summaryrefslogtreecommitdiffstats
path: root/include/media
diff options
context:
space:
mode:
authorArnd Bergmann <arnd@arndb.de>2021-06-14 12:34:09 +0200
committerMauro Carvalho Chehab <mchehab+huawei@kernel.org>2021-06-17 10:18:37 +0200
commit0a7790be182d32b9b332a37cb4206e24fe94b728 (patch)
tree0af9820ab8c7f6c58afe4e4de4da2335496176ad /include/media
parentb4c650f1af68251f1970aecfc3c2fceec1552da2 (diff)
downloadlinux-0a7790be182d32b9b332a37cb4206e24fe94b728.tar.bz2
media: subdev: disallow ioctl for saa6588/davinci
The saa6588_ioctl() function expects to get called from other kernel functions with a 'saa6588_command' pointer, but I found nothing stops it from getting called from user space instead, which seems rather dangerous. The same thing happens in the davinci vpbe driver with its VENC_GET_FLD command. As a quick fix, add a separate .command() callback pointer for this driver and change the two callers over to that. This change can easily get backported to stable kernels if necessary, but since there are only two drivers, we may want to eventually replace this with a set of more specialized callbacks in the long run. Fixes: c3fda7f835b0 ("V4L/DVB (10537): saa6588: convert to v4l2_subdev.") Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Diffstat (limited to 'include/media')
-rw-r--r--include/media/v4l2-subdev.h4
1 files changed, 4 insertions, 0 deletions
diff --git a/include/media/v4l2-subdev.h b/include/media/v4l2-subdev.h
index 89115ba4c0f2..95f8bfd63273 100644
--- a/include/media/v4l2-subdev.h
+++ b/include/media/v4l2-subdev.h
@@ -162,6 +162,9 @@ struct v4l2_subdev_io_pin_config {
* @s_gpio: set GPIO pins. Very simple right now, might need to be extended with
* a direction argument if needed.
*
+ * @command: called by in-kernel drivers in order to call functions internal
+ * to subdev drivers driver that have a separate callback.
+ *
* @ioctl: called at the end of ioctl() syscall handler at the V4L2 core.
* used to provide support for private ioctls used on the driver.
*
@@ -193,6 +196,7 @@ struct v4l2_subdev_core_ops {
int (*load_fw)(struct v4l2_subdev *sd);
int (*reset)(struct v4l2_subdev *sd, u32 val);
int (*s_gpio)(struct v4l2_subdev *sd, u32 val);
+ long (*command)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
long (*ioctl)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
#ifdef CONFIG_COMPAT
long (*compat_ioctl32)(struct v4l2_subdev *sd, unsigned int cmd,