msm: kgsl: Use copy_struct_from_user() helper

	cmdlist = u64_to_user_ptr(param->cmdlist);

	/* Create a draw object for KGSL_GPU_AUX_COMMAND_TIMELINE */

	if (kgsl_copy_struct_from_user(&generic, sizeof(generic),

	if (copy_struct_from_user(&generic, sizeof(generic),

		cmdlist, param->cmdsize)) {

		ret = -EFAULT;

		goto err;

/* SPDX-License-Identifier: GPL-2.0-only */

/*

 * Copyright (c) 2002,2007-2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 */

#ifndef __KGSL_DEVICE_H

#define __KGSL_DEVICE_H

	[_IOC_NR((_cmd))] = \

		{ .cmd = (_cmd), .func = (_func) }

/**

 * kgsl_copy_struct_from_user: copy a struct from userspace

 * @dst:   Destination address, in kernel space. This buffer must be @ksize

 *         bytes long.

 * @ksize: Size of @dst struct.

 * @src:   Source address, in userspace.

 * @usize: (Alleged) size of @src struct.

 *

 * Copies a struct from userspace to kernel space, in a way that guarantees

 * backwards-compatibility for struct syscall arguments (as long as future

 * struct extensions are made such that all new fields are *appended* to the

 * old struct, and zeroed-out new fields have the same meaning as the old

 * struct).

 *

 * @ksize is just sizeof(*dst), and @usize should've been passed by userspace.

 * The recommended usage is something like the following:

 *

 *   SYSCALL_DEFINE2(foobar, const struct foo __user *, uarg, size_t, usize)

 *   {

 *      int err;

 *      struct foo karg = {};

 *

 *      if (usize > PAGE_SIZE)

 *        return -E2BIG;

 *      if (usize < FOO_SIZE_VER0)

 *        return -EINVAL;

 *

 *      err = kgsl_copy_struct_from_user(&karg, sizeof(karg), uarg, usize);

 *      if (err)

 *        return err;

 *

 *      // ...

 *   }

 *

 * There are three cases to consider:

 *  * If @usize == @ksize, then it's copied verbatim.

 *  * If @usize < @ksize, then the userspace has passed an old struct to a

 *    newer kernel. The rest of the trailing bytes in @dst (@ksize - @usize)

 *    are to be zero-filled.

 *  * If @usize > @ksize, then the userspace has passed a new struct to an

 *    older kernel. The trailing bytes unknown to the kernel (@usize - @ksize)

 *    are checked to ensure they are zeroed, otherwise -E2BIG is returned.

 *

 * Returns (in all cases, some data may have been copied):

 *  * -E2BIG:  (@usize > @ksize) and there are non-zero trailing bytes in @src.

 *  * -EFAULT: access to userspace failed.

 */

static __always_inline __must_check int

kgsl_copy_struct_from_user(void *dst, size_t ksize, const void __user *src,

		      size_t usize)

{

	size_t size = min(ksize, usize);

	size_t rest = max(ksize, usize) - size;

	/* Deal with trailing bytes. */

	if (usize < ksize) {

		memset(dst + size, 0, rest);

	} else if (usize > ksize) {

		if (memchr_inv(src + size, 0, rest))

			return -E2BIG;

	}

	/* Copy the interoperable parts of the struct. */

	if (copy_from_user(dst, src, size))

		return -EFAULT;

	return 0;

}

/*

 * KGSL device state is initialized to INIT when platform_probe		*

 * successfully initialized the device.  Once a device has been opened	*

// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 */

/*

	for (i = 0; i < count; i++, uptr += usize) {

		struct kgsl_timeline_val val;

		if (kgsl_copy_struct_from_user(&val, sizeof(val), uptr, usize))

		if (copy_struct_from_user(&val, sizeof(val), uptr, usize))

			continue;

		priv[i].timeline = val.timeline;

	unsigned int id;

	int ret;

	if (kgsl_copy_struct_from_user(&sync, sizeof(sync), uptr, usize))

	if (copy_struct_from_user(&sync, sizeof(sync), uptr, usize))

		return -EFAULT;

	fence = kgsl_timelines_to_fence_array(device, sync.timelines,

	struct event_fence_info *priv;

	unsigned int id, i;

	if (kgsl_copy_struct_from_user(&sync, sizeof(sync), data, datasize))

	if (copy_struct_from_user(&sync, sizeof(sync), data, datasize))

		return -EFAULT;

	kref_get(&drawobj->refcount);

{

	struct kgsl_cmd_syncpoint_timestamp timestamp;

	if (kgsl_copy_struct_from_user(&timestamp, sizeof(timestamp),

	if (copy_struct_from_user(&timestamp, sizeof(timestamp),

			data, datasize))

		return -EFAULT;

	struct kgsl_gpu_aux_command_timeline cmd;

	int i, ret;

	if (kgsl_copy_struct_from_user(&cmd, sizeof(cmd), src, cmdsize))

	if (copy_struct_from_user(&cmd, sizeof(cmd), src, cmdsize))

		return -EFAULT;

	if (!cmd.count)

	for (i = 0; i < cmd.count; i++) {

		struct kgsl_timeline_val val;

		if (kgsl_copy_struct_from_user(&val, sizeof(val), src,

		if (copy_struct_from_user(&val, sizeof(val), src,

			cmd.timelines_size)) {

			ret = -EFAULT;

			goto err;

// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2021, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 */

#include <linux/dma-fence.h>

		struct kgsl_timeline_val val;

		struct kgsl_timeline *timeline;

		if (kgsl_copy_struct_from_user(&val, sizeof(val),

		if (copy_struct_from_user(&val, sizeof(val),

				uptr, usize)) {

			ret = -EFAULT;

			goto err;

		struct kgsl_timeline *timeline;

		struct kgsl_timeline_val val;

		if (kgsl_copy_struct_from_user(&val, sizeof(val),

		if (copy_struct_from_user(&val, sizeof(val),

			u64_to_user_ptr(timelines), param->timelines_size))

			return -EFAULT;