From a637447cc1a8a72a799809fd3e8e041691b978be Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Parimi
Date: Thu, 3 Oct 2013 20:51:41 +0530
Subject: msm: mdss: fb: Copy & send unsigned value for notify update

Copy unsigned long from userspace and modify the data fields before copying back unsigned long data to userspace. This keeps the datatypes of all operands homogeneous without data leaks from kernel to user land.

CRs-Fixed: 526286
Change-Id: Ie4673563170c3459019dd6a5f1f55376f6e560c7
Signed-off-by: Krishna Chaitanya Parimi
Signed-off-by: Manoj Rao
---
 drivers/video/fbdev/msm/mdss_fb.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_fb.c b/drivers/video/fbdev/msm/mdss_fb.c
index 385390a37a48..eab529d5292d 100644
--- a/drivers/video/fbdev/msm/mdss_fb.c
+++ b/drivers/video/fbdev/msm/mdss_fb.c
@@ -108,9 +108,10 @@ void mdss_fb_no_update_notify_timer_cb(unsigned long data)
 static int mdss_fb_notify_update(struct msm_fb_data_type *mfd,
 unsigned long *argp)
 {
- int ret, notify, to_user;
+ int ret;
+ unsigned long notify = 0x0, to_user = 0x0;
 
- ret = copy_from_user(¬ify, argp, sizeof(int));
+ ret = copy_from_user(¬ify, argp, sizeof(unsigned long));
 if (ret) {
 pr_err("%s:ioctl failed\n", __func__);
 return ret;
@@ -123,12 +124,12 @@ static int mdss_fb_notify_update(struct msm_fb_data_type *mfd,
 INIT_COMPLETION(mfd->update.comp);
 ret = wait_for_completion_interruptible_timeout(
 &mfd->update.comp, 4 * HZ);
- to_user = mfd->update.value;
+ to_user = (unsigned int)mfd->update.value;
 } else if (notify == NOTIFY_UPDATE_STOP) {
 INIT_COMPLETION(mfd->no_update.comp);
 ret = wait_for_completion_interruptible_timeout(
 &mfd->no_update.comp, 4 * HZ);
- to_user = mfd->no_update.value;
+ to_user = (unsigned int)mfd->no_update.value;
 } else {
 if (mfd->panel_power_on) {
 INIT_COMPLETION(mfd->power_off_comp);
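Review bot: Sizing both user copies with `sizeof(unsigned long)` makes the width of this ioctl's argument depend on the kernel's word size, so on a 64-bit kernel the `copy_from_user()` in this hunk reads 8 bytes and the `copy_to_user()` in the last hunk writes 8 bytes back. If the ioctl is declared with a 32-bit argument or is reachable from 32-bit callers (the definition is not visible in this patch), the write-back lands four bytes past the caller's variable. A fixed-width local keeps the zero-initialisation without tying the ABI to the word size: `unsigned int notify = 0, to_user = 0;` with `sizeof(notify)` and `sizeof(to_user)` in the two copies. The body of mdss_fb_notify_update continues outside this hunk.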
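Review bot: The `(unsigned int)` casts on `mfd->update.value` and `mfd->no_update.value` narrow the value to 32 bits immediately before it is widened again into the `unsigned long` `to_user`, and nothing in the hunk says why. If those fields are signed (their declaration is outside this patch), a negative value would now reach userspace zero-extended rather than sign-extended on a 64-bit kernel. Either drop the casts or state the intent next to them, for example `/* value is a 32-bit flag; upper bits of to_user stay zero */`. The else branch that follows leaves `to_user` at its initialiser and continues outside the hunk.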
@@ -140,7 +141,7 @@ static int mdss_fb_notify_update(struct msm_fb_data_type *mfd,
 if (ret == 0)
 ret = -ETIMEDOUT;
 else if (ret > 0)
- ret = copy_to_user(argp, &to_user, sizeof(int));
+ ret = copy_to_user(argp, &to_user, sizeof(unsigned long));
 return ret;
 }
 
-- 
cgit v1.2.3
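Review bot: `copy_to_user()` returns the number of bytes it could not copy, so a faulting `argp` makes this function return a positive count rather than an error code; the `copy_from_user()` failure path in the first hunk does the same with `return ret;`. Whether the ioctl dispatcher normalises that value is not visible here, so it is safer to map it locally: `ret = copy_to_user(argp, &to_user, sizeof(to_user)) ? -EFAULT : 0;` here and `return -EFAULT;` after the `pr_err()` in the first hunk. A negative `ret` from an interrupted wait already passes through these branches unchanged.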