authorTim Yamin <plasmaroo@gentoo.org>2004-07-21 22:16:12 +0000
committerTim Yamin <plasmaroo@gentoo.org>2004-07-21 22:16:12 +0000
commit5223d1b2ed58af49764a5417314ff50af43e5eed (patch)
tree2308b6ef14493934566a75ec49f2935b6272143e /sys-kernel
parentWhere did the ppc keyword go? (Manifest recommit) (diff)
downloadgentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.tar.gz
gentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.tar.bz2
gentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.zip
Fixes for CAN-2004-049[56].
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/aa-sources/ChangeLog6
-rw-r--r--sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild4
-rw-r--r--sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch911
3 files changed, 918 insertions, 3 deletions
diff --git a/sys-kernel/aa-sources/ChangeLog b/sys-kernel/aa-sources/ChangeLog
index 55617f33e627..b67a8ebf3c98 100644
--- a/sys-kernel/aa-sources/ChangeLog
+++ b/sys-kernel/aa-sources/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-kernel/aa-sources
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/ChangeLog,v 1.45 2004/07/21 10:23:02 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/ChangeLog,v 1.46 2004/07/21 22:16:12 plasmaroo Exp $
+
+ 21 Jul 2004; <plasmaroo@gentoo.org> aa-sources-2.6.5-r5.ebuild,
+ +files/aa-sources-2.6.5.CAN-2004-0495-0496.patch:
+ Fixes for CAN-2004-049[56].
21 Jul 2004; <plasmaroo@gentoo.org> aa-sources-2.6.5-r5.ebuild,
+files/aa-sources-2.6.5.CAN-2004-0596.patch:
diff --git a/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild b/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild
index f64b756d70bf..1010bc7294df 100644
--- a/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild
+++ b/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild
@@ -1,8 +1,8 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild,v 1.9 2004/07/21 10:23:02 plasmaroo Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild,v 1.10 2004/07/21 22:16:12 plasmaroo Exp $
-UNIPATCH_LIST="${DISTDIR}/${KV}.bz2 ${FILESDIR}/${P}.CAN-2004-0075.patch ${FILESDIR}/${P}.CAN-2004-0228.patch ${FILESDIR}/${P}.CAN-2004-0229.patch ${FILESDIR}/${P}.CAN-2004-0427.patch ${FILESDIR}/${PN}.CAN-2004-0497.patch ${FILESDIR}/${P}.FPULockup-53804.patch ${FILESDIR}/${P}.IPTables-RDoS.patch ${FILESDIR}/${P}.ProcPerms.patch ${FILESDIR}/${P}.CAN-2004-0596.patch"
+UNIPATCH_LIST="${DISTDIR}/${KV}.bz2 ${FILESDIR}/${P}.CAN-2004-0075.patch ${FILESDIR}/${P}.CAN-2004-0228.patch ${FILESDIR}/${P}.CAN-2004-0229.patch ${FILESDIR}/${P}.CAN-2004-0427.patch ${FILESDIR}/${PN}.CAN-2004-0497.patch ${FILESDIR}/${P}.FPULockup-53804.patch ${FILESDIR}/${P}.IPTables-RDoS.patch ${FILESDIR}/${P}.ProcPerms.patch ${FILESDIR}/${P}.CAN-2004-0596.patch ${FILESDIR}/${P}.CAN-2004-0495-0496.patch"
K_PREPATCHED="yes"
UNIPATCH_STRICTORDER="yes"
diff --git a/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch b/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch
new file mode 100644
index 000000000000..6f67f9fdc912
--- /dev/null
+++ b/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch
@@ -0,0 +1,911 @@
+# <plasmaroo@gentoo.org>
+# This is a patch which should fix both CAN-2004-0495 and CAN-2004-0496 on 2.6...
+
+# * -0495 applies to 2.4 as well; use a separate patch for that.
+# * -0496 is a 2.6 only issue which this patch addresses.
+
+--- 1.20/net/decnet/dn_dev.c 2004-07-21 14:50:27 -07:00
++++ 1.21/net/decnet/dn_dev.c 2004-07-21 14:50:27 -07:00
+@@ -1294,35 +1294,43 @@
+ * it as a compile time option. Probably you should use the
+ * rtnetlink interface instead.
+ */
+-int dnet_gifconf(struct net_device *dev, char *buf, int len)
++int dnet_gifconf(struct net_device *dev, char __user *buf, int len)
+ {
+ struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr;
+ struct dn_ifaddr *ifa;
+- struct ifreq *ifr = (struct ifreq *)buf;
++ char buffer[DN_IFREQ_SIZE];
++ struct ifreq *ifr = (struct ifreq *)buffer;
++ struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr;
+ int done = 0;
+
+ if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL))
+ return 0;
+
+ for(; ifa; ifa = ifa->ifa_next) {
+- if (!ifr) {
++ if (!buf) {
+ done += sizeof(DN_IFREQ_SIZE);
+ continue;
+ }
+ if (len < DN_IFREQ_SIZE)
+ return done;
+- memset(ifr, 0, DN_IFREQ_SIZE);
++ memset(buffer, 0, DN_IFREQ_SIZE);
+
+ if (ifa->ifa_label)
+ strcpy(ifr->ifr_name, ifa->ifa_label);
+ else
+ strcpy(ifr->ifr_name, dev->name);
+
+- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet;
+- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2;
+- (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local;
++ addr->sdn_family = AF_DECnet;
++ addr->sdn_add.a_len = 2;
++ memcpy(addr->sdn_add.a_addr, &ifa->ifa_local,
++ sizeof(dn_address));
+
+- ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE);
++ if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) {
++ done = -EFAULT;
++ break;
++ }
++
++ buf += DN_IFREQ_SIZE;
+ len -= DN_IFREQ_SIZE;
+ done += DN_IFREQ_SIZE;
+ }
+--- 1.90/drivers/net/wireless/airo.c 2004-07-21 14:48:16 -07:00
++++ 1.91/drivers/net/wireless/airo.c 2004-07-21 14:48:16 -07:00
+@@ -4272,12 +4272,12 @@
+ */
+
+ static ssize_t proc_read( struct file *file,
+- char *buffer,
++ char __user *buffer,
+ size_t len,
+ loff_t *offset);
+
+ static ssize_t proc_write( struct file *file,
+- const char *buffer,
++ const char __user *buffer,
+ size_t len,
+ loff_t *offset );
+ static int proc_close( struct inode *inode, struct file *file );
+@@ -4482,23 +4482,26 @@
+ * to supply the data.
+ */
+ static ssize_t proc_read( struct file *file,
+- char *buffer,
++ char __user *buffer,
+ size_t len,
+ loff_t *offset )
+ {
+- int i;
+- int pos;
++ loff_t pos = *offset;
+ struct proc_data *priv = (struct proc_data*)file->private_data;
+
+- if( !priv->rbuffer ) return -EINVAL;
++ if (!priv->rbuffer)
++ return -EINVAL;
+
+- pos = *offset;
+- for( i = 0; i+pos < priv->readlen && i < len; i++ ) {
+- if (put_user( priv->rbuffer[i+pos], buffer+i ))
+- return -EFAULT;
+- }
+- *offset += i;
+- return i;
++ if (pos < 0)
++ return -EINVAL;
++ if (pos >= priv->readlen)
++ return 0;
++ if (len > priv->readlen - pos)
++ len = priv->readlen - pos;
++ if (copy_to_user(buffer, priv->rbuffer + pos, len))
++ return -EFAULT;
++ *offset = pos + len;
++ return len;
+ }
+
+ /*
+@@ -4506,28 +4509,26 @@
+ * to supply the data.
+ */
+ static ssize_t proc_write( struct file *file,
+- const char *buffer,
++ const char __user *buffer,
+ size_t len,
+ loff_t *offset )
+ {
+- int i;
+- int pos;
++ loff_t pos = *offset;
+ struct proc_data *priv = (struct proc_data*)file->private_data;
+
+- if ( !priv->wbuffer ) {
++ if (!priv->wbuffer)
+ return -EINVAL;
+- }
+-
+- pos = *offset;
+
+- for( i = 0; i + pos < priv->maxwritelen &&
+- i < len; i++ ) {
+- if (get_user( priv->wbuffer[i+pos], buffer + i ))
+- return -EFAULT;
+- }
+- if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos;
+- *offset += i;
+- return i;
++ if (pos < 0)
++ return -EINVAL;
++ if (pos >= priv->maxwritelen)
++ return 0;
++ if (len > priv->maxwritelen - pos)
++ len = priv->maxwritelen - pos;
++ if (copy_from_user(priv->wbuffer + pos, buffer, len))
++ return -EFAULT;
++ *offset = pos + len;
++ return len;
+ }
+
+ static int proc_status_open( struct inode *inode, struct file *file ) {
+--- 1.14/sound/oss/mpu401.c 2004-07-21 14:44:27 -07:00
++++ 1.15/sound/oss/mpu401.c 2004-07-21 14:44:27 -07:00
+@@ -728,7 +728,7 @@
+ return 0;
+ }
+
+-static int mpu401_ioctl(int dev, unsigned cmd, caddr_t arg)
++static int mpu401_ioctl(int dev, unsigned cmd, void __user *arg)
+ {
+ struct mpu_config *devc;
+ mpu_command_rec rec;
+@@ -742,7 +742,7 @@
+ printk(KERN_WARNING "mpu401: Intelligent mode not supported by the HW\n");
+ return -EINVAL;
+ }
+- if (get_user(val, (int *)arg))
++ if (get_user(val, (int __user *)arg))
+ return -EFAULT;
+ set_uart_mode(dev, devc, !val);
+ return 0;
+@@ -772,8 +772,7 @@
+ */
+ }
+
+-static int mpu_synth_ioctl(int dev,
+- unsigned int cmd, caddr_t arg)
++static int mpu_synth_ioctl(int dev, unsigned int cmd, void __user *arg)
+ {
+ int midi_dev;
+ struct mpu_config *devc;
+@@ -789,8 +788,7 @@
+ {
+
+ case SNDCTL_SYNTH_INFO:
+- if (copy_to_user((&((char *) arg)[0]),
+- (char *) &mpu_synth_info[midi_dev],
++ if (copy_to_user(arg, &mpu_synth_info[midi_dev],
+ sizeof(struct synth_info)))
+ return -EFAULT;
+ return 0;
+@@ -1508,17 +1506,19 @@
+ return curr_ticks;
+ }
+
+-static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg)
++static int mpu_timer_ioctl(int dev, unsigned int command, void __user *arg)
+ {
+ int midi_dev = sound_timer_devs[dev]->devlink;
++ int __user *p = (int __user *)arg;
+
+ switch (command)
+ {
+ case SNDCTL_TMR_SOURCE:
+ {
+ int parm;
+-
+- parm = *(int *) arg;
++
++ if (get_user(parm, p))
++ return -EFAULT;
+ parm &= timer_caps;
+
+ if (parm != 0)
+@@ -1530,7 +1530,9 @@
+ else if (timer_mode & TMR_MODE_SMPTE)
+ mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */
+ }
+- return (*(int *) arg = timer_mode);
++ if (put_user(timer_mode, p))
++ return -EFAULT;
++ return timer_mode;
+ }
+ break;
+
+@@ -1554,11 +1556,13 @@
+ case SNDCTL_TMR_TIMEBASE:
+ {
+ int val;
+-
+- val = *(int *) arg;
++ if (get_user(val, p))
++ return -EFAULT;
+ if (val)
+ set_timebase(midi_dev, val);
+- return (*(int *) arg = curr_timebase);
++ if (put_user(curr_timebase, p))
++ return -EFAULT;
++ return curr_timebase;
+ }
+ break;
+
+@@ -1567,7 +1571,8 @@
+ int val;
+ int ret;
+
+- val = *(int *) arg;
++ if (get_user(val, p))
++ return -EFAULT;
+
+ if (val)
+ {
+@@ -1582,26 +1587,35 @@
+ }
+ curr_tempo = val;
+ }
+- return (*(int *) arg = curr_tempo);
++ if (put_user(curr_tempo, p))
++ return -EFAULT;
++ return curr_tempo;
+ }
+ break;
+
+ case SNDCTL_SEQ_CTRLRATE:
+ {
+ int val;
++ if (get_user(val, p))
++ return -EFAULT;
+
+- val = *(int *) arg;
+ if (val != 0) /* Can't change */
+ return -EINVAL;
+- return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60);
++ val = ((curr_tempo * curr_timebase) + 30)/60;
++ if (put_user(val, p))
++ return -EFAULT;
++ return val;
+ }
+ break;
+
+ case SNDCTL_SEQ_GETTIME:
+- return (*(int *) arg = curr_ticks);
++ if (put_user(curr_ticks, p))
++ return -EFAULT;
++ return curr_ticks;
+
+ case SNDCTL_TMR_METRONOME:
+- metronome_mode = *(int *) arg;
++ if (get_user(metronome_mode, p))
++ return -EFAULT;
+ setup_metronome(midi_dev);
+ return 0;
+
+--- 1.11/drivers/acpi/asus_acpi.c 2004-07-21 14:16:19 -07:00
++++ 1.12/drivers/acpi/asus_acpi.c 2004-07-21 14:16:19 -07:00
+@@ -40,6 +40,7 @@
+ #include <linux/proc_fs.h>
+ #include <acpi/acpi_drivers.h>
+ #include <acpi/acpi_bus.h>
++#include <asm/uaccess.h>
+
+ #define ASUS_ACPI_VERSION "0.28"
+
+@@ -480,16 +481,31 @@
+ return (hotk->status & ledmask) ? 1 : 0;
+ }
+
++static int parse_arg(const char __user *buf, unsigned long count, int *val)
++{
++ char s[32];
++ if (!count)
++ return 0;
++ if (count > 31)
++ return -EINVAL;
++ if (copy_from_user(s, buf, count))
++ return -EFAULT;
++ s[count] = 0;
++ if (sscanf(s, "%i", val) != 1)
++ return -EINVAL;
++ return count;
++}
+
+ /* FIXME: kill extraneous args so it can be called independently */
+ static int
+-write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk,
++write_led(const char __user *buffer, unsigned long count, struct asus_hotk *hotk,
+ char *ledname, int ledmask, int invert)
+ {
+ int value;
+ int led_out = 0;
+
+- if (sscanf(buffer, "%i", &value) == 1)
++ count = parse_arg(buffer, count, &value);
++ if (count > 0)
+ led_out = value ? 1 : 0;
+
+ hotk->status =
+@@ -518,7 +534,7 @@
+
+
+ static int
+-proc_write_mled(struct file *file, const char *buffer,
++proc_write_mled(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+@@ -537,7 +553,7 @@
+ }
+
+ static int
+-proc_write_wled(struct file *file, const char *buffer,
++proc_write_wled(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+@@ -556,7 +572,7 @@
+ }
+
+ static int
+-proc_write_tled(struct file *file, const char *buffer,
++proc_write_tled(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+@@ -640,13 +656,14 @@
+
+
+ static int
+-proc_write_lcd(struct file *file, const char *buffer,
++proc_write_lcd(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ int value;
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+
+- if (sscanf(buffer, "%i", &value) == 1)
++ count = parse_arg(buffer, count, &value);
++ if (count > 0)
+ set_lcd_state(hotk, value);
+ return count;
+ }
+@@ -707,17 +724,18 @@
+ }
+
+ static int
+-proc_write_brn(struct file *file, const char *buffer,
++proc_write_brn(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ int value;
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+
+- if (sscanf(buffer, "%d", &value) == 1) {
++ count = parse_arg(buffer, count, &value);
++ if (count > 0) {
+ value = (0 < value) ? ((15 < value) ? 15 : value) : 0;
+ /* 0 <= value <= 15 */
+ set_brightness(value, hotk);
+- } else {
++ } else if (count < 0) {
+ printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
+ }
+
+@@ -756,17 +774,17 @@
+ * simultaneously, so be warned. See the acpi4asus README for more info.
+ */
+ static int
+-proc_write_disp(struct file *file, const char *buffer,
++proc_write_disp(struct file *file, const char __user *buffer,
+ unsigned long count, void *data)
+ {
+ int value;
+ struct asus_hotk *hotk = (struct asus_hotk *) data;
+
+- if (sscanf(buffer, "%d", &value) == 1)
++ count = parse_arg(buffer, count, &value);
++ if (count > 0)
+ set_display(value, hotk);
+- else {
++ else if (count < 0)
+ printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
+- }
+
+ return count;
+ }
+@@ -774,7 +792,7 @@
+
+ typedef int (proc_readfunc)(char *page, char **start, off_t off, int count,
+ int *eof, void *data);
+-typedef int (proc_writefunc)(struct file *file, const char *buffer,
++typedef int (proc_writefunc)(struct file *file, const char __user *buffer,
+ unsigned long count, void *data);
+
+ static int
+--- 1.30/sound/core/timer.c 2004-07-21 14:22:06 -07:00
++++ 1.31/sound/core/timer.c 2004-07-21 14:22:06 -07:00
+@@ -1437,7 +1437,7 @@
+ err = -ENODEV;
+ }
+ up(&register_mutex);
+- if (err >= 0 && copy_from_user(_gstatus, &gstatus, sizeof(gstatus)))
++ if (err >= 0 && copy_to_user(_gstatus, &gstatus, sizeof(gstatus)))
+ err = -EFAULT;
+ return err;
+ }
+--- 1.11/sound/oss/pss.c 2004-07-21 14:25:23 -07:00
++++ 1.12/sound/oss/pss.c 2004-07-21 14:25:23 -07:00
+@@ -453,20 +453,36 @@
+ }
+ }
+
+-static void arg_to_volume_mono(unsigned int volume, int *aleft)
++static int set_volume_mono(unsigned __user *p, int *aleft)
+ {
+ int left;
++ unsigned volume;
++ if (get_user(volume, p))
++ return -EFAULT;
+
+- left = volume & 0x00ff;
++ left = volume & 0xff;
+ if (left > 100)
+ left = 100;
+ *aleft = left;
++ return 0;
+ }
+
+-static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright)
++static int set_volume_stereo(unsigned __user *p, int *aleft, int *aright)
+ {
+- arg_to_volume_mono(volume, aleft);
+- arg_to_volume_mono(volume >> 8, aright);
++ int left, right;
++ unsigned volume;
++ if (get_user(volume, p))
++ return -EFAULT;
++
++ left = volume & 0xff;
++ if (left > 100)
++ left = 100;
++ right = (volume >> 8) & 0xff;
++ if (right > 100)
++ right = 100;
++ *aleft = left;
++ *aright = right;
++ return 0;
+ }
+
+ static int ret_vol_mono(int left)
+@@ -479,7 +495,7 @@
+ return ((right << 8) | left);
+ }
+
+-static int call_ad_mixer(pss_confdata *devc,unsigned int cmd, caddr_t arg)
++static int call_ad_mixer(pss_confdata *devc,unsigned int cmd, void __user *arg)
+ {
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return mixer_devs[devc->ad_mixer_dev]->ioctl(devc->ad_mixer_dev, cmd, arg);
+@@ -487,7 +503,7 @@
+ return -EINVAL;
+ }
+
+-static int pss_mixer_ioctl (int dev, unsigned int cmd, caddr_t arg)
++static int pss_mixer_ioctl (int dev, unsigned int cmd, void __user *arg)
+ {
+ pss_confdata *devc = mixer_devs[dev]->devc;
+ int cmdf = cmd & 0xff;
+@@ -513,33 +529,38 @@
+ return call_ad_mixer(devc, cmd, arg);
+ else
+ {
+- if (*(int *)arg != 0)
++ int v;
++ if (get_user(v, (int __user *)arg))
++ return -EFAULT;
++ if (v != 0)
+ return -EINVAL;
+ return 0;
+ }
+ case SOUND_MIXER_VOLUME:
+- arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l,
+- &devc->mixer.volume_r);
++ if (set_volume_stereo(arg,
++ &devc->mixer.volume_l,
++ &devc->mixer.volume_r))
++ return -EFAULT;
+ set_master_volume(devc, devc->mixer.volume_l,
+ devc->mixer.volume_r);
+ return ret_vol_stereo(devc->mixer.volume_l,
+ devc->mixer.volume_r);
+
+ case SOUND_MIXER_BASS:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.bass);
++ if (set_volume_mono(arg, &devc->mixer.bass))
++ return -EFAULT;
+ set_bass(devc, devc->mixer.bass);
+ return ret_vol_mono(devc->mixer.bass);
+
+ case SOUND_MIXER_TREBLE:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.treble);
++ if (set_volume_mono(arg, &devc->mixer.treble))
++ return -EFAULT;
+ set_treble(devc, devc->mixer.treble);
+ return ret_vol_mono(devc->mixer.treble);
+
+ case SOUND_MIXER_SYNTH:
+- arg_to_volume_mono(*(unsigned int *)arg,
+- &devc->mixer.synth);
++ if (set_volume_mono(arg, &devc->mixer.synth))
++ return -EFAULT;
+ set_synth_volume(devc, devc->mixer.synth);
+ return ret_vol_mono(devc->mixer.synth);
+
+@@ -549,54 +570,67 @@
+ }
+ else
+ {
++ int val, and_mask = 0, or_mask = 0;
+ /*
+ * Return parameters
+ */
+ switch (cmdf)
+ {
+-
+ case SOUND_MIXER_DEVMASK:
+ if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+- *(int *)arg = 0; /* no mixer devices */
+- return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH);
++ break;
++ and_mask = ~0;
++ or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH;
++ break;
+
+ case SOUND_MIXER_STEREODEVS:
+ if (call_ad_mixer(devc, cmd, arg) == -EINVAL)
+- *(int *)arg = 0; /* no stereo devices */
+- return (*(int *)arg |= SOUND_MASK_VOLUME);
++ break;
++ and_mask = ~0;
++ or_mask = SOUND_MASK_VOLUME;
++ break;
+
+ case SOUND_MIXER_RECMASK:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = 0); /* no record devices */
++ break;
+
+ case SOUND_MIXER_CAPS:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = SOUND_CAP_EXCL_INPUT);
++ or_mask = SOUND_CAP_EXCL_INPUT;
++ break;
+
+ case SOUND_MIXER_RECSRC:
+ if (devc->ad_mixer_dev != NO_WSS_MIXER)
+ return call_ad_mixer(devc, cmd, arg);
+- else
+- return (*(int *)arg = 0); /* no record source */
++ break;
+
+ case SOUND_MIXER_VOLUME:
+- return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r));
++ or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r);
++ break;
+
+ case SOUND_MIXER_BASS:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.bass));
++ or_mask = ret_vol_mono(devc->mixer.bass);
++ break;
+
+ case SOUND_MIXER_TREBLE:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.treble));
++ or_mask = ret_vol_mono(devc->mixer.treble);
++ break;
+
+ case SOUND_MIXER_SYNTH:
+- return (*(int *)arg = ret_vol_mono(devc->mixer.synth));
++ or_mask = ret_vol_mono(devc->mixer.synth);
++ break;
+ default:
+ return -EINVAL;
+ }
++ if (get_user(val, (int __user *)arg))
++ return -EFAULT;
++ val &= and_mask;
++ val |= or_mask;
++ if (put_user(val, (int __user *)arg))
++ return -EFAULT;
++ return val;
+ }
+ }
+
+@@ -803,7 +837,7 @@
+ return 0;
+ }
+
+-static int pss_coproc_ioctl(void *dev_info, unsigned int cmd, caddr_t arg, int local)
++static int pss_coproc_ioctl(void *dev_info, unsigned int cmd, void __user *arg, int local)
+ {
+ copr_buffer *buf;
+ copr_msg *mbuf;
+--- 1.15/sound/oss/msnd_pinnacle.c 2004-07-21 14:51:56 -07:00
++++ 1.16/sound/oss/msnd_pinnacle.c 2004-07-21 14:51:56 -07:00
+@@ -809,7 +809,7 @@
+
+ static __inline__ int pack_DARQ_to_DARF(register int bank)
+ {
+- register int size, n, timeout = 3;
++ register int size, timeout = 3;
+ register WORD wTmp;
+ LPDAQD DAQD;
+
+@@ -830,13 +830,10 @@
+ /* Read data from the head (unprotected bank 1 access okay
+ since this is only called inside an interrupt) */
+ outb(HPBLKSEL_1, dev.io + HP_BLKS);
+- if ((n = msnd_fifo_write(
++ msnd_fifo_write(
+ &dev.DARF,
+ (char *)(dev.base + bank * DAR_BUFF_SIZE),
+- size, 0)) <= 0) {
+- outb(HPBLKSEL_0, dev.io + HP_BLKS);
+- return n;
+- }
++ size);
+ outb(HPBLKSEL_0, dev.io + HP_BLKS);
+
+ return 1;
+@@ -858,21 +855,16 @@
+ if (protect) {
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_read(
++ n = msnd_fifo_read(
+ &dev.DAPF,
+ (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+- DAP_BUFF_SIZE, 0)) < 0) {
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ DAP_BUFF_SIZE);
+ spin_unlock_irqrestore(&dev.lock, flags);
+ } else {
+- if ((n = msnd_fifo_read(
++ n = msnd_fifo_read(
+ &dev.DAPF,
+ (char *)(dev.base + bank_num * DAP_BUFF_SIZE),
+- DAP_BUFF_SIZE, 0)) < 0) {
+- return n;
+- }
++ DAP_BUFF_SIZE);
+ }
+ if (!n)
+ break;
+@@ -899,30 +891,43 @@
+ static int dsp_read(char *buf, size_t len)
+ {
+ int count = len;
++ char *page = (char *)__get_free_page(PAGE_SIZE);
++
++ if (!page)
++ return -ENOMEM;
+
+ while (count > 0) {
+- int n;
++ int n, k;
+ unsigned long flags;
+
++ k = PAGE_SIZE;
++ if (k > count)
++ k = count;
++
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) {
+- printk(KERN_WARNING LOGNAME ": FIFO read error\n");
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ n = msnd_fifo_read(&dev.DARF, page, k);
+ spin_unlock_irqrestore(&dev.lock, flags);
++ if (copy_to_user(buf, page, n)) {
++ free_page((unsigned long)page);
++ return -EFAULT;
++ }
+ buf += n;
+ count -= n;
+
++ if (n == k && count)
++ continue;
++
+ if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) {
+ dev.last_recbank = -1;
+ if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0)
+ set_bit(F_READING, &dev.flags);
+ }
+
+- if (dev.rec_ndelay)
++ if (dev.rec_ndelay) {
++ free_page((unsigned long)page);
+ return count == len ? -EAGAIN : len - count;
++ }
+
+ if (count > 0) {
+ set_bit(F_READBLOCK, &dev.flags);
+@@ -931,41 +936,57 @@
+ get_rec_delay_jiffies(DAR_BUFF_SIZE)))
+ clear_bit(F_READING, &dev.flags);
+ clear_bit(F_READBLOCK, &dev.flags);
+- if (signal_pending(current))
++ if (signal_pending(current)) {
++ free_page((unsigned long)page);
+ return -EINTR;
++ }
+ }
+ }
+-
++ free_page((unsigned long)page);
+ return len - count;
+ }
+
+ static int dsp_write(const char *buf, size_t len)
+ {
+ int count = len;
++ char *page = (char *)__get_free_page(GFP_KERNEL);
++
++ if (!page)
++ return -ENOMEM;
+
+ while (count > 0) {
+- int n;
++ int n, k;
+ unsigned long flags;
+
++ k = PAGE_SIZE;
++ if (k > count)
++ k = count;
++
++ if (copy_from_user(page, buf, k)) {
++ free_page((unsigned long)page);
++ return -EFAULT;
++ }
++
+ /* Critical section: protect fifo in non-interrupt */
+ spin_lock_irqsave(&dev.lock, flags);
+- if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) {
+- printk(KERN_WARNING LOGNAME ": FIFO write error\n");
+- spin_unlock_irqrestore(&dev.lock, flags);
+- return n;
+- }
++ n = msnd_fifo_write(&dev.DAPF, page, k);
+ spin_unlock_irqrestore(&dev.lock, flags);
+ buf += n;
+ count -= n;
+
++ if (count && n == k)
++ continue;
++
+ if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) {
+ dev.last_playbank = -1;
+ if (pack_DAPF_to_DAPQ(1) > 0)
+ set_bit(F_WRITING, &dev.flags);
+ }
+
+- if (dev.play_ndelay)
++ if (dev.play_ndelay) {
++ free_page((unsigned long)page);
+ return count == len ? -EAGAIN : len - count;
++ }
+
+ if (count > 0) {
+ set_bit(F_WRITEBLOCK, &dev.flags);
+@@ -973,11 +994,14 @@
+ &dev.writeblock,
+ get_play_delay_jiffies(DAP_BUFF_SIZE));
+ clear_bit(F_WRITEBLOCK, &dev.flags);
+- if (signal_pending(current))
++ if (signal_pending(current)) {
++ free_page((unsigned long)page);
+ return -EINTR;
++ }
+ }
+ }
+
++ free_page((unsigned long)page);
+ return len - count;
+ }
+
+--- 1.2/sound/oss/msnd.h 2004-07-21 14:52:24 -07:00
++++ 1.3/sound/oss/msnd.h 2004-07-21 14:52:24 -07:00
+@@ -266,8 +266,8 @@
+ void msnd_fifo_free(msnd_fifo *f);
+ int msnd_fifo_alloc(msnd_fifo *f, size_t n);
+ void msnd_fifo_make_empty(msnd_fifo *f);
+-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user);
+-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user);
++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len);
++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len);
+
+ int msnd_wait_TXDE(multisound_dev_t *dev);
+ int msnd_wait_HC0(multisound_dev_t *dev);
+--- 1.8/sound/oss/msnd.c 2004-07-21 14:52:37 -07:00
++++ 1.9/sound/oss/msnd.c 2004-07-21 14:52:37 -07:00
+@@ -139,13 +139,10 @@
+ f->len = f->tail = f->head = 0;
+ }
+
+-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user)
++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len)
+ {
+ int count = 0;
+
+- if (f->len == f->n)
+- return 0;
+-
+ while ((count < len) && (f->len != f->n)) {
+
+ int nwritten;
+@@ -161,11 +158,7 @@
+ nwritten = len - count;
+ }
+
+- if (user) {
+- if (copy_from_user(f->data + f->tail, buf, nwritten))
+- return -EFAULT;
+- } else
+- isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
++ isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten);
+
+ count += nwritten;
+ buf += nwritten;
+@@ -177,13 +170,10 @@
+ return count;
+ }
+
+-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user)
++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len)
+ {
+ int count = 0;
+
+- if (f->len == 0)
+- return f->len;
+-
+ while ((count < len) && (f->len > 0)) {
+
+ int nread;
+@@ -199,11 +189,7 @@
+ nread = len - count;
+ }
+
+- if (user) {
+- if (copy_to_user(buf, f->data + f->head, nread))
+- return -EFAULT;
+- } else
+- isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
++ isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread);
+
+ count += nread;
+ buf += nread;
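Review bot: In the asus_acpi.c part of the added patch, each caller stores the `int` result of `parse_arg()` back into its `unsigned long count` parameter, so a returned `-EINVAL` or `-EFAULT` wraps to a large positive value. The `if (count > 0)` test then passes and `value` is used uninitialised in `write_led`, `proc_write_lcd`, `proc_write_brn` and `proc_write_disp`, while the `else if (count < 0)` warning branches can never run. Keep the result in a signed local instead: `int rv = parse_arg(buffer, count, &value);`, then test `if (rv > 0)` / `else if (rv < 0)` and return `rv` where the function currently returns `count`. Two smaller points in the same patch: `dsp_read` in msnd_pinnacle.c calls `__get_free_page(PAGE_SIZE)`, passing a size where `dsp_write` passes `GFP_KERNEL`, and the rewritten airo.c `proc_write` no longer updates `priv->writelen` as the removed loop did. If code outside this hunk relies on that length (not visible here), it would need something like `if (pos + len > priv->writelen) priv->writelen = pos + len;` before `*offset` is updated.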