[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201012221650.17394.arnd@arndb.de>
Date: Wed, 22 Dec 2010 16:50:17 +0100
From: Arnd Bergmann <arnd@...db.de>
To: Andreas Oberritter <obi@...uxtv.org>
Cc: Thiago Farina <tfransosi@...il.com>, linux-kernel@...r.kernel.org,
Guennadi Liakhovetski <g.liakhovetski@....de>,
Mauro Carvalho Chehab <mchehab@...radead.org>,
linux-media@...r.kernel.org
Subject: Re: [PATCH v2] drivers/media/video/v4l2-compat-ioctl32.c: Check the return value of copy_to_user
On Wednesday 22 December 2010 15:14:49 Andreas Oberritter wrote:
> > diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
> > index e30e8df..6f2a022 100644
> > --- a/drivers/media/video/v4l2-compat-ioctl32.c
> > +++ b/drivers/media/video/v4l2-compat-ioctl32.c
> > @@ -201,14 +201,12 @@ static struct video_code __user *get_microcode32(struct video_code32 *kp)
> >
> > up = compat_alloc_user_space(sizeof(*up));
>
> I don't know anything about that code, but I assume that "up" should be
> checked for NULL before use and should be freed in case an error occurs
> below.
>
No, that's fine. compat_alloc_user_space() is very special -- the allocated
memory is on the user stack and automatically gets freed when the kernel
returns to user space.
We treat the resulting pointer like any other user pointer, i.e. we only
ever access it using {get,put}_user and copy_{from,to}_user, which check
that it's pointing to real user memory. A null pointer here would only
mean that the user had an invalid stack pointer before entering the kernel,
but causes no more problems than passing NULL as the ioctl argument.
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists