authorHaibin Liu <haibinl@codeaurora.org>2018-09-10 16:02:44 +0800
committerGerrit - the friendly Code Review server <code-review@localhost>2018-09-18 20:28:53 -0700
commitd87b566e739ac6c309ba78dce3a218cefaacb0dc (patch)
tree6d11607b4da37b62cf3a039649e1514fe89e67b5
parent727593cbf7ebb6782b2b3b45a951cc8ccc03a788 (diff)
msm: camera: Fix arbitrary kernel write
With a 64-bit kernel and 32-bit userspace, ioctl_ptr comes from kernel space, so copy_from_user should NOT be called. With a 64-bit kernel and 64-bit userspace, ioctl_ptr comes from user space, so use copy_from_user to copy the data. Use is_compat_task to distinguish the two conditions. CRs-Fixed: 2283160 Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97 Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
-rw-r--r--drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
index 58bfdb77a492..bf5296e6d071 100644
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -570,15 +570,13 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
k_ioctl = *ptr;
switch (k_ioctl.id) {
case MSM_CAMERA_BUF_MNGR_IOCTL_ID_GET_BUF_BY_IDX: {
+ struct msm_buf_mngr_info buf_info, *tmp = NULL;
if (k_ioctl.size != sizeof(struct msm_buf_mngr_info))
return -EINVAL;
if (!k_ioctl.ioctl_ptr)
return -EINVAL;
-#ifndef CONFIG_COMPAT
- {
- struct msm_buf_mngr_info buf_info, *tmp = NULL;
-
+ if (!is_compat_task()) {
MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
&k_ioctl.ioctl_ptr, sizeof(tmp));
if (copy_from_user(&buf_info, tmp,
@@ -587,7 +585,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
}
k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;
}
-#endif
+
argp = &k_ioctl;
rc = msm_cam_buf_mgr_ops(cmd, argp);
}
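Review bot: The `if (!is_compat_task())` branch added in the preceding hunk decides whether `k_ioctl.ioctl_ptr` is a user or a kernel address from the calling task's ABI, not from the path that filled it in. Nothing visible here documents or enforces that every 32-bit caller arrives through a compat handler that has already replaced the pointer with a kernel copy. If any route lets a compat task reach this case with its original user-supplied value, `msm_cam_buf_mgr_ops(cmd, argp)` would still treat that value as a kernel address, which looks like the same class of problem the commit sets out to fix. I would state the invariant above the branch, e.g. `/* compat callers: ioctl_ptr already points at a kernel copy made by the compat ioctl handler */`, and confirm that handler is the only entry point for 32-bit tasks. The enclosing function starts and ends outside the hunk, so the callers cannot be checked from here.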