msm: ais: Fix arbitrary kernel write (5cf2ebee) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/media/platform/msm/ais/msm_buf_mgr/msm_generic_buf_mgr.c

+12 −11

Original line number	Diff line number	Diff line
		/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -527,7 +527,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
		{
		int32_t rc = 0;
		struct msm_buf_mngr_device *buf_mngr_dev = v4l2_get_subdevdata(sd);
		void __user argp = (void __user )arg;
		void *argp = arg;

		if (!buf_mngr_dev) {
		pr_err("%s buf manager device NULL\n", __func__);
		@@ -550,16 +550,17 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd,
		return -EINVAL;
		if (!k_ioctl.ioctl_ptr)
		return -EINVAL;

		MSM_CAM_GET_IOCTL_ARG_PTR(&tmp, &k_ioctl.ioctl_ptr,
		sizeof(tmp));
		if (copy_from_user(&buf_info, tmp,
		if (!is_compat_task()) {
		MSM_CAM_GET_IOCTL_ARG_PTR(&tmp,
		&k_ioctl.ioctl_ptr, sizeof(tmp));
		if (copy_from_user(&buf_info,
		(void __user *)tmp,
		sizeof(struct msm_buf_mngr_info))) {
		return -EFAULT;
		}
		k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;

		argp = &k_ioctl;
		}
		argp = (void *)&k_ioctl;
		rc = msm_cam_buf_mgr_ops(cmd, argp);
		}
		break;

+1 −1

Original line number	Diff line number	Diff line
		@@ -218,7 +218,7 @@ struct msm_camera_private_ioctl_arg {
		__u32 size;
		__u32 result;
		__u32 reserved;
		__user __u64 ioctl_ptr;
		__u64 ioctl_ptr;
		};

		#define VIDIOC_MSM_CAMERA_PRIVATE_IOCTL_CMD \