Loading drivers/video/fbdev/msm/mdss_compat_utils.c +86 −62 Original line number Original line Diff line number Diff line Loading @@ -2879,26 +2879,28 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); if (*pp == NULL) if (*pp == NULL) return -ENOMEM; return -ENOMEM; memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; (*pp)->data.lut_cfg_data.data.pgc_lut_data.r_data = if (put_user((struct mdp_ar_gc_lut_data *) (struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), (*pp)->data.lut_cfg_data.data.pgc_lut_data.g_data = &(*pp)->data.lut_cfg_data.data.pgc_lut_data.r_data) || (struct mdp_ar_gc_lut_data *) put_user((struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + pgc_size); pgc_size), (*pp)->data.lut_cfg_data.data.pgc_lut_data.b_data = &(*pp)->data.lut_cfg_data.data.pgc_lut_data.g_data) || (struct mdp_ar_gc_lut_data *) put_user((struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + (2 * pgc_size)); (2 * pgc_size)), (*pp)->data.lut_cfg_data.data.pgc_lut_data.cfg_payload &(*pp)->data.lut_cfg_data.data.pgc_lut_data.b_data) || = (void *)((unsigned long) *pp + put_user((void *)((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + (3 * pgc_size)); (3 * pgc_size)), &(*pp)->data.lut_cfg_data.data. pgc_lut_data.cfg_payload)) return -EFAULT; break; break; case mdp_lut_igc: case mdp_lut_igc: alloc_size += __pp_compat_size_igc(); alloc_size += __pp_compat_size_igc(); Loading @@ -2908,10 +2910,13 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.lut_cfg_data.data.igc_lut_data.cfg_payload return -EFAULT; = (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.lut_cfg_data.data. igc_lut_data.cfg_payload)) return -EFAULT; break; break; case mdp_lut_hist: case mdp_lut_hist: alloc_size += __pp_compat_size_hist_lut(); alloc_size += __pp_compat_size_hist_lut(); Loading @@ -2921,10 +2926,13 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.lut_cfg_data.data.hist_lut_data.cfg_payload return -EFAULT; = (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.lut_cfg_data.data. hist_lut_data.cfg_payload)) return -EFAULT; break; break; default: default: *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); Loading @@ -2933,7 +2941,8 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size, lut_type); alloc_size, lut_type); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; break; break; } } break; break; Loading @@ -2945,10 +2954,12 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.pcc_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.pcc_cfg_data.cfg_payload)) return -EFAULT; break; break; case mdp_op_gamut_cfg: case mdp_op_gamut_cfg: alloc_size += __pp_compat_size_gamut(); alloc_size += __pp_compat_size_gamut(); Loading @@ -2958,10 +2969,12 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.gamut_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.gamut_cfg_data.cfg_payload)) return -EFAULT; break; break; case mdp_op_pa_v2_cfg: case mdp_op_pa_v2_cfg: alloc_size += __pp_compat_size_pa(); alloc_size += __pp_compat_size_pa(); Loading @@ -2971,16 +2984,19 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.pa_v2_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.pa_v2_cfg_data.cfg_payload)) return -EFAULT; break; break; default: default: *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); if (*pp == NULL) if (*pp == NULL) return -ENOMEM; return -ENOMEM; memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; break; break; } } return 0; return 0; Loading Loading @@ -3398,7 +3414,9 @@ static int mdss_histo_compat_ioctl(struct fb_info *info, unsigned int cmd, sizeof(struct mdp_histogram_start_req)); sizeof(struct mdp_histogram_start_req)); return -EINVAL; return -EINVAL; } } memset(hist_req, 0, sizeof(struct mdp_histogram_start_req)); if (clear_user(hist_req, sizeof(struct mdp_histogram_start_req))) return -EFAULT; ret = __from_user_hist_start_req(hist_req32, hist_req); ret = __from_user_hist_start_req(hist_req32, hist_req); if (ret) if (ret) goto histo_compat_err; goto histo_compat_err; Loading @@ -3418,7 +3436,8 @@ static int mdss_histo_compat_ioctl(struct fb_info *info, unsigned int cmd, sizeof(struct mdp_histogram_data)); sizeof(struct mdp_histogram_data)); return -EINVAL; return -EINVAL; } } memset(hist, 0, sizeof(struct mdp_histogram_data)); if (clear_user(hist, sizeof(struct mdp_histogram_data))) return -EFAULT; ret = __from_user_hist_data(hist32, hist); ret = __from_user_hist_data(hist32, hist); if (ret) if (ret) goto histo_compat_err; goto histo_compat_err; Loading Loading @@ -3921,7 +3940,7 @@ static int __to_user_mdp_overlay(struct mdp_overlay32 __user *ov32, } } static int __from_user_mdp_overlay(struct mdp_overlay *ov, static int __from_user_mdp_overlay(struct mdp_overlay __user *ov, struct mdp_overlay32 __user *ov32) struct mdp_overlay32 __user *ov32) { { __u32 data; __u32 data; Loading Loading @@ -3980,12 +3999,12 @@ static int __from_user_mdp_overlay(struct mdp_overlay *ov, return 0; return 0; } } static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, static int __from_user_mdp_overlaylist(struct mdp_overlay_list __user *ovlist, struct mdp_overlay_list32 *ovlist32, struct mdp_overlay_list32 __user *ovlist32, struct mdp_overlay **to_list_head) struct mdp_overlay **to_list_head) { { __u32 i, ret; __u32 i, ret; unsigned long data, from_list_head; unsigned long data, from_list_head, num_overlays; struct mdp_overlay32 *iter; struct mdp_overlay32 *iter; if (!to_list_head || !ovlist32 || !ovlist) { if (!to_list_head || !ovlist32 || !ovlist) { Loading @@ -4006,11 +4025,13 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, sizeof(ovlist32->processed_overlays))) sizeof(ovlist32->processed_overlays))) return -EFAULT; return -EFAULT; if (get_user(data, &ovlist32->overlay_list)) { if (get_user(data, &ovlist32->overlay_list) || get_user(num_overlays, &ovlist32->num_overlays)) { ret = -EFAULT; ret = -EFAULT; goto validate_exit; goto validate_exit; } } for (i = 0; i < ovlist32->num_overlays; i++) { for (i = 0; i < num_overlays; i++) { if (get_user(from_list_head, (__u32 *)data + i)) { if (get_user(from_list_head, (__u32 *)data + i)) { ret = -EFAULT; ret = -EFAULT; goto validate_exit; goto validate_exit; Loading @@ -4023,7 +4044,8 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, goto validate_exit; goto validate_exit; } } } } ovlist->overlay_list = to_list_head; if (put_user(to_list_head, &ovlist->overlay_list)) return -EFAULT; return 0; return 0; Loading @@ -4032,8 +4054,8 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, return -EFAULT; return -EFAULT; } } static int __to_user_mdp_overlaylist(struct mdp_overlay_list32 *ovlist32, static int __to_user_mdp_overlaylist(struct mdp_overlay_list32 __user *ovlist32, struct mdp_overlay_list *ovlist, struct mdp_overlay_list __user *ovlist, struct mdp_overlay **l_ptr) struct mdp_overlay **l_ptr) { { __u32 i, ret; __u32 i, ret; Loading Loading @@ -4106,31 +4128,33 @@ static u32 __pp_sspp_size(void) return size; return size; } } static int __pp_sspp_set_offsets(struct mdp_overlay *ov) static int __pp_sspp_set_offsets(struct mdp_overlay __user *ov) { { if (!ov) { if (!ov) { pr_err("invalid overlay pointer\n"); pr_err("invalid overlay pointer\n"); return -EFAULT; return -EFAULT; } } ov->overlay_pp_cfg.igc_cfg.cfg_payload = (void *)((unsigned long)ov + if (put_user((void *)((unsigned long)ov + sizeof(struct mdp_overlay)), sizeof(struct mdp_overlay)); &(ov->overlay_pp_cfg.igc_cfg.cfg_payload)) || ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload = put_user(ov->overlay_pp_cfg.igc_cfg.cfg_payload + ov->overlay_pp_cfg.igc_cfg.cfg_payload + sizeof(struct mdp_igc_lut_data_v1_7), sizeof(struct mdp_igc_lut_data_v1_7); &(ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload)) || ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload = put_user(ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload + ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload + sizeof(struct mdp_pa_data_v1_7), sizeof(struct mdp_pa_data_v1_7); &(ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload)) || ov->overlay_pp_cfg.hist_lut_cfg.cfg_payload = put_user(ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload + ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload + sizeof(struct mdp_pcc_data_v1_7), sizeof(struct mdp_pcc_data_v1_7); &(ov->overlay_pp_cfg.hist_lut_cfg.cfg_payload))) return -EFAULT; return 0; return 0; } } int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd, int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg, struct file *file) unsigned long arg, struct file *file) { { struct mdp_overlay *ov, **layers_head; struct mdp_overlay **layers_head; struct mdp_overlay32 *ov32; struct mdp_overlay __user *ov; struct mdp_overlay32 __user *ov32; struct mdp_overlay_list __user *ovlist; struct mdp_overlay_list __user *ovlist; struct mdp_overlay_list32 __user *ovlist32; struct mdp_overlay_list32 __user *ovlist32; size_t layers_refs_sz, layers_sz, prepare_sz; size_t layers_refs_sz, layers_sz, prepare_sz; Loading Loading
drivers/video/fbdev/msm/mdss_compat_utils.c +86 −62 Original line number Original line Diff line number Diff line Loading @@ -2879,26 +2879,28 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); if (*pp == NULL) if (*pp == NULL) return -ENOMEM; return -ENOMEM; memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; (*pp)->data.lut_cfg_data.data.pgc_lut_data.r_data = if (put_user((struct mdp_ar_gc_lut_data *) (struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), (*pp)->data.lut_cfg_data.data.pgc_lut_data.g_data = &(*pp)->data.lut_cfg_data.data.pgc_lut_data.r_data) || (struct mdp_ar_gc_lut_data *) put_user((struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + pgc_size); pgc_size), (*pp)->data.lut_cfg_data.data.pgc_lut_data.b_data = &(*pp)->data.lut_cfg_data.data.pgc_lut_data.g_data) || (struct mdp_ar_gc_lut_data *) put_user((struct mdp_ar_gc_lut_data *) ((unsigned long) *pp + ((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + (2 * pgc_size)); (2 * pgc_size)), (*pp)->data.lut_cfg_data.data.pgc_lut_data.cfg_payload &(*pp)->data.lut_cfg_data.data.pgc_lut_data.b_data) || = (void *)((unsigned long) *pp + put_user((void *)((unsigned long) *pp + sizeof(struct msmfb_mdp_pp) + sizeof(struct msmfb_mdp_pp) + (3 * pgc_size)); (3 * pgc_size)), &(*pp)->data.lut_cfg_data.data. pgc_lut_data.cfg_payload)) return -EFAULT; break; break; case mdp_lut_igc: case mdp_lut_igc: alloc_size += __pp_compat_size_igc(); alloc_size += __pp_compat_size_igc(); Loading @@ -2908,10 +2910,13 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.lut_cfg_data.data.igc_lut_data.cfg_payload return -EFAULT; = (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.lut_cfg_data.data. igc_lut_data.cfg_payload)) return -EFAULT; break; break; case mdp_lut_hist: case mdp_lut_hist: alloc_size += __pp_compat_size_hist_lut(); alloc_size += __pp_compat_size_hist_lut(); Loading @@ -2921,10 +2926,13 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.lut_cfg_data.data.hist_lut_data.cfg_payload return -EFAULT; = (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.lut_cfg_data.data. hist_lut_data.cfg_payload)) return -EFAULT; break; break; default: default: *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); Loading @@ -2933,7 +2941,8 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size, lut_type); alloc_size, lut_type); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; break; break; } } break; break; Loading @@ -2945,10 +2954,12 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.pcc_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.pcc_cfg_data.cfg_payload)) return -EFAULT; break; break; case mdp_op_gamut_cfg: case mdp_op_gamut_cfg: alloc_size += __pp_compat_size_gamut(); alloc_size += __pp_compat_size_gamut(); Loading @@ -2958,10 +2969,12 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.gamut_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.gamut_cfg_data.cfg_payload)) return -EFAULT; break; break; case mdp_op_pa_v2_cfg: case mdp_op_pa_v2_cfg: alloc_size += __pp_compat_size_pa(); alloc_size += __pp_compat_size_pa(); Loading @@ -2971,16 +2984,19 @@ static int __pp_compat_alloc(struct msmfb_mdp_pp32 __user *pp32, alloc_size); alloc_size); return -ENOMEM; return -ENOMEM; } } memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) (*pp)->data.pa_v2_cfg_data.cfg_payload = return -EFAULT; (void *)((unsigned long)(*pp) + if (put_user((void *)((unsigned long)(*pp) + sizeof(struct msmfb_mdp_pp)); sizeof(struct msmfb_mdp_pp)), &(*pp)->data.pa_v2_cfg_data.cfg_payload)) return -EFAULT; break; break; default: default: *pp = compat_alloc_user_space(alloc_size); *pp = compat_alloc_user_space(alloc_size); if (*pp == NULL) if (*pp == NULL) return -ENOMEM; return -ENOMEM; memset(*pp, 0, alloc_size); if (clear_user(*pp, alloc_size)) return -EFAULT; break; break; } } return 0; return 0; Loading Loading @@ -3398,7 +3414,9 @@ static int mdss_histo_compat_ioctl(struct fb_info *info, unsigned int cmd, sizeof(struct mdp_histogram_start_req)); sizeof(struct mdp_histogram_start_req)); return -EINVAL; return -EINVAL; } } memset(hist_req, 0, sizeof(struct mdp_histogram_start_req)); if (clear_user(hist_req, sizeof(struct mdp_histogram_start_req))) return -EFAULT; ret = __from_user_hist_start_req(hist_req32, hist_req); ret = __from_user_hist_start_req(hist_req32, hist_req); if (ret) if (ret) goto histo_compat_err; goto histo_compat_err; Loading @@ -3418,7 +3436,8 @@ static int mdss_histo_compat_ioctl(struct fb_info *info, unsigned int cmd, sizeof(struct mdp_histogram_data)); sizeof(struct mdp_histogram_data)); return -EINVAL; return -EINVAL; } } memset(hist, 0, sizeof(struct mdp_histogram_data)); if (clear_user(hist, sizeof(struct mdp_histogram_data))) return -EFAULT; ret = __from_user_hist_data(hist32, hist); ret = __from_user_hist_data(hist32, hist); if (ret) if (ret) goto histo_compat_err; goto histo_compat_err; Loading Loading @@ -3921,7 +3940,7 @@ static int __to_user_mdp_overlay(struct mdp_overlay32 __user *ov32, } } static int __from_user_mdp_overlay(struct mdp_overlay *ov, static int __from_user_mdp_overlay(struct mdp_overlay __user *ov, struct mdp_overlay32 __user *ov32) struct mdp_overlay32 __user *ov32) { { __u32 data; __u32 data; Loading Loading @@ -3980,12 +3999,12 @@ static int __from_user_mdp_overlay(struct mdp_overlay *ov, return 0; return 0; } } static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, static int __from_user_mdp_overlaylist(struct mdp_overlay_list __user *ovlist, struct mdp_overlay_list32 *ovlist32, struct mdp_overlay_list32 __user *ovlist32, struct mdp_overlay **to_list_head) struct mdp_overlay **to_list_head) { { __u32 i, ret; __u32 i, ret; unsigned long data, from_list_head; unsigned long data, from_list_head, num_overlays; struct mdp_overlay32 *iter; struct mdp_overlay32 *iter; if (!to_list_head || !ovlist32 || !ovlist) { if (!to_list_head || !ovlist32 || !ovlist) { Loading @@ -4006,11 +4025,13 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, sizeof(ovlist32->processed_overlays))) sizeof(ovlist32->processed_overlays))) return -EFAULT; return -EFAULT; if (get_user(data, &ovlist32->overlay_list)) { if (get_user(data, &ovlist32->overlay_list) || get_user(num_overlays, &ovlist32->num_overlays)) { ret = -EFAULT; ret = -EFAULT; goto validate_exit; goto validate_exit; } } for (i = 0; i < ovlist32->num_overlays; i++) { for (i = 0; i < num_overlays; i++) { if (get_user(from_list_head, (__u32 *)data + i)) { if (get_user(from_list_head, (__u32 *)data + i)) { ret = -EFAULT; ret = -EFAULT; goto validate_exit; goto validate_exit; Loading @@ -4023,7 +4044,8 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, goto validate_exit; goto validate_exit; } } } } ovlist->overlay_list = to_list_head; if (put_user(to_list_head, &ovlist->overlay_list)) return -EFAULT; return 0; return 0; Loading @@ -4032,8 +4054,8 @@ static int __from_user_mdp_overlaylist(struct mdp_overlay_list *ovlist, return -EFAULT; return -EFAULT; } } static int __to_user_mdp_overlaylist(struct mdp_overlay_list32 *ovlist32, static int __to_user_mdp_overlaylist(struct mdp_overlay_list32 __user *ovlist32, struct mdp_overlay_list *ovlist, struct mdp_overlay_list __user *ovlist, struct mdp_overlay **l_ptr) struct mdp_overlay **l_ptr) { { __u32 i, ret; __u32 i, ret; Loading Loading @@ -4106,31 +4128,33 @@ static u32 __pp_sspp_size(void) return size; return size; } } static int __pp_sspp_set_offsets(struct mdp_overlay *ov) static int __pp_sspp_set_offsets(struct mdp_overlay __user *ov) { { if (!ov) { if (!ov) { pr_err("invalid overlay pointer\n"); pr_err("invalid overlay pointer\n"); return -EFAULT; return -EFAULT; } } ov->overlay_pp_cfg.igc_cfg.cfg_payload = (void *)((unsigned long)ov + if (put_user((void *)((unsigned long)ov + sizeof(struct mdp_overlay)), sizeof(struct mdp_overlay)); &(ov->overlay_pp_cfg.igc_cfg.cfg_payload)) || ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload = put_user(ov->overlay_pp_cfg.igc_cfg.cfg_payload + ov->overlay_pp_cfg.igc_cfg.cfg_payload + sizeof(struct mdp_igc_lut_data_v1_7), sizeof(struct mdp_igc_lut_data_v1_7); &(ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload)) || ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload = put_user(ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload + ov->overlay_pp_cfg.pa_v2_cfg_data.cfg_payload + sizeof(struct mdp_pa_data_v1_7), sizeof(struct mdp_pa_data_v1_7); &(ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload)) || ov->overlay_pp_cfg.hist_lut_cfg.cfg_payload = put_user(ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload + ov->overlay_pp_cfg.pcc_cfg_data.cfg_payload + sizeof(struct mdp_pcc_data_v1_7), sizeof(struct mdp_pcc_data_v1_7); &(ov->overlay_pp_cfg.hist_lut_cfg.cfg_payload))) return -EFAULT; return 0; return 0; } } int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd, int mdss_compat_overlay_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg, struct file *file) unsigned long arg, struct file *file) { { struct mdp_overlay *ov, **layers_head; struct mdp_overlay **layers_head; struct mdp_overlay32 *ov32; struct mdp_overlay __user *ov; struct mdp_overlay32 __user *ov32; struct mdp_overlay_list __user *ovlist; struct mdp_overlay_list __user *ovlist; struct mdp_overlay_list32 __user *ovlist32; struct mdp_overlay_list32 __user *ovlist32; size_t layers_refs_sz, layers_sz, prepare_sz; size_t layers_refs_sz, layers_sz, prepare_sz; Loading
