media: v4l2-ioctl: fix some "too small" warnings (912d2f82) · Commits · 戴 / test

drivers/media/v4l2-core/v4l2-ioctl.c

+8 −7

Original line number	Diff line number	Diff line
		@@ -2833,14 +2833,15 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
		size_t array_size = 0;
		void __user *user_ptr = NULL;
		void **kernel_ptr = NULL;
		size_t size = _IOC_SIZE(cmd);

		/* Copy arguments into temp kernel buffer */
		if (_IOC_DIR(cmd) != _IOC_NONE) {
		if (_IOC_SIZE(cmd) <= sizeof(sbuf)) {
		if (size <= sizeof(sbuf)) {
		parg = sbuf;
		} else {
		/* too big to allocate from stack */
		mbuf = kvmalloc(_IOC_SIZE(cmd), GFP_KERNEL);
		mbuf = kvmalloc(size, GFP_KERNEL);
		if (NULL == mbuf)
		return -ENOMEM;
		parg = mbuf;
		@@ -2848,7 +2849,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,

		err = -EFAULT;
		if (_IOC_DIR(cmd) & _IOC_WRITE) {
		unsigned int n = _IOC_SIZE(cmd);
		unsigned int n = size;

		/*
		* In some cases, only a few fields are used as input,
		@@ -2869,11 +2870,11 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
		goto out;

		/* zero out anything we don't copy from userspace */
		if (n < _IOC_SIZE(cmd))
		memset((u8 *)parg + n, 0, _IOC_SIZE(cmd) - n);
		if (n < size)
		memset((u8 *)parg + n, 0, size - n);
		} else {
		/* read-only ioctl */
		memset(parg, 0, _IOC_SIZE(cmd));
		memset(parg, 0, size);
		}
		}

		@@ -2931,7 +2932,7 @@ out_array_args:
		switch (_IOC_DIR(cmd)) {
		case _IOC_READ:
		case (_IOC_WRITE \| _IOC_READ):
		if (copy_to_user((void __user *)arg, parg, _IOC_SIZE(cmd)))
		if (copy_to_user((void __user *)arg, parg, size))
		err = -EFAULT;
		break;
		}