917791e434
commit 0a7790be182d32b9b332a37cb4206e24fe94b728 upstream.
The saa6588_ioctl() function expects to get called from other kernel
functions with a 'saa6588_command' pointer, but I found nothing stops it
from getting called from user space instead, which seems rather dangerous.
The same thing happens in the davinci vpbe driver with its VENC_GET_FLD
command.
As a quick fix, add a separate .command() callback pointer for this
driver and change the two callers over to that. This change can easily
get backported to stable kernels if necessary, but since there are only
two drivers, we may want to eventually replace this with a set of more
specialized callbacks in the long run.
Fixes:
|
||
---|---|---|
.. | ||
davinci | ||
drv-intf | ||
i2c | ||
tpg | ||
cec-notifier.h | ||
cec-pin.h | ||
cec.h | ||
demux.h | ||
dmxdev.h | ||
dvb_ca_en50221.h | ||
dvb_demux.h | ||
dvb_frontend.h | ||
dvb_math.h | ||
dvb_net.h | ||
dvb_ringbuffer.h | ||
dvb_vb2.h | ||
dvb-usb-ids.h | ||
dvbdev.h | ||
fwht-ctrls.h | ||
h264-ctrls.h | ||
imx.h | ||
media-dev-allocator.h | ||
media-device.h | ||
media-devnode.h | ||
media-entity.h | ||
media-request.h | ||
mpeg2-ctrls.h | ||
rc-core.h | ||
rc-map.h | ||
rcar-fcp.h | ||
soc_camera.h | ||
tuner-types.h | ||
tuner.h | ||
tveeprom.h | ||
v4l2-async.h | ||
v4l2-clk.h | ||
v4l2-common.h | ||
v4l2-ctrls.h | ||
v4l2-dev.h | ||
v4l2-device.h | ||
v4l2-dv-timings.h | ||
v4l2-event.h | ||
v4l2-fh.h | ||
v4l2-flash-led-class.h | ||
v4l2-fwnode.h | ||
v4l2-image-sizes.h | ||
v4l2-ioctl.h | ||
v4l2-mc.h | ||
v4l2-mediabus.h | ||
v4l2-mem2mem.h | ||
v4l2-rect.h | ||
v4l2-subdev.h | ||
videobuf2-core.h | ||
videobuf2-dma-contig.h | ||
videobuf2-dma-sg.h | ||
videobuf2-dvb.h | ||
videobuf2-memops.h | ||
videobuf2-v4l2.h | ||
videobuf2-vmalloc.h | ||
videobuf-core.h | ||
videobuf-dma-contig.h | ||
videobuf-dma-sg.h | ||
videobuf-vmalloc.h | ||
vp8-ctrls.h | ||
vsp1.h |