_user(up, kp,
>> +			 offsetof(struct v4l2_create_buffers32, format)) ||
>> +	    copy_in_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
>>  		return -EFAULT;
>>  	return __put_v4l2_format32(&kp->format, &up->format);
>>  }
>> @@ -259,25 +327,27 @@ struct v4l2_standard32 {
>>  	__u32		     reserved[4];
>>  };
>>  
>> -static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
>> +static int get_v4l2_standard32(struct v4l2_standard __user *kp,
>> +			       struct v4l2_standard32 __user *up)
>>  {
>>  	/* other fields are not set by the user, nor used by the driver */
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    get_user(kp->index, &up->index))
>> +	    convert_in_user(&kp->index, &up->index))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
>> +static int put_v4l2_standard32(struct v4l2_standard __user *kp,
>> +			       struct v4l2_standard32 __user *up)
>>  {
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(kp->index, &up->index) ||
>> -	    put_user(kp->id, &up->id) ||
>> -	    copy_to_user(up->name, kp->name, 24) ||
>> -	    copy_to_user(&up->frameperiod, &kp->frameperiod,
>> -			 sizeof(kp->frameperiod)) ||
>> -	    put_user(kp->framelines, &up->framelines) ||
>> -	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
>> +	    convert_in_user(&up->index, &kp->index) ||
>> +	    copy_in_user(&up->id, &kp->id, sizeof(up->id)) ||
> 
> Why not convert_in_user()?

Changed.

> 
>> +	    copy_in_user(up->name, kp->name, 24) ||
>> +	    copy_in_user(&up->frameperiod, &kp->frameperiod,
>> +			 sizeof(up->frameperiod)) ||
>> +	    convert_in_user(&up->framelines, &kp->framelines) ||
>> +	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>> @@ -317,10 +387,10 @@ struct v4l2_buffer32 {
>>  	__u32			reserved;
>>  };
>>  
>> -static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
>> +static int get_v4l2_plane32(struct v4l2_plane __user *up,
>> +			    struct v4l2_plane32 __user *up32,
>>  			    enum v4l2_memory memory)
>>  {
>> -	void __user *up_pln;
>>  	compat_long_t p;
> 
> Shouldn't this be compat_ulong_t?

Changed.

> 
>>  
>>  	if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
>> @@ -336,10 +406,8 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
>>  			return -EFAULT;
>>  		break;
>>  	case V4L2_MEMORY_USERPTR:
>> -		if (get_user(p, &up32->m.userptr))
>> -			return -EFAULT;
>> -		up_pln = compat_ptr(p);
>> -		if (put_user((unsigned long)up_pln, &up->m.userptr))
>> +		if (get_user(p, &up32->m.userptr) ||
>> +		    put_user((unsigned long)compat_ptr(p), &up->m.userptr))
>>  			return -EFAULT;
>>  		break;
>>  	case V4L2_MEMORY_DMABUF:
>> @@ -351,7 +419,8 @@ static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
>> +static int put_v4l2_plane32(struct v4l2_plane __user *up,
>> +			    struct v4l2_plane32 __user *up32,
>>  			    enum v4l2_memory memory)
>>  {
>>  	unsigned long p;
>> @@ -375,8 +444,7 @@ static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
>>  			return -EFAULT;
>>  		break;
>>  	case V4L2_MEMORY_DMABUF:
>> -		if (copy_in_user(&up32->m.fd, &up->m.fd,
>> -				 sizeof(up->m.fd)))
>> +		if (copy_in_user(&up32->m.fd, &up->m.fd, sizeof(up->m.fd)))
>>  			return -EFAULT;
>>  		break;
>>  	}
>> @@ -384,37 +452,68 @@ static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __
>>  	return 0;
>>  }
>>  
>> -static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
>> +static int bufsize_v4l2_buffer32(struct v4l2_buffer32 __user *up)
>> +{
>> +	u32 type;
>> +	u32 length;
>> +
>> +	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> +	    get_user(type, &up->type) ||
>> +	    get_user(length, &up->length))
>> +		return -EFAULT;
>> +
>> +	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
>> +		if (length > VIDEO_MAX_PLANES)
>> +			return -EINVAL;
>> +
>> +		/* We don't really care if userspace decides to kill itself
> 
> /*
>  * ...

Changed here and elsewhere.

> 
>> +		 * by passing a very big length value
>> +		 */
>> +		return length * sizeof(struct v4l2_plane);
>> +	}
>> +	return 0;
>> +}
>> +
>> +static int get_v4l2_buffer32(struct v4l2_buffer __user *kp,
>> +			     struct v4l2_buffer32 __user *up,
>> +			     void __user *aux_buf, int aux_space)
>>  {
>> +	u32 type;
>> +	u32 length;
>> +	enum v4l2_memory memory;
>>  	struct v4l2_plane32 __user *uplane32;
>>  	struct v4l2_plane __user *uplane;
>>  	compat_caddr_t p;
>> +	int num_planes;
> 
> u32?

Changed.

> 
>>  	int ret;
>>  
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    get_user(kp->index, &up->index) ||
>> -	    get_user(kp->type, &up->type) ||
>> -	    get_user(kp->flags, &up->flags) ||
>> -	    get_user(kp->memory, &up->memory) ||
>> -	    get_user(kp->length, &up->length))
>> +	    convert_in_user(&kp->index, &up->index) ||
>> +	    get_user(type, &up->type) ||
>> +	    put_user(type, &kp->type) ||
>> +	    convert_in_user(&kp->flags, &up->flags) ||
>> +	    get_user(memory, &up->memory) ||
>> +	    put_user(memory, &kp->memory) ||
>> +	    get_user(length, &up->length) ||
>> +	    put_user(length, &kp->length))
>>  		return -EFAULT;
>>  
>> -	if (V4L2_TYPE_IS_OUTPUT(kp->type))
>> -		if (get_user(kp->bytesused, &up->bytesused) ||
>> -		    get_user(kp->field, &up->field) ||
>> -		    get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
>> -		    get_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec))
>> +	if (V4L2_TYPE_IS_OUTPUT(type))
>> +		if (convert_in_user(&kp->bytesused, &up->bytesused) ||
>> +		    convert_in_user(&kp->field, &up->field) ||
>> +		    convert_in_user(&kp->timestamp.tv_sec,
>> +				    &up->timestamp.tv_sec) ||
>> +		    convert_in_user(&kp->timestamp.tv_usec,
>> +				    &up->timestamp.tv_usec))
>>  			return -EFAULT;
>>  
>> -	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
>> -		unsigned int num_planes;
>> -
>> -		if (kp->length == 0) {
>> -			kp->m.planes = NULL;
>> +	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
>> +		num_planes = length;
> 
> Do you need a local variable for just that?

I moved the u32 num_planes declaration above to here. I still kept it
though since I think it helps understand what 'length' stands for.

> 
>> +		if (num_planes == 0) {
>>  			/* num_planes == 0 is legal, e.g. when userspace doesn't
>>  			 * need planes array on DQBUF*/
>> -			return 0;
>> -		} else if (kp->length > VIDEO_MAX_PLANES) {
>> +			return put_user(NULL, &kp->m.planes);
>> +		} else if (num_planes > VIDEO_MAX_PLANES) {
>>  			return -EINVAL;
>>  		}
>>  
>> @@ -423,40 +522,47 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
>>  
>>  		uplane32 = compat_ptr(p);
>>  		if (!access_ok(VERIFY_READ, uplane32,
>> -			       kp->length * sizeof(*uplane32)))
>> +				num_planes * sizeof(*uplane32)))
> 
> Alignment.

Changed.

> 
>>  			return -EFAULT;
>>  
>>  		/* We don't really care if userspace decides to kill itself
>>  		 * by passing a very big num_planes value */
>> -		uplane = compat_alloc_user_space(kp->length * sizeof(*uplane));
>> -		kp->m.planes = (__force struct v4l2_plane *)uplane;
>> +		if (aux_space < num_planes * sizeof(*uplane))
>> +			return -EFAULT;
>> +
>> +		uplane = aux_buf;
>> +		if (put_user((__force struct v4l2_plane *)uplane,
>> +					&kp->m.planes))
>> +			return -EFAULT;
>>  
>> -		for (num_planes = 0; num_planes < kp->length; num_planes++) {
>> -			ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
>> +		while (--num_planes >= 0) {
> 
> while (num_planes--) {
> 
> ?

Changed.

> 
>> +			ret = get_v4l2_plane32(uplane, uplane32, memory);
>>  			if (ret)
>>  				return ret;
>> -			++uplane;
>> -			++uplane32;
>> +			uplane++;
>> +			uplane32++;
>>  		}
>>  	} else {
>> -		switch (kp->memory) {
>> +		switch (memory) {
>>  		case V4L2_MEMORY_MMAP:
>> -		case V4L2_MEMORY_OVERLAY:
>> -			if (get_user(kp->m.offset, &up->m.offset))
>> +			if (convert_in_user(&kp->m.offset, &up->m.offset))
>>  				return -EFAULT;
>>  			break;
>> -		case V4L2_MEMORY_USERPTR:
>> -			{
>> -				compat_long_t tmp;
>> -
>> -				if (get_user(tmp, &up->m.userptr))
>> -					return -EFAULT;
>> +		case V4L2_MEMORY_USERPTR: {
>> +			compat_long_t tmp;
> 
> compat_ulong_t, I'd call it "userptr". The latter is entirely up to you.

Changed.

> 
>>  
>> -				kp->m.userptr = (unsigned long)compat_ptr(tmp);
>> -			}
>> +			if (get_user(tmp, &up->m.userptr) ||
>> +			    put_user((unsigned long)compat_ptr(tmp),
>> +				     &kp->m.userptr))
>> +				return -EFAULT;
>> +			break;
>> +		}
>> +		case V4L2_MEMORY_OVERLAY:
>> +			if (convert_in_user(&kp->m.offset, &up->m.offset))
>> +				return -EFAULT;
> 
> Is there a reason to split this off from MMAP handling? The code is the
> same.

Changed.

> 
>>  			break;
>>  		case V4L2_MEMORY_DMABUF:
>> -			if (get_user(kp->m.fd, &up->m.fd))
>> +			if (convert_in_user(&kp->m.fd, &up->m.fd))
>>  				return -EFAULT;
>>  			break;
>>  		}
>> @@ -465,8 +571,12 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
>> +static int put_v4l2_buffer32(struct v4l2_buffer __user *kp,
>> +			     struct v4l2_buffer32 __user *up)
>>  {
>> +	u32 type;
>> +	u32 length;
>> +	enum v4l2_memory memory;
>>  	struct v4l2_plane32 __user *uplane32;
>>  	struct v4l2_plane __user *uplane;
>>  	compat_caddr_t p;
>> @@ -474,53 +584,60 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
>>  	int ret;
>>  
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(kp->index, &up->index) ||
>> -	    put_user(kp->type, &up->type) ||
>> -	    put_user(kp->flags, &up->flags) ||
>> -	    put_user(kp->memory, &up->memory))
>> +	    convert_in_user(&up->index, &kp->index) ||
>> +	    get_user(type, &kp->type) ||
>> +	    put_user(type, &up->type) ||
>> +	    convert_in_user(&up->flags, &kp->flags) ||
>> +	    get_user(memory, &kp->memory) ||
>> +	    put_user(memory, &up->memory))
>>  		return -EFAULT;
>>  
>> -	if (put_user(kp->bytesused, &up->bytesused) ||
>> -	    put_user(kp->field, &up->field) ||
>> -	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
>> -	    put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
>> -	    copy_to_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
>> -	    put_user(kp->sequence, &up->sequence) ||
>> -	    put_user(kp->reserved2, &up->reserved2) ||
>> -	    put_user(kp->reserved, &up->reserved) ||
>> -	    put_user(kp->length, &up->length))
>> +	if (convert_in_user(&up->bytesused, &kp->bytesused) ||
>> +	    convert_in_user(&up->field, &kp->field) ||
>> +	    convert_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
>> +	    convert_in_user(&up->timestamp.tv_usec, &kp->timestamp.tv_usec) ||
>> +	    copy_in_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
>> +	    convert_in_user(&up->sequence, &kp->sequence) ||
>> +	    convert_in_user(&up->reserved2, &kp->reserved2) ||
>> +	    convert_in_user(&up->reserved, &kp->reserved) ||
>> +	    get_user(length, &kp->length) ||
>> +	    put_user(length, &up->length))
>>  		return -EFAULT;
>>  
>> -	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
>> -		num_planes = kp->length;
>> +	if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
>> +		num_planes = length;
>>  		if (num_planes == 0)
>>  			return 0;
>>  
>> -		uplane = (__force struct v4l2_plane __user *)kp->m.planes;
>> +		if (get_user(uplane, ((__force struct v4l2_plane __user **)&kp->m.planes)))
>> +			return -EFAULT;
>>  		if (get_user(p, &up->m.planes))
>>  			return -EFAULT;
>>  		uplane32 = compat_ptr(p);
>>  
>>  		while (--num_planes >= 0) {
> 
> 
> while (num_planes--) {

Changed.

> 
> Or rather: s/num_planes/length/
> 
> Then you can remove num_planes.

But kept num_planes.

> 
>> -			ret = put_v4l2_plane32(uplane, uplane32, kp->memory);
>> +			ret = put_v4l2_plane32(uplane, uplane32, memory);
>>  			if (ret)
>>  				return ret;
>>  			++uplane;
>>  			++uplane32;
>>  		}
>>  	} else {
>> -		switch (kp->memory) {
>> +		switch (memory) {
>>  		case V4L2_MEMORY_MMAP:
>> -		case V4L2_MEMORY_OVERLAY:
>> -			if (put_user(kp->m.offset, &up->m.offset))
>> +			if (convert_in_user(&up->m.offset, &kp->m.offset))
>>  				return -EFAULT;
>>  			break;
>>  		case V4L2_MEMORY_USERPTR:
>> -			if (put_user(kp->m.userptr, &up->m.userptr))
>> +			if (convert_in_user(&up->m.userptr, &kp->m.userptr))
>> +				return -EFAULT;
>> +			break;
>> +		case V4L2_MEMORY_OVERLAY:
>> +			if (convert_in_user(&up->m.offset, &kp->m.offset))
> 
> Combine with MMAP case?

Changed.

> 
>>  				return -EFAULT;
>>  			break;
>>  		case V4L2_MEMORY_DMABUF:
>> -			if (put_user(kp->m.fd, &up->m.fd))
>> +			if (convert_in_user(&up->m.fd, &kp->m.fd))
>>  				return -EFAULT;
>>  			break;
>>  		}
>> @@ -545,29 +662,32 @@ struct v4l2_framebuffer32 {
>>  	} fmt;
>>  };
>>  
>> -static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
>> +static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
>> +				  struct v4l2_framebuffer32 __user *up)
>>  {
>> -	u32 tmp;
>> +	compat_caddr_t tmp;
>>  
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>>  	    get_user(tmp, &up->base) ||
>> -	    get_user(kp->capability, &up->capability) ||
>> -	    get_user(kp->flags, &up->flags) ||
>> -	    copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
>> +	    put_user((__force void *)compat_ptr(tmp), &kp->base) ||
>> +	    convert_in_user(&kp->capability, &up->capability) ||
>> +	    convert_in_user(&kp->flags, &up->flags) ||
>> +	    copy_in_user(&kp->fmt, &up->fmt, sizeof(kp->fmt)))
>>  		return -EFAULT;
>> -	kp->base = (__force void *)compat_ptr(tmp);
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
>> +static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
>> +				  struct v4l2_framebuffer32 __user *up)
>>  {
>> -	u32 tmp = (u32)((unsigned long)kp->base);
>> +	void *base;
>>  
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(tmp, &up->base) ||
>> -	    put_user(kp->capability, &up->capability) ||
>> -	    put_user(kp->flags, &up->flags) ||
>> -	    copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt)))
>> +	    get_user(base, &kp->base) ||
>> +	    put_user(ptr_to_compat(base), &up->base) ||
>> +	    convert_in_user(&up->capability, &kp->capability) ||
>> +	    convert_in_user(&up->flags, &kp->flags) ||
>> +	    copy_in_user(&up->fmt, &kp->fmt, sizeof(kp->fmt)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>> @@ -586,16 +706,18 @@ struct v4l2_input32 {
>>  
>>  /* The 64-bit v4l2_input struct has extra padding at the end of the struct.
>>     Otherwise it is identical to the 32-bit version. */
>> -static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
>> +static inline int get_v4l2_input32(struct v4l2_input __user *kp,
>> +				   struct v4l2_input32 __user *up)
>>  {
>> -	if (copy_from_user(kp, up, sizeof(*up)))
>> +	if (copy_in_user(kp, up, sizeof(*up)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>>  
>> -static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
>> +static inline int put_v4l2_input32(struct v4l2_input __user *kp,
>> +				   struct v4l2_input32 __user *up)
>>  {
>> -	if (copy_to_user(up, kp, sizeof(*up)))
>> +	if (copy_in_user(up, kp, sizeof(*up)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>> @@ -648,39 +770,58 @@ static inline bool ctrl_is_pointer(struct file *file, u32 id)
>>  	return !ret && (qec.flags & V4L2_CTRL_FLAG_HAS_PAYLOAD);
>>  }
>>  
>> +static int bufsize_v4l2_ext_controls32(struct v4l2_ext_controls32 __user *up)
>> +{
>> +	u32 count;
>> +
>> +	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> +	    get_user(count, &up->count))
>> +		return -EFAULT;
>> +	if (count > V4L2_CID_MAX_CTRLS)
>> +		return -EINVAL;
>> +	return count * sizeof(struct v4l2_ext_control);
>> +}
>> +
>>  static int get_v4l2_ext_controls32(struct file *file,
>> -				   struct v4l2_ext_controls *kp,
>> -				   struct v4l2_ext_controls32 __user *up)
>> +				   struct v4l2_ext_controls __user *kp,
>> +				   struct v4l2_ext_controls32 __user *up,
>> +				   void __user *aux_buf, int aux_space)
>>  {
>>  	struct v4l2_ext_control32 __user *ucontrols;
>>  	struct v4l2_ext_control __user *kcontrols;
>> +	u32 count;
>>  	unsigned int n;
> 
> u32 n

Changed.

> 
>>  	compat_caddr_t p;
>>  
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    get_user(kp->which, &up->which) ||
>> -	    get_user(kp->count, &up->count) ||
>> -	    get_user(kp->error_idx, &up->error_idx) ||
>> -	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
>> +	    convert_in_user(&kp->which, &up->which) ||
>> +	    get_user(count, &up->count) ||
>> +	    put_user(count, &kp->count) ||
>> +	    convert_in_user(&kp->error_idx, &up->error_idx) ||
>> +	    copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
>>  		return -EFAULT;
>> -	if (kp->count == 0) {
>> -		kp->controls = NULL;
>> -		return 0;
>> -	} else if (kp->count > V4L2_CID_MAX_CTRLS) {
>> +	if (count == 0)
>> +		return put_user(NULL, &kp->controls);
>> +	else if (kp->count > V4L2_CID_MAX_CTRLS)
> 
> count

Changed.

> 
>>  		return -EINVAL;
>> -	}
>>  	if (get_user(p, &up->controls))
>>  		return -EFAULT;
>>  	ucontrols = compat_ptr(p);
>> -	if (!access_ok(VERIFY_READ, ucontrols, kp->count * sizeof(*ucontrols)))
>> +	if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
>> +		return -EFAULT;
>> +	if (aux_space < count * sizeof(*kcontrols))
>>  		return -EFAULT;
>> -	kcontrols = compat_alloc_user_space(kp->count * sizeof(*kcontrols));
>> -	kp->controls = (__force struct v4l2_ext_control *)kcontrols;
>> -	for (n = 0; n < kp->count; n++) {
>> +	kcontrols = aux_buf;
>> +	if (put_user((__force struct v4l2_ext_control *)kcontrols,
>> +		     &kp->controls))
>> +		return -EFAULT;
>> +
>> +	for (n = 0; n < count; n++) {
>>  		u32 id;
>>  
>>  		if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols)))
>>  			return -EFAULT;
>> +
>>  		if (get_user(id, &kcontrols->id))
>>  			return -EFAULT;
> 
> Newline here, too? Not really a problem with this patch though.

Changed.

> 
>>  		if (ctrl_is_pointer(file, id)) {
>> @@ -699,36 +840,47 @@ static int get_v4l2_ext_controls32(struct file *file,
>>  }
>>  
>>  static int put_v4l2_ext_controls32(struct file *file,
>> -				   struct v4l2_ext_controls *kp,
>> +				   struct v4l2_ext_controls __user *kp,
>>  				   struct v4l2_ext_controls32 __user *up)
>>  {
>>  	struct v4l2_ext_control32 __user *ucontrols;
>> -	struct v4l2_ext_control __user *kcontrols =
>> -		(__force struct v4l2_ext_control __user *)kp->controls;
>> -	int n = kp->count;
>> +	struct v4l2_ext_control __user *kcontrols;
>> +	u32 count;
>> +	unsigned int n;
> 
> u32 n

Changed.

> 
>>  	compat_caddr_t p;
>>  
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(kp->which, &up->which) ||
>> -	    put_user(kp->count, &up->count) ||
>> -	    put_user(kp->error_idx, &up->error_idx) ||
>> -	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>> +	    get_user(kcontrols, &kp->controls) ||
> 
> How about doing this as last? "controls" is the last member of the struct.

Changed.

> 
>> +	    convert_in_user(&up->which, &kp->which) ||
>> +	    get_user(count, &kp->count) ||
>> +	    put_user(count, &up->count) ||
>> +	    convert_in_user(&up->error_idx, &kp->error_idx) ||
>> +	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>>  		return -EFAULT;
>> -	if (!kp->count)
>> +	if (!count)
>>  		return 0;
>>  
>>  	if (get_user(p, &up->controls))
>>  		return -EFAULT;
>>  	ucontrols = compat_ptr(p);
>> -	if (!access_ok(VERIFY_WRITE, ucontrols, n * sizeof(*ucontrols)))
>> +	if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
>>  		return -EFAULT;
>>  
>> -	while (--n >= 0) {
>> -		unsigned size = sizeof(*ucontrols);
>> +	for (n = 0; n < count; n++) {
>> +		unsigned int size = sizeof(*ucontrols);
>>  		u32 id;
>>  
>> +		if (copy_in_user(&ucontrols->id, &kcontrols->id,
>> +				 sizeof(ucontrols->id)) ||
> 
> get_user(id, &kcontrols->id) ||
> put_user(id, &ucontrols->id) ||

Changed.

> 
>> +		    copy_in_user(&ucontrols->size, &kcontrols->size,
>> +				 sizeof(ucontrols->size)) ||
> 
> convert_in_user() ?

Changed.

> 
>> +		    copy_in_user(&ucontrols->reserved2, &kcontrols->reserved2,
>> +				 sizeof(ucontrols->reserved2)))
>> +			return -EFAULT;
>> +
>>  		if (get_user(id, &kcontrols->id))
>>  			return -EFAULT;
> 
> ...and the above if () can be removed.

Done.

> 
>> +
>>  		/* Do not modify the pointer when copying a pointer control.
>>  		   The contents of the pointer was changed, not the pointer
>>  		   itself. */
>> @@ -736,6 +888,7 @@ static int put_v4l2_ext_controls32(struct file *file,
>>  			size -= sizeof(ucontrols->value64);
> 
> This chunk is yearning for newlines. Not a fault of this patch though.
> 
>>  		if (copy_in_user(ucontrols, kcontrols, size))
>>  			return -EFAULT;
>> +
>>  		ucontrols++;
>>  		kcontrols++;
>>  	}
>> @@ -755,17 +908,18 @@ struct v4l2_event32 {
>>  	__u32				reserved[8];
>>  };
>>  
>> -static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
>> +static int put_v4l2_event32(struct v4l2_event __user *kp,
>> +			    struct v4l2_event32 __user *up)
>>  {
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(kp->type, &up->type) ||
>> -	    copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
>> -	    put_user(kp->pending, &up->pending) ||
>> -	    put_user(kp->sequence, &up->sequence) ||
>> -	    put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
>> -	    put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
>> -	    put_user(kp->id, &up->id) ||
>> -	    copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
>> +	    convert_in_user(&up->type, &kp->type) ||
>> +	    copy_in_user(&up->u, &kp->u, sizeof(kp->u)) ||
>> +	    convert_in_user(&up->pending, &kp->pending) ||
>> +	    convert_in_user(&up->sequence, &kp->sequence) ||
>> +	    convert_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
>> +	    convert_in_user(&up->timestamp.tv_nsec, &kp->timestamp.tv_nsec) ||
>> +	    convert_in_user(&up->id, &kp->id) ||
>> +	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>> @@ -778,31 +932,34 @@ struct v4l2_edid32 {
>>  	compat_caddr_t edid;
>>  };
>>  
>> -static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
>> +static int get_v4l2_edid32(struct v4l2_edid __user *kp,
>> +			   struct v4l2_edid32 __user *up)
>>  {
>> -	u32 tmp;
>> +	compat_uptr_t tmp;
>>  
>>  	if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
>> -	    get_user(kp->pad, &up->pad) ||
>> -	    get_user(kp->start_block, &up->start_block) ||
>> -	    get_user(kp->blocks, &up->blocks) ||
>> +	    convert_in_user(&kp->pad, &up->pad) ||
>> +	    convert_in_user(&kp->start_block, &up->start_block) ||
>> +	    convert_in_user(&kp->blocks, &up->blocks) ||
>>  	    get_user(tmp, &up->edid) ||
>> -	    copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
>> +	    put_user(compat_ptr(tmp), &kp->edid) ||
>> +	    copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
>>  		return -EFAULT;
>> -	kp->edid = (__force u8 *)compat_ptr(tmp);
>>  	return 0;
>>  }
>>  
>> -static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
>> +static int put_v4l2_edid32(struct v4l2_edid __user *kp,
>> +			   struct v4l2_edid32 __user *up)
>>  {
>> -	u32 tmp = (u32)((unsigned long)kp->edid);
>> +	void *edid;
>>  
>>  	if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
>> -	    put_user(kp->pad, &up->pad) ||
>> -	    put_user(kp->start_block, &up->start_block) ||
>> -	    put_user(kp->blocks, &up->blocks) ||
>> -	    put_user(tmp, &up->edid) ||
>> -	    copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>> +	    convert_in_user(&up->pad, &kp->pad) ||
>> +	    convert_in_user(&up->start_block, &kp->start_block) ||
>> +	    convert_in_user(&up->blocks, &kp->blocks) ||
>> +	    get_user(edid, &kp->edid) ||
>> +	    put_user(ptr_to_compat(edid), &up->edid) ||
>> +	    copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
>>  		return -EFAULT;
>>  	return 0;
>>  }
>> @@ -835,22 +992,30 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
>>  #define VIDIOC_G_OUTPUT32	_IOR ('V', 46, s32)
>>  #define VIDIOC_S_OUTPUT32	_IOWR('V', 47, s32)
>>  
>> +static void __user *alloc_userspace(unsigned int size, int aux_space, long *err)
> 
> This one is weird. Rather than following the pattern and returning an error
> and assigning the result to a pointer passed to it, it does exactly the
> opposite. I'd change that. I guess this is a matter of opinion to some
> degree at least, though.

Changed. It much nicer now.

> 
>> +{
>> +	void __user *up_native;
>> +
>> +	if (aux_space < 0) {
>> +		*err = aux_space;
>> +		return NULL;
>> +	}
>> +	up_native = compat_alloc_user_space(size + aux_space);
>> +	if (!up_native)
>> +		*err = -ENOMEM;
>> +	else if (clear_user(up_native, size))
>> +		*err = -EFAULT;
>> +	else
>> +		return up_native;
>> +	return NULL;
>> +}
>> +
>>  static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>>  {
>> -	union {
>> -		struct v4l2_format v2f;
>> -		struct v4l2_buffer v2b;
>> -		struct v4l2_framebuffer v2fb;
>> -		struct v4l2_input v2i;
>> -		struct v4l2_standard v2s;
>> -		struct v4l2_ext_controls v2ecs;
>> -		struct v4l2_event v2ev;
>> -		struct v4l2_create_buffers v2crt;
>> -		struct v4l2_edid v2edid;
>> -		unsigned long vx;
>> -		int vi;
>> -	} karg;
>>  	void __user *up = compat_ptr(arg);
>> +	void __user *up_native = NULL;
>> +	void __user *aux_buf;
>> +	int aux_space;
> 
> size_t?

I went with u32 :-)

> 
>>  	int compatible_arg = 1;
>>  	long err = 0;
>>  
>> @@ -889,30 +1054,47 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
>>  	case VIDIOC_STREAMOFF:
>>  	case VIDIOC_S_INPUT:
>>  	case VIDIOC_S_OUTPUT:
>> -		err = get_user(karg.vi, (s32 __user *)up);
>> +		up_native = alloc_userspace(sizeof(unsigned int __user),
>> +					    0, &err);
>> +		if (!err && convert_in_user((unsigned int __user *)up_native,
>> +					    (compat_uint_t __user *)up))
>> +			return -EFAULT;
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_G_INPUT:
>>  	case VIDIOC_G_OUTPUT:
>> +		up_native = alloc_userspace(sizeof(unsigned int __user),
>> +					    0, &err);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_G_EDID:
>>  	case VIDIOC_S_EDID:
>> -		err = get_v4l2_edid32(&karg.v2edid, up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_edid), 0, &err);
>> +		err = err ? : get_v4l2_edid32(up_native, up);
> 
> I'd write this as:
> 
> 		if (!err)
> 			err = get_v4l2_edid32(native_up, up);
> 
> Same below.

Done.

> 
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_G_FMT:
>>  	case VIDIOC_S_FMT:
>>  	case VIDIOC_TRY_FMT:
>> -		err = get_v4l2_format32(&karg.v2f, up);
>> +		aux_space = bufsize_v4l2_format32(up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_format),
>> +					    aux_space, &err);
>> +		aux_buf = up_native + sizeof(struct v4l2_format);
>> +		err = err ? : get_v4l2_format32(up_native, up,
>> +						aux_buf, aux_space);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_CREATE_BUFS:
>> -		err = get_v4l2_create32(&karg.v2crt, up);
>> +		aux_space = bufsize_v4l2_create32(up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_create_buffers),
>> +					    aux_space, &err);
>> +		aux_buf = up_native + sizeof(struct v4l2_create_buffers);
>> +		err = err ? : get_v4l2_create32(up_native, up,
>> +						aux_buf, aux_space);
>>  		compatible_arg = 0;
>>  		break;
>>  
>> @@ -920,36 +1102,54 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
>>  	case VIDIOC_QUERYBUF:
>>  	case VIDIOC_QBUF:
>>  	case VIDIOC_DQBUF:
>> -		err = get_v4l2_buffer32(&karg.v2b, up);
>> +		aux_space = bufsize_v4l2_buffer32(up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_buffer),
>> +					    aux_space, &err);
>> +		aux_buf = up_native + sizeof(struct v4l2_buffer);
>> +		err = err ? : get_v4l2_buffer32(up_native, up,
>> +						aux_buf, aux_space);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_S_FBUF:
>> -		err = get_v4l2_framebuffer32(&karg.v2fb, up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_framebuffer),
>> +					    0, &err);
>> +		err = err ? : get_v4l2_framebuffer32(up_native, up);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_G_FBUF:
>> +		up_native = alloc_userspace(sizeof(struct v4l2_framebuffer),
>> +					    0, &err);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_ENUMSTD:
>> -		err = get_v4l2_standard32(&karg.v2s, up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_standard),
>> +					    0, &err);
>> +		err = err ? : get_v4l2_standard32(up_native, up);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_ENUMINPUT:
>> -		err = get_v4l2_input32(&karg.v2i, up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_input), 0, &err);
>> +		err = err ? : get_v4l2_input32(up_native, up);
>>  		compatible_arg = 0;
>>  		break;
>>  
>>  	case VIDIOC_G_EXT_CTRLS:
>>  	case VIDIOC_S_EXT_CTRLS:
>>  	case VIDIOC_TRY_EXT_CTRLS:
>> -		err = get_v4l2_ext_controls32(file, &karg.v2ecs, up);
>> +		aux_space = bufsize_v4l2_ext_controls32(up);
>> +		up_native = alloc_userspace(sizeof(struct v4l2_ext_controls),
>> +					    aux_space, &err);
>> +		aux_buf = up_native + sizeof(struct v4l2_ext_controls);
>> +		err = err ? : get_v4l2_ext_controls32(file, up_native, up,
>> +						      aux_buf, aux_space);
>>  		compatible_arg = 0;
>>  		break;
>>  	case VIDIOC_DQEVENT:
>> +		up_native = alloc_userspace(sizeof(struct v4l2_event), 0, &err);
>>  		compatible_arg = 0;
>>  		break;
>>  	}
>> @@ -958,13 +1158,8 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
>>  
>>  	if (compatible_arg)
>>  		err = native_ioctl(file, cmd, (unsigned long)up);
>> -	else {
>> -		mm_segment_t old_fs = get_fs();
>> -
>> -		set_fs(KERNEL_DS);
>> -		err = native_ioctl(file, cmd, (unsigned long)&karg);
>> -		set_fs(old_fs);
>> -	}
>> +	else
>> +		err = native_ioctl(file, cmd, (unsigned long)up_native);
>>  
>>  	if (err == -ENOTTY || err == -EFAULT || err == -ENOIOCTLCMD)
>>  		return err;
>> @@ -976,11 +1171,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
>>  	case VIDIOC_G_EXT_CTRLS:
>>  	case VIDIOC_S_EXT_CTRLS:
>>  	case VIDIOC_TRY_EXT_CTRLS:
>> -		if (put_v4l2_ext_controls32(file, &karg.v2ecs, up))
>> +		if (put_v4l2_ext_controls32(file, up_native, up))
>>  			err = -EFAULT;
>>  		break;
>>  	case VIDIOC_S_EDID:
>> -		if (put_v4l2_edid32(&karg.v2edid, up))
>> +		if (put_v4l2_edid32(up_native, up))
>>  			err = -EFAULT;
>>  		break;
>>  	}
>> @@ -992,44 +1187,45 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
>>  	case VIDIOC_S_OUTPUT:
>>  	case VIDIOC_G_INPUT:
>>  	case VIDIOC_G_OUTPUT:
>> -		err = put_user(((s32)karg.vi), (s32 __user *)up);
>> +		err = convert_in_user((compat_uint_t __user *)up,
>> +				      ((unsigned int __user *)up_native));
> 
> Do note that convert_in_user() returns Boolean. This will effectively yield
> 1 in case of an error here. How about changing convert_in_user() to return
> whatever get_user / put_user do, to avoid errors in the future?

As mentioned at the top I decided not to change convert_in_user (now assign_in_user)
and modified this code here instead.

> 
>>  		break;
>>  
>>  	case VIDIOC_G_FBUF:
>> -		err = put_v4l2_framebuffer32(&karg.v2fb, up);
>> +		err = put_v4l2_framebuffer32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_DQEVENT:
>> -		err = put_v4l2_event32(&karg.v2ev, up);
>> +		err = put_v4l2_event32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_G_EDID:
>> -		err = put_v4l2_edid32(&karg.v2edid, up);
>> +		err = put_v4l2_edid32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_G_FMT:
>>  	case VIDIOC_S_FMT:
>>  	case VIDIOC_TRY_FMT:
>> -		err = put_v4l2_format32(&karg.v2f, up);
>> +		err = put_v4l2_format32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_CREATE_BUFS:
>> -		err = put_v4l2_create32(&karg.v2crt, up);
>> +		err = put_v4l2_create32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_PREPARE_BUF:
>>  	case VIDIOC_QUERYBUF:
>>  	case VIDIOC_QBUF:
>>  	case VIDIOC_DQBUF:
>> -		err = put_v4l2_buffer32(&karg.v2b, up);
>> +		err = put_v4l2_buffer32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_ENUMSTD:
>> -		err = put_v4l2_standard32(&karg.v2s, up);
>> +		err = put_v4l2_standard32(up_native, up);
>>  		break;
>>  
>>  	case VIDIOC_ENUMINPUT:
>> -		err = put_v4l2_input32(&karg.v2i, up);
>> +		err = put_v4l2_input32(up_native, up);
>>  		break;
>>  	}
>>  	return err;
> 

Regards,

	Hans




[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux