diff options
| author | Rahul Sharma <sharah@codeaurora.org> | 2017-07-19 10:52:17 +0530 |
|---|---|---|
| committer | Andy Sun <bins@codeaurora.org> | 2017-07-25 16:57:48 +0800 |
| commit | fa90d7b74faeb5a7dc934f8602c77ea39b049df7 (patch) | |
| tree | 613248b3cce7e174997a564a978834638a6eadf9 | |
| parent | 26bb59b7f41080009fb5a6507b76017b39daea29 (diff) | |
msm: ais: sensor: validating the flash initialization parameters
Copying the flash initialization parameters from userspace memory to
kernel memory and in turn checking for the validity of the flash
initialization parameters pointer sent from userspace
Change-Id: I9ecd0a5d320a68ef23fb8dd0d4eaab7f7da5f729
CR fixed: 2059812
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
| -rw-r--r-- | drivers/media/platform/msm/ais/sensor/flash/msm_flash.c | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c b/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c index a2a89b92c9f1..fb972aab481a 100644 --- a/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c +++ b/drivers/media/platform/msm/ais/sensor/flash/msm_flash.c @@ -497,23 +497,46 @@ static int32_t msm_flash_init( } flash_ctrl->flash_state = MSM_CAMERA_FLASH_INIT; - CDBG("Exit"); return 0; } -#ifdef CONFIG_COMPAT static int32_t msm_flash_init_prepare( struct msm_flash_ctrl_t *flash_ctrl, struct msm_flash_cfg_data_t *flash_data) { + #ifdef CONFIG_COMPAT + struct msm_flash_cfg_data_t flash_data_k; + struct msm_flash_init_info_t flash_init_info; + int32_t i = 0; + + if (!is_compat_task()) { + /*for 64-bit usecase,it need copy the data to local memory*/ + flash_data_k.cfg_type = flash_data->cfg_type; + for (i = 0; i < MAX_LED_TRIGGERS; i++) { + flash_data_k.flash_current[i] = + flash_data->flash_current[i]; + flash_data_k.flash_duration[i] = + flash_data->flash_duration[i]; + } + + flash_data_k.cfg.flash_init_info = &flash_init_info; + if (copy_from_user(&flash_init_info, + (void __user *)(flash_data->cfg.flash_init_info), + sizeof(struct msm_flash_init_info_t))) { + pr_err("%s copy_from_user failed %d\n", + __func__, __LINE__); + return -EFAULT; + } + return msm_flash_init(flash_ctrl, &flash_data_k); + } + /* + * for 32-bit usecase,it already copy the userspace + * data to local memory in msm_flash_subdev_do_ioctl() + * so here do not need copy from user + */ return msm_flash_init(flash_ctrl, flash_data); -} #else -static int32_t msm_flash_init_prepare( - struct msm_flash_ctrl_t *flash_ctrl, - struct msm_flash_cfg_data_t *flash_data) -{ struct msm_flash_cfg_data_t flash_data_k; struct msm_flash_init_info_t flash_init_info; int32_t i = 0; @@ -528,15 +551,15 @@ static int32_t msm_flash_init_prepare( flash_data_k.cfg.flash_init_info = &flash_init_info; if (copy_from_user(&flash_init_info, - (void *)(flash_data->cfg.flash_init_info), + (void __user *)(flash_data->cfg.flash_init_info), sizeof(struct msm_flash_init_info_t))) { pr_err("%s copy_from_user failed %d\n", __func__, __LINE__); return -EFAULT; } return msm_flash_init(flash_ctrl, &flash_data_k); -} #endif +} static int32_t msm_flash_low( struct msm_flash_ctrl_t *flash_ctrl, |