Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bd02458c authored by Krishna Srinivas Kundurthi's avatar Krishna Srinivas Kundurthi Committed by Krishnankutty Kolathappilly
Browse files

msm: cpp: Fix issue in updating frame info pointer in compact ioctl 



The userspace pointer is directly accessed/de-referenced in kernel
space. This causes device crash during camera stability runs. Copy
the v4l2ioctl and cpp frame info userspace pointer to kernel space
and access/update the individual data.

Change-Id: Ic7829edc8464b91ccd8315e3b96f8c283ac15a32
Signed-off-by: default avatarKrishna Srinivas Kundurthi <krisri@codeaurora.org>
parent dafdc45a

drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c

+6 −3
Original line number Diff line number Diff line
@@ -2317,9 +2317,12 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev, 
	struct msm_camera_v4l2_ioctl_t *ioctl_ptr)

{

	struct msm_cpp_frame_info_t *frame = NULL;

	struct msm_cpp_frame_info_t *u_frame_info =

	  (struct msm_cpp_frame_info_t *)ioctl_ptr->ioctl_ptr;

	struct msm_cpp_frame_info_t k_frame_info;

	int32_t rc = 0;

	if (copy_from_user(&k_frame_info,

			(void __user *)ioctl_ptr->ioctl_ptr,

			sizeof(k_frame_info)))

			return -EFAULT;



	frame = msm_cpp_get_frame(ioctl_ptr);

	if (!frame) {
@@ -2331,7 +2334,7 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev, 


	ioctl_ptr->trans_code = rc;



	if (copy_to_user((void __user *)u_frame_info->status, &rc,

	if (copy_to_user((void __user *)k_frame_info.status, &rc,

		sizeof(int32_t)))

		pr_err("error cannot copy error\n");