
Commit 2dbd4bfc authored by Se Wang (Patrick) Oh, committed by Rajakumar Govindaram

msm: camera: cpp: Fix unprotected userspace access

After enabling KASan, unprotected userspace access causes
a PTE translation fault as it can cover only the kernel memory
region. Following is the crash error for reference.

pgd = ffffffc0b59e2000
[dfffff901ddc058c] *pgd=0000000000000000, *pud=0000000000000000
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 4795 Comm: MCT_SERV_THREAD Tainted:
Gwq        W      3.18.0-g5a4a5d5-07255-g8e80921-dirty #22
Hardware name: Qualcomm Technologies, Inc. MSM 8996 v2 + PMI8994 MTP (DT)
task: ffffffc039404380 ti: ffffffc037890000 task.ti: ffffffc037890000
PC is at msm_cpp_subdev_fops_compat_ioctl+0x1e88/0x33f0
LR is at msm_cpp_subdev_fops_compat_ioctl+0x1cc/0x33f0
pc : [<ffffffc001034278>] lr : [<ffffffc0010325bc>] pstate: 60000145
sp : ffffffc0378975d0
x29: ffffffc0378975d0 x28: 00000000c01056c6
x27: ffffffc05cceb4b0 x26: ffffffc037896c70
x25: ffffffc037897670 x24: ffffffc037897470
x23: 000000000000000c x22: ffffffc037897790
x21: ffffffc05cceb3c0 x20: ffffffc05cceb3c8
x19: 00000000eee02c64 x18: 0000000000000000
x17: 0000000000000000 x16: ffffffc000385a88
x15: 0000000000000000 x14: 00000000f771d7c9
x13: 00000000eee02c28 x12: 00000000f4d175d0
x11: 000000000000000a x10: ffffff8806f12f3a
x9 : 1ffffff806f12f3a x8 : dfffff9000000000
x7 : 0000000000000036 x6 : ffffffc0378979d4
x5 : 00000000f4040000 x4 : 00000000eee02c80
x3 : eee02c640e2cccd0 x2 : ffffffffffffffff
x1 : 000000001ddc058c x0 : dfffff9000000000

Process MCT_SERV_THREAD (pid: 4795, stack limit = 0xffffffc037890058)
Call trace:
[<ffffffc001034278>] msm_cpp_subdev_fops_compat_ioctl+0x1e88/0x33f0
[<ffffffc000f164b4>] v4l2_compat_ioctl32+0x110/0x130
[<ffffffc000385d10>] compat_SyS_ioctl+0x288/0x2048
Code: 14000368 d2dff200 d343fe61 f2fbffe0 (38e06821)

Change-Id: Iab3d457a0a722241d9ebee8b96ba8fb862e20d13
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
Signed-off-by: Rajakumar Govindaram <rajakuma@codeaurora.org>
parent cdecac51
+7 −4
@@ -3331,13 +3331,16 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
	case VIDIOC_MSM_CPP_ENQUEUE_STREAM_BUFF_INFO32:
	case VIDIOC_MSM_CPP_DELETE_STREAM_BUFF32:
	{
		compat_uptr_t p;
		struct msm_cpp_stream_buff_info32_t *u32_cpp_buff_info =
		  (struct msm_cpp_stream_buff_info32_t *)kp_ioctl.ioctl_ptr;

		k_cpp_buff_info.identity = u32_cpp_buff_info->identity;
		k_cpp_buff_info.num_buffs = u32_cpp_buff_info->num_buffs;
		k_cpp_buff_info.buffer_info =
			compat_ptr(u32_cpp_buff_info->buffer_info);
		get_user(k_cpp_buff_info.identity,
			&u32_cpp_buff_info->identity);
		get_user(k_cpp_buff_info.num_buffs,
			&u32_cpp_buff_info->num_buffs);
		get_user(p, &u32_cpp_buff_info->buffer_info);
		k_cpp_buff_info.buffer_info = compat_ptr(p);

		kp_ioctl.ioctl_ptr = (void *)&k_cpp_buff_info;
		if (is_compat_task()) {
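Review bot: the three get_user() calls added in this hunk, from `get_user(k_cpp_buff_info.identity, &u32_cpp_buff_info->identity);` through `get_user(p, &u32_cpp_buff_info->buffer_info);`, discard their return values, so a fault on the user pointer is silently ignored and the handler continues into `kp_ioctl.ioctl_ptr = (void *)&k_cpp_buff_info;` with whatever those fields then hold. Each result should be checked and the ioctl should fail with -EFAULT, e.g. `if (get_user(k_cpp_buff_info.identity, &u32_cpp_buff_info->identity)) return -EFAULT;` (or a jump to this function's existing error path, whichever the surrounding cases use). Since `u32_cpp_buff_info` now clearly names user memory, declaring it as `struct msm_cpp_stream_buff_info32_t __user *` would also let sparse flag the next direct dereference of the kind this change removes.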