diff options
author | Tim Yamin <plasmaroo@gentoo.org> | 2004-07-21 22:16:12 +0000 |
---|---|---|
committer | Tim Yamin <plasmaroo@gentoo.org> | 2004-07-21 22:16:12 +0000 |
commit | 5223d1b2ed58af49764a5417314ff50af43e5eed (patch) | |
tree | 2308b6ef14493934566a75ec49f2935b6272143e /sys-kernel | |
parent | Where did the ppc keyword go? (Manifest recommit) (diff) | |
download | gentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.tar.gz gentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.tar.bz2 gentoo-2-5223d1b2ed58af49764a5417314ff50af43e5eed.zip |
Fixes for CAN-2004-049[56].
Diffstat (limited to 'sys-kernel')
-rw-r--r-- | sys-kernel/aa-sources/ChangeLog | 6 | ||||
-rw-r--r-- | sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild | 4 | ||||
-rw-r--r-- | sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch | 911 |
3 files changed, 918 insertions, 3 deletions
diff --git a/sys-kernel/aa-sources/ChangeLog b/sys-kernel/aa-sources/ChangeLog index 55617f33e627..b67a8ebf3c98 100644 --- a/sys-kernel/aa-sources/ChangeLog +++ b/sys-kernel/aa-sources/ChangeLog @@ -1,6 +1,10 @@ # ChangeLog for sys-kernel/aa-sources # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/ChangeLog,v 1.45 2004/07/21 10:23:02 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/ChangeLog,v 1.46 2004/07/21 22:16:12 plasmaroo Exp $ + + 21 Jul 2004; <plasmaroo@gentoo.org> aa-sources-2.6.5-r5.ebuild, + +files/aa-sources-2.6.5.CAN-2004-0495-0496.patch: + Fixes for CAN-2004-049[56]. 21 Jul 2004; <plasmaroo@gentoo.org> aa-sources-2.6.5-r5.ebuild, +files/aa-sources-2.6.5.CAN-2004-0596.patch: diff --git a/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild b/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild index f64b756d70bf..1010bc7294df 100644 --- a/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild +++ b/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild @@ -1,8 +1,8 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild,v 1.9 2004/07/21 10:23:02 plasmaroo Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/aa-sources/aa-sources-2.6.5-r5.ebuild,v 1.10 2004/07/21 22:16:12 plasmaroo Exp $ -UNIPATCH_LIST="${DISTDIR}/${KV}.bz2 ${FILESDIR}/${P}.CAN-2004-0075.patch ${FILESDIR}/${P}.CAN-2004-0228.patch ${FILESDIR}/${P}.CAN-2004-0229.patch ${FILESDIR}/${P}.CAN-2004-0427.patch ${FILESDIR}/${PN}.CAN-2004-0497.patch ${FILESDIR}/${P}.FPULockup-53804.patch ${FILESDIR}/${P}.IPTables-RDoS.patch ${FILESDIR}/${P}.ProcPerms.patch ${FILESDIR}/${P}.CAN-2004-0596.patch" +UNIPATCH_LIST="${DISTDIR}/${KV}.bz2 ${FILESDIR}/${P}.CAN-2004-0075.patch ${FILESDIR}/${P}.CAN-2004-0228.patch ${FILESDIR}/${P}.CAN-2004-0229.patch ${FILESDIR}/${P}.CAN-2004-0427.patch ${FILESDIR}/${PN}.CAN-2004-0497.patch ${FILESDIR}/${P}.FPULockup-53804.patch ${FILESDIR}/${P}.IPTables-RDoS.patch ${FILESDIR}/${P}.ProcPerms.patch ${FILESDIR}/${P}.CAN-2004-0596.patch ${FILESDIR}/${P}.CAN-2004-0495-0496.patch" K_PREPATCHED="yes" UNIPATCH_STRICTORDER="yes" diff --git a/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch b/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch new file mode 100644 index 000000000000..6f67f9fdc912 --- /dev/null +++ b/sys-kernel/aa-sources/files/aa-sources-2.6.5.CAN-2004-0495-0496.patch @@ -0,0 +1,911 @@ +# <plasmaroo@gentoo.org> +# This is a patch which should fix both CAN-2004-0495 and CAN-2004-0496 on 2.6... + +# * -0495 applies to 2.4 as well; use a separate patch for that. +# * -0496 is a 2.6 only issue which this patch addresses. + +--- 1.20/net/decnet/dn_dev.c 2004-07-21 14:50:27 -07:00 ++++ 1.21/net/decnet/dn_dev.c 2004-07-21 14:50:27 -07:00 +@@ -1294,35 +1294,43 @@ + * it as a compile time option. Probably you should use the + * rtnetlink interface instead. + */ +-int dnet_gifconf(struct net_device *dev, char *buf, int len) ++int dnet_gifconf(struct net_device *dev, char __user *buf, int len) + { + struct dn_dev *dn_db = (struct dn_dev *)dev->dn_ptr; + struct dn_ifaddr *ifa; +- struct ifreq *ifr = (struct ifreq *)buf; ++ char buffer[DN_IFREQ_SIZE]; ++ struct ifreq *ifr = (struct ifreq *)buffer; ++ struct sockaddr_dn *addr = (struct sockaddr_dn *)&ifr->ifr_addr; + int done = 0; + + if ((dn_db == NULL) || ((ifa = dn_db->ifa_list) == NULL)) + return 0; + + for(; ifa; ifa = ifa->ifa_next) { +- if (!ifr) { ++ if (!buf) { + done += sizeof(DN_IFREQ_SIZE); + continue; + } + if (len < DN_IFREQ_SIZE) + return done; +- memset(ifr, 0, DN_IFREQ_SIZE); ++ memset(buffer, 0, DN_IFREQ_SIZE); + + if (ifa->ifa_label) + strcpy(ifr->ifr_name, ifa->ifa_label); + else + strcpy(ifr->ifr_name, dev->name); + +- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_family = AF_DECnet; +- (*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_len = 2; +- (*(dn_address *)(*(struct sockaddr_dn *) &ifr->ifr_addr).sdn_add.a_addr) = ifa->ifa_local; ++ addr->sdn_family = AF_DECnet; ++ addr->sdn_add.a_len = 2; ++ memcpy(addr->sdn_add.a_addr, &ifa->ifa_local, ++ sizeof(dn_address)); + +- ifr = (struct ifreq *)((char *)ifr + DN_IFREQ_SIZE); ++ if (copy_to_user(buf, buffer, DN_IFREQ_SIZE)) { ++ done = -EFAULT; ++ break; ++ } ++ ++ buf += DN_IFREQ_SIZE; + len -= DN_IFREQ_SIZE; + done += DN_IFREQ_SIZE; + } +--- 1.90/drivers/net/wireless/airo.c 2004-07-21 14:48:16 -07:00 ++++ 1.91/drivers/net/wireless/airo.c 2004-07-21 14:48:16 -07:00 +@@ -4272,12 +4272,12 @@ + */ + + static ssize_t proc_read( struct file *file, +- char *buffer, ++ char __user *buffer, + size_t len, + loff_t *offset); + + static ssize_t proc_write( struct file *file, +- const char *buffer, ++ const char __user *buffer, + size_t len, + loff_t *offset ); + static int proc_close( struct inode *inode, struct file *file ); +@@ -4482,23 +4482,26 @@ + * to supply the data. + */ + static ssize_t proc_read( struct file *file, +- char *buffer, ++ char __user *buffer, + size_t len, + loff_t *offset ) + { +- int i; +- int pos; ++ loff_t pos = *offset; + struct proc_data *priv = (struct proc_data*)file->private_data; + +- if( !priv->rbuffer ) return -EINVAL; ++ if (!priv->rbuffer) ++ return -EINVAL; + +- pos = *offset; +- for( i = 0; i+pos < priv->readlen && i < len; i++ ) { +- if (put_user( priv->rbuffer[i+pos], buffer+i )) +- return -EFAULT; +- } +- *offset += i; +- return i; ++ if (pos < 0) ++ return -EINVAL; ++ if (pos >= priv->readlen) ++ return 0; ++ if (len > priv->readlen - pos) ++ len = priv->readlen - pos; ++ if (copy_to_user(buffer, priv->rbuffer + pos, len)) ++ return -EFAULT; ++ *offset = pos + len; ++ return len; + } + + /* +@@ -4506,28 +4509,26 @@ + * to supply the data. + */ + static ssize_t proc_write( struct file *file, +- const char *buffer, ++ const char __user *buffer, + size_t len, + loff_t *offset ) + { +- int i; +- int pos; ++ loff_t pos = *offset; + struct proc_data *priv = (struct proc_data*)file->private_data; + +- if ( !priv->wbuffer ) { ++ if (!priv->wbuffer) + return -EINVAL; +- } +- +- pos = *offset; + +- for( i = 0; i + pos < priv->maxwritelen && +- i < len; i++ ) { +- if (get_user( priv->wbuffer[i+pos], buffer + i )) +- return -EFAULT; +- } +- if ( i+pos > priv->writelen ) priv->writelen = i+file->f_pos; +- *offset += i; +- return i; ++ if (pos < 0) ++ return -EINVAL; ++ if (pos >= priv->maxwritelen) ++ return 0; ++ if (len > priv->maxwritelen - pos) ++ len = priv->maxwritelen - pos; ++ if (copy_from_user(priv->wbuffer + pos, buffer, len)) ++ return -EFAULT; ++ *offset = pos + len; ++ return len; + } + + static int proc_status_open( struct inode *inode, struct file *file ) { +--- 1.14/sound/oss/mpu401.c 2004-07-21 14:44:27 -07:00 ++++ 1.15/sound/oss/mpu401.c 2004-07-21 14:44:27 -07:00 +@@ -728,7 +728,7 @@ + return 0; + } + +-static int mpu401_ioctl(int dev, unsigned cmd, caddr_t arg) ++static int mpu401_ioctl(int dev, unsigned cmd, void __user *arg) + { + struct mpu_config *devc; + mpu_command_rec rec; +@@ -742,7 +742,7 @@ + printk(KERN_WARNING "mpu401: Intelligent mode not supported by the HW\n"); + return -EINVAL; + } +- if (get_user(val, (int *)arg)) ++ if (get_user(val, (int __user *)arg)) + return -EFAULT; + set_uart_mode(dev, devc, !val); + return 0; +@@ -772,8 +772,7 @@ + */ + } + +-static int mpu_synth_ioctl(int dev, +- unsigned int cmd, caddr_t arg) ++static int mpu_synth_ioctl(int dev, unsigned int cmd, void __user *arg) + { + int midi_dev; + struct mpu_config *devc; +@@ -789,8 +788,7 @@ + { + + case SNDCTL_SYNTH_INFO: +- if (copy_to_user((&((char *) arg)[0]), +- (char *) &mpu_synth_info[midi_dev], ++ if (copy_to_user(arg, &mpu_synth_info[midi_dev], + sizeof(struct synth_info))) + return -EFAULT; + return 0; +@@ -1508,17 +1506,19 @@ + return curr_ticks; + } + +-static int mpu_timer_ioctl(int dev, unsigned int command, caddr_t arg) ++static int mpu_timer_ioctl(int dev, unsigned int command, void __user *arg) + { + int midi_dev = sound_timer_devs[dev]->devlink; ++ int __user *p = (int __user *)arg; + + switch (command) + { + case SNDCTL_TMR_SOURCE: + { + int parm; +- +- parm = *(int *) arg; ++ ++ if (get_user(parm, p)) ++ return -EFAULT; + parm &= timer_caps; + + if (parm != 0) +@@ -1530,7 +1530,9 @@ + else if (timer_mode & TMR_MODE_SMPTE) + mpu_cmd(midi_dev, 0x3d, 0); /* Use SMPTE sync */ + } +- return (*(int *) arg = timer_mode); ++ if (put_user(timer_mode, p)) ++ return -EFAULT; ++ return timer_mode; + } + break; + +@@ -1554,11 +1556,13 @@ + case SNDCTL_TMR_TIMEBASE: + { + int val; +- +- val = *(int *) arg; ++ if (get_user(val, p)) ++ return -EFAULT; + if (val) + set_timebase(midi_dev, val); +- return (*(int *) arg = curr_timebase); ++ if (put_user(curr_timebase, p)) ++ return -EFAULT; ++ return curr_timebase; + } + break; + +@@ -1567,7 +1571,8 @@ + int val; + int ret; + +- val = *(int *) arg; ++ if (get_user(val, p)) ++ return -EFAULT; + + if (val) + { +@@ -1582,26 +1587,35 @@ + } + curr_tempo = val; + } +- return (*(int *) arg = curr_tempo); ++ if (put_user(curr_tempo, p)) ++ return -EFAULT; ++ return curr_tempo; + } + break; + + case SNDCTL_SEQ_CTRLRATE: + { + int val; ++ if (get_user(val, p)) ++ return -EFAULT; + +- val = *(int *) arg; + if (val != 0) /* Can't change */ + return -EINVAL; +- return (*(int *) arg = ((curr_tempo * curr_timebase) + 30) / 60); ++ val = ((curr_tempo * curr_timebase) + 30)/60; ++ if (put_user(val, p)) ++ return -EFAULT; ++ return val; + } + break; + + case SNDCTL_SEQ_GETTIME: +- return (*(int *) arg = curr_ticks); ++ if (put_user(curr_ticks, p)) ++ return -EFAULT; ++ return curr_ticks; + + case SNDCTL_TMR_METRONOME: +- metronome_mode = *(int *) arg; ++ if (get_user(metronome_mode, p)) ++ return -EFAULT; + setup_metronome(midi_dev); + return 0; + +--- 1.11/drivers/acpi/asus_acpi.c 2004-07-21 14:16:19 -07:00 ++++ 1.12/drivers/acpi/asus_acpi.c 2004-07-21 14:16:19 -07:00 +@@ -40,6 +40,7 @@ + #include <linux/proc_fs.h> + #include <acpi/acpi_drivers.h> + #include <acpi/acpi_bus.h> ++#include <asm/uaccess.h> + + #define ASUS_ACPI_VERSION "0.28" + +@@ -480,16 +481,31 @@ + return (hotk->status & ledmask) ? 1 : 0; + } + ++static int parse_arg(const char __user *buf, unsigned long count, int *val) ++{ ++ char s[32]; ++ if (!count) ++ return 0; ++ if (count > 31) ++ return -EINVAL; ++ if (copy_from_user(s, buf, count)) ++ return -EFAULT; ++ s[count] = 0; ++ if (sscanf(s, "%i", val) != 1) ++ return -EINVAL; ++ return count; ++} + + /* FIXME: kill extraneous args so it can be called independently */ + static int +-write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk, ++write_led(const char __user *buffer, unsigned long count, struct asus_hotk *hotk, + char *ledname, int ledmask, int invert) + { + int value; + int led_out = 0; + +- if (sscanf(buffer, "%i", &value) == 1) ++ count = parse_arg(buffer, count, &value); ++ if (count > 0) + led_out = value ? 1 : 0; + + hotk->status = +@@ -518,7 +534,7 @@ + + + static int +-proc_write_mled(struct file *file, const char *buffer, ++proc_write_mled(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + struct asus_hotk *hotk = (struct asus_hotk *) data; +@@ -537,7 +553,7 @@ + } + + static int +-proc_write_wled(struct file *file, const char *buffer, ++proc_write_wled(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + struct asus_hotk *hotk = (struct asus_hotk *) data; +@@ -556,7 +572,7 @@ + } + + static int +-proc_write_tled(struct file *file, const char *buffer, ++proc_write_tled(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + struct asus_hotk *hotk = (struct asus_hotk *) data; +@@ -640,13 +656,14 @@ + + + static int +-proc_write_lcd(struct file *file, const char *buffer, ++proc_write_lcd(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + int value; + struct asus_hotk *hotk = (struct asus_hotk *) data; + +- if (sscanf(buffer, "%i", &value) == 1) ++ count = parse_arg(buffer, count, &value); ++ if (count > 0) + set_lcd_state(hotk, value); + return count; + } +@@ -707,17 +724,18 @@ + } + + static int +-proc_write_brn(struct file *file, const char *buffer, ++proc_write_brn(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + int value; + struct asus_hotk *hotk = (struct asus_hotk *) data; + +- if (sscanf(buffer, "%d", &value) == 1) { ++ count = parse_arg(buffer, count, &value); ++ if (count > 0) { + value = (0 < value) ? ((15 < value) ? 15 : value) : 0; + /* 0 <= value <= 15 */ + set_brightness(value, hotk); +- } else { ++ } else if (count < 0) { + printk(KERN_WARNING "Asus ACPI: Error reading user input\n"); + } + +@@ -756,17 +774,17 @@ + * simultaneously, so be warned. See the acpi4asus README for more info. + */ + static int +-proc_write_disp(struct file *file, const char *buffer, ++proc_write_disp(struct file *file, const char __user *buffer, + unsigned long count, void *data) + { + int value; + struct asus_hotk *hotk = (struct asus_hotk *) data; + +- if (sscanf(buffer, "%d", &value) == 1) ++ count = parse_arg(buffer, count, &value); ++ if (count > 0) + set_display(value, hotk); +- else { ++ else if (count < 0) + printk(KERN_WARNING "Asus ACPI: Error reading user input\n"); +- } + + return count; + } +@@ -774,7 +792,7 @@ + + typedef int (proc_readfunc)(char *page, char **start, off_t off, int count, + int *eof, void *data); +-typedef int (proc_writefunc)(struct file *file, const char *buffer, ++typedef int (proc_writefunc)(struct file *file, const char __user *buffer, + unsigned long count, void *data); + + static int +--- 1.30/sound/core/timer.c 2004-07-21 14:22:06 -07:00 ++++ 1.31/sound/core/timer.c 2004-07-21 14:22:06 -07:00 +@@ -1437,7 +1437,7 @@ + err = -ENODEV; + } + up(®ister_mutex); +- if (err >= 0 && copy_from_user(_gstatus, &gstatus, sizeof(gstatus))) ++ if (err >= 0 && copy_to_user(_gstatus, &gstatus, sizeof(gstatus))) + err = -EFAULT; + return err; + } +--- 1.11/sound/oss/pss.c 2004-07-21 14:25:23 -07:00 ++++ 1.12/sound/oss/pss.c 2004-07-21 14:25:23 -07:00 +@@ -453,20 +453,36 @@ + } + } + +-static void arg_to_volume_mono(unsigned int volume, int *aleft) ++static int set_volume_mono(unsigned __user *p, int *aleft) + { + int left; ++ unsigned volume; ++ if (get_user(volume, p)) ++ return -EFAULT; + +- left = volume & 0x00ff; ++ left = volume & 0xff; + if (left > 100) + left = 100; + *aleft = left; ++ return 0; + } + +-static void arg_to_volume_stereo(unsigned int volume, int *aleft, int *aright) ++static int set_volume_stereo(unsigned __user *p, int *aleft, int *aright) + { +- arg_to_volume_mono(volume, aleft); +- arg_to_volume_mono(volume >> 8, aright); ++ int left, right; ++ unsigned volume; ++ if (get_user(volume, p)) ++ return -EFAULT; ++ ++ left = volume & 0xff; ++ if (left > 100) ++ left = 100; ++ right = (volume >> 8) & 0xff; ++ if (right > 100) ++ right = 100; ++ *aleft = left; ++ *aright = right; ++ return 0; + } + + static int ret_vol_mono(int left) +@@ -479,7 +495,7 @@ + return ((right << 8) | left); + } + +-static int call_ad_mixer(pss_confdata *devc,unsigned int cmd, caddr_t arg) ++static int call_ad_mixer(pss_confdata *devc,unsigned int cmd, void __user *arg) + { + if (devc->ad_mixer_dev != NO_WSS_MIXER) + return mixer_devs[devc->ad_mixer_dev]->ioctl(devc->ad_mixer_dev, cmd, arg); +@@ -487,7 +503,7 @@ + return -EINVAL; + } + +-static int pss_mixer_ioctl (int dev, unsigned int cmd, caddr_t arg) ++static int pss_mixer_ioctl (int dev, unsigned int cmd, void __user *arg) + { + pss_confdata *devc = mixer_devs[dev]->devc; + int cmdf = cmd & 0xff; +@@ -513,33 +529,38 @@ + return call_ad_mixer(devc, cmd, arg); + else + { +- if (*(int *)arg != 0) ++ int v; ++ if (get_user(v, (int __user *)arg)) ++ return -EFAULT; ++ if (v != 0) + return -EINVAL; + return 0; + } + case SOUND_MIXER_VOLUME: +- arg_to_volume_stereo(*(unsigned int *)arg, &devc->mixer.volume_l, +- &devc->mixer.volume_r); ++ if (set_volume_stereo(arg, ++ &devc->mixer.volume_l, ++ &devc->mixer.volume_r)) ++ return -EFAULT; + set_master_volume(devc, devc->mixer.volume_l, + devc->mixer.volume_r); + return ret_vol_stereo(devc->mixer.volume_l, + devc->mixer.volume_r); + + case SOUND_MIXER_BASS: +- arg_to_volume_mono(*(unsigned int *)arg, +- &devc->mixer.bass); ++ if (set_volume_mono(arg, &devc->mixer.bass)) ++ return -EFAULT; + set_bass(devc, devc->mixer.bass); + return ret_vol_mono(devc->mixer.bass); + + case SOUND_MIXER_TREBLE: +- arg_to_volume_mono(*(unsigned int *)arg, +- &devc->mixer.treble); ++ if (set_volume_mono(arg, &devc->mixer.treble)) ++ return -EFAULT; + set_treble(devc, devc->mixer.treble); + return ret_vol_mono(devc->mixer.treble); + + case SOUND_MIXER_SYNTH: +- arg_to_volume_mono(*(unsigned int *)arg, +- &devc->mixer.synth); ++ if (set_volume_mono(arg, &devc->mixer.synth)) ++ return -EFAULT; + set_synth_volume(devc, devc->mixer.synth); + return ret_vol_mono(devc->mixer.synth); + +@@ -549,54 +570,67 @@ + } + else + { ++ int val, and_mask = 0, or_mask = 0; + /* + * Return parameters + */ + switch (cmdf) + { +- + case SOUND_MIXER_DEVMASK: + if (call_ad_mixer(devc, cmd, arg) == -EINVAL) +- *(int *)arg = 0; /* no mixer devices */ +- return (*(int *)arg |= SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH); ++ break; ++ and_mask = ~0; ++ or_mask = SOUND_MASK_VOLUME | SOUND_MASK_BASS | SOUND_MASK_TREBLE | SOUND_MASK_SYNTH; ++ break; + + case SOUND_MIXER_STEREODEVS: + if (call_ad_mixer(devc, cmd, arg) == -EINVAL) +- *(int *)arg = 0; /* no stereo devices */ +- return (*(int *)arg |= SOUND_MASK_VOLUME); ++ break; ++ and_mask = ~0; ++ or_mask = SOUND_MASK_VOLUME; ++ break; + + case SOUND_MIXER_RECMASK: + if (devc->ad_mixer_dev != NO_WSS_MIXER) + return call_ad_mixer(devc, cmd, arg); +- else +- return (*(int *)arg = 0); /* no record devices */ ++ break; + + case SOUND_MIXER_CAPS: + if (devc->ad_mixer_dev != NO_WSS_MIXER) + return call_ad_mixer(devc, cmd, arg); +- else +- return (*(int *)arg = SOUND_CAP_EXCL_INPUT); ++ or_mask = SOUND_CAP_EXCL_INPUT; ++ break; + + case SOUND_MIXER_RECSRC: + if (devc->ad_mixer_dev != NO_WSS_MIXER) + return call_ad_mixer(devc, cmd, arg); +- else +- return (*(int *)arg = 0); /* no record source */ ++ break; + + case SOUND_MIXER_VOLUME: +- return (*(int *)arg = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r)); ++ or_mask = ret_vol_stereo(devc->mixer.volume_l, devc->mixer.volume_r); ++ break; + + case SOUND_MIXER_BASS: +- return (*(int *)arg = ret_vol_mono(devc->mixer.bass)); ++ or_mask = ret_vol_mono(devc->mixer.bass); ++ break; + + case SOUND_MIXER_TREBLE: +- return (*(int *)arg = ret_vol_mono(devc->mixer.treble)); ++ or_mask = ret_vol_mono(devc->mixer.treble); ++ break; + + case SOUND_MIXER_SYNTH: +- return (*(int *)arg = ret_vol_mono(devc->mixer.synth)); ++ or_mask = ret_vol_mono(devc->mixer.synth); ++ break; + default: + return -EINVAL; + } ++ if (get_user(val, (int __user *)arg)) ++ return -EFAULT; ++ val &= and_mask; ++ val |= or_mask; ++ if (put_user(val, (int __user *)arg)) ++ return -EFAULT; ++ return val; + } + } + +@@ -803,7 +837,7 @@ + return 0; + } + +-static int pss_coproc_ioctl(void *dev_info, unsigned int cmd, caddr_t arg, int local) ++static int pss_coproc_ioctl(void *dev_info, unsigned int cmd, void __user *arg, int local) + { + copr_buffer *buf; + copr_msg *mbuf; +--- 1.15/sound/oss/msnd_pinnacle.c 2004-07-21 14:51:56 -07:00 ++++ 1.16/sound/oss/msnd_pinnacle.c 2004-07-21 14:51:56 -07:00 +@@ -809,7 +809,7 @@ + + static __inline__ int pack_DARQ_to_DARF(register int bank) + { +- register int size, n, timeout = 3; ++ register int size, timeout = 3; + register WORD wTmp; + LPDAQD DAQD; + +@@ -830,13 +830,10 @@ + /* Read data from the head (unprotected bank 1 access okay + since this is only called inside an interrupt) */ + outb(HPBLKSEL_1, dev.io + HP_BLKS); +- if ((n = msnd_fifo_write( ++ msnd_fifo_write( + &dev.DARF, + (char *)(dev.base + bank * DAR_BUFF_SIZE), +- size, 0)) <= 0) { +- outb(HPBLKSEL_0, dev.io + HP_BLKS); +- return n; +- } ++ size); + outb(HPBLKSEL_0, dev.io + HP_BLKS); + + return 1; +@@ -858,21 +855,16 @@ + if (protect) { + /* Critical section: protect fifo in non-interrupt */ + spin_lock_irqsave(&dev.lock, flags); +- if ((n = msnd_fifo_read( ++ n = msnd_fifo_read( + &dev.DAPF, + (char *)(dev.base + bank_num * DAP_BUFF_SIZE), +- DAP_BUFF_SIZE, 0)) < 0) { +- spin_unlock_irqrestore(&dev.lock, flags); +- return n; +- } ++ DAP_BUFF_SIZE); + spin_unlock_irqrestore(&dev.lock, flags); + } else { +- if ((n = msnd_fifo_read( ++ n = msnd_fifo_read( + &dev.DAPF, + (char *)(dev.base + bank_num * DAP_BUFF_SIZE), +- DAP_BUFF_SIZE, 0)) < 0) { +- return n; +- } ++ DAP_BUFF_SIZE); + } + if (!n) + break; +@@ -899,30 +891,43 @@ + static int dsp_read(char *buf, size_t len) + { + int count = len; ++ char *page = (char *)__get_free_page(PAGE_SIZE); ++ ++ if (!page) ++ return -ENOMEM; + + while (count > 0) { +- int n; ++ int n, k; + unsigned long flags; + ++ k = PAGE_SIZE; ++ if (k > count) ++ k = count; ++ + /* Critical section: protect fifo in non-interrupt */ + spin_lock_irqsave(&dev.lock, flags); +- if ((n = msnd_fifo_read(&dev.DARF, buf, count, 1)) < 0) { +- printk(KERN_WARNING LOGNAME ": FIFO read error\n"); +- spin_unlock_irqrestore(&dev.lock, flags); +- return n; +- } ++ n = msnd_fifo_read(&dev.DARF, page, k); + spin_unlock_irqrestore(&dev.lock, flags); ++ if (copy_to_user(buf, page, n)) { ++ free_page((unsigned long)page); ++ return -EFAULT; ++ } + buf += n; + count -= n; + ++ if (n == k && count) ++ continue; ++ + if (!test_bit(F_READING, &dev.flags) && dev.mode & FMODE_READ) { + dev.last_recbank = -1; + if (chk_send_dsp_cmd(&dev, HDEX_RECORD_START) == 0) + set_bit(F_READING, &dev.flags); + } + +- if (dev.rec_ndelay) ++ if (dev.rec_ndelay) { ++ free_page((unsigned long)page); + return count == len ? -EAGAIN : len - count; ++ } + + if (count > 0) { + set_bit(F_READBLOCK, &dev.flags); +@@ -931,41 +936,57 @@ + get_rec_delay_jiffies(DAR_BUFF_SIZE))) + clear_bit(F_READING, &dev.flags); + clear_bit(F_READBLOCK, &dev.flags); +- if (signal_pending(current)) ++ if (signal_pending(current)) { ++ free_page((unsigned long)page); + return -EINTR; ++ } + } + } +- ++ free_page((unsigned long)page); + return len - count; + } + + static int dsp_write(const char *buf, size_t len) + { + int count = len; ++ char *page = (char *)__get_free_page(GFP_KERNEL); ++ ++ if (!page) ++ return -ENOMEM; + + while (count > 0) { +- int n; ++ int n, k; + unsigned long flags; + ++ k = PAGE_SIZE; ++ if (k > count) ++ k = count; ++ ++ if (copy_from_user(page, buf, k)) { ++ free_page((unsigned long)page); ++ return -EFAULT; ++ } ++ + /* Critical section: protect fifo in non-interrupt */ + spin_lock_irqsave(&dev.lock, flags); +- if ((n = msnd_fifo_write(&dev.DAPF, buf, count, 1)) < 0) { +- printk(KERN_WARNING LOGNAME ": FIFO write error\n"); +- spin_unlock_irqrestore(&dev.lock, flags); +- return n; +- } ++ n = msnd_fifo_write(&dev.DAPF, page, k); + spin_unlock_irqrestore(&dev.lock, flags); + buf += n; + count -= n; + ++ if (count && n == k) ++ continue; ++ + if (!test_bit(F_WRITING, &dev.flags) && (dev.mode & FMODE_WRITE)) { + dev.last_playbank = -1; + if (pack_DAPF_to_DAPQ(1) > 0) + set_bit(F_WRITING, &dev.flags); + } + +- if (dev.play_ndelay) ++ if (dev.play_ndelay) { ++ free_page((unsigned long)page); + return count == len ? -EAGAIN : len - count; ++ } + + if (count > 0) { + set_bit(F_WRITEBLOCK, &dev.flags); +@@ -973,11 +994,14 @@ + &dev.writeblock, + get_play_delay_jiffies(DAP_BUFF_SIZE)); + clear_bit(F_WRITEBLOCK, &dev.flags); +- if (signal_pending(current)) ++ if (signal_pending(current)) { ++ free_page((unsigned long)page); + return -EINTR; ++ } + } + } + ++ free_page((unsigned long)page); + return len - count; + } + +--- 1.2/sound/oss/msnd.h 2004-07-21 14:52:24 -07:00 ++++ 1.3/sound/oss/msnd.h 2004-07-21 14:52:24 -07:00 +@@ -266,8 +266,8 @@ + void msnd_fifo_free(msnd_fifo *f); + int msnd_fifo_alloc(msnd_fifo *f, size_t n); + void msnd_fifo_make_empty(msnd_fifo *f); +-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user); +-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user); ++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len); ++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len); + + int msnd_wait_TXDE(multisound_dev_t *dev); + int msnd_wait_HC0(multisound_dev_t *dev); +--- 1.8/sound/oss/msnd.c 2004-07-21 14:52:37 -07:00 ++++ 1.9/sound/oss/msnd.c 2004-07-21 14:52:37 -07:00 +@@ -139,13 +139,10 @@ + f->len = f->tail = f->head = 0; + } + +-int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len, int user) ++int msnd_fifo_write(msnd_fifo *f, const char *buf, size_t len) + { + int count = 0; + +- if (f->len == f->n) +- return 0; +- + while ((count < len) && (f->len != f->n)) { + + int nwritten; +@@ -161,11 +158,7 @@ + nwritten = len - count; + } + +- if (user) { +- if (copy_from_user(f->data + f->tail, buf, nwritten)) +- return -EFAULT; +- } else +- isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten); ++ isa_memcpy_fromio(f->data + f->tail, (unsigned long) buf, nwritten); + + count += nwritten; + buf += nwritten; +@@ -177,13 +170,10 @@ + return count; + } + +-int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len, int user) ++int msnd_fifo_read(msnd_fifo *f, char *buf, size_t len) + { + int count = 0; + +- if (f->len == 0) +- return f->len; +- + while ((count < len) && (f->len > 0)) { + + int nread; +@@ -199,11 +189,7 @@ + nread = len - count; + } + +- if (user) { +- if (copy_to_user(buf, f->data + f->head, nread)) +- return -EFAULT; +- } else +- isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread); ++ isa_memcpy_toio((unsigned long) buf, f->data + f->head, nread); + + count += nread; + buf += nread; |