diff options
| author | Krishna Chaitanya Parimi <cparimi@codeaurora.org> | 2013-10-03 20:51:41 +0530 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-23 20:22:45 -0700 |
| commit | a637447cc1a8a72a799809fd3e8e041691b978be (patch) | |
| tree | b48df10fed68d52368f5e77c8be000d502be8fd0 | |
| parent | 497d13185607e4b6bed73503adc6d10231abbfdf (diff) | |
msm: mdss: fb: Copy & send unsigned value for notify update
Copy unsigned long from userspace and modify the data fields
before copying back unsigned long data to userspace. This
keeps the datatypes of all operands homogeneous without
data leaks from kernel to user land.
CRs-Fixed: 526286
Change-Id: Ie4673563170c3459019dd6a5f1f55376f6e560c7
Signed-off-by: Krishna Chaitanya Parimi <cparimi@codeaurora.org>
Signed-off-by: Manoj Rao <manojraj@codeaurora.org>
| -rw-r--r-- | drivers/video/fbdev/msm/mdss_fb.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c index 385390a37a48..eab529d5292d 100644 --- a/drivers/video/fbdev/msm/mdss_fb.c +++ b/drivers/video/fbdev/msm/mdss_fb.c @@ -108,9 +108,10 @@ void mdss_fb_no_update_notify_timer_cb(unsigned long data) static int mdss_fb_notify_update(struct msm_fb_data_type *mfd, unsigned long *argp) { - int ret, notify, to_user; + int ret; + unsigned long notify = 0x0, to_user = 0x0; - ret = copy_from_user(¬ify, argp, sizeof(int)); + ret = copy_from_user(¬ify, argp, sizeof(unsigned long)); if (ret) { pr_err("%s:ioctl failed\n", __func__); return ret; @@ -123,12 +124,12 @@ static int mdss_fb_notify_update(struct msm_fb_data_type *mfd, INIT_COMPLETION(mfd->update.comp); ret = wait_for_completion_interruptible_timeout( &mfd->update.comp, 4 * HZ); - to_user = mfd->update.value; + to_user = (unsigned int)mfd->update.value; } else if (notify == NOTIFY_UPDATE_STOP) { INIT_COMPLETION(mfd->no_update.comp); ret = wait_for_completion_interruptible_timeout( &mfd->no_update.comp, 4 * HZ); - to_user = mfd->no_update.value; + to_user = (unsigned int)mfd->no_update.value; } else { if (mfd->panel_power_on) { INIT_COMPLETION(mfd->power_off_comp); @@ -140,7 +141,7 @@ static int mdss_fb_notify_update(struct msm_fb_data_type *mfd, if (ret == 0) ret = -ETIMEDOUT; else if (ret > 0) - ret = copy_to_user(argp, &to_user, sizeof(int)); + ret = copy_to_user(argp, &to_user, sizeof(unsigned long)); return ret; } |