
Commit cf88cac6 authored by Peter Liu

msm: camera: cpp: fix copy from user pointer on dequeue buf



Fix the copy from user in DEQUEUE_STREAM_BUFF usecase.
The KASAN report call stack is:
<0>[ 3205.219529] Call trace:
<6>[ 3205.221938] [<ffffffc000089e44>] dump_backtrace+0x0/0x19c
<6>[ 3205.221959] [<ffffffc000089ff0>] show_stack+0x10/0x1c
<6>[ 3205.221979] [<ffffffc001068c34>] dump_stack+0xa0/0xf8
<6>[ 3205.222001] [<ffffffc000200e94>] kasan_report_user_access+0x80/0xa8
<6>[ 3205.222018] [<ffffffc0002000b8>] __asan_loadN+0x30/0x164
<6>[ 3205.222035] [<ffffffc000200620>] memcpy+0x24/0x54
<6>[ 3205.222059] [<ffffffc000a033e0>] msm_cpp_copy_from_ioctl_ptr
<6>[ 3205.222075] [<ffffffc000a0ba6c>] msm_cpp_subdev_ioctl+0xf64/0x1368
<6>[ 3205.222094] [<ffffffc000a081d0>] msm_cpp_subdev_fops_compat_ioctl
<6>[ 3205.222116] [<ffffffc00096d090>] v4l2_compat_ioctl32+0xb8/0xe0
<6>[ 3205.222136] [<ffffffc00026e634>] compat_SyS_ioctl+0x1ac/0x160c

DEQUEUE_STREAM_BUFF is one of the use cases that will lead to such a
call stack and did not have a proper copy from user pointer.

Change-Id: I867ce6384db4694f2fd000d936b6bbee9d53b462
Signed-off-by: Peter Liu <pingchie@codeaurora.org>
parent 8b477bbf
+8 −1
@@ -3488,9 +3488,16 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
			cmd = VIDIOC_MSM_CPP_APPEND_STREAM_BUFF_INFO;
		break;
	}
	case VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO32:
	case VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO32: {
		uint32_t identity_k = 0;
		uint32_t *identity_u = (uint32_t *)kp_ioctl.ioctl_ptr;

		get_user(identity_k, identity_u);
		kp_ioctl.ioctl_ptr = (void *)&identity_k;
		kp_ioctl.len = sizeof(uint32_t);
		cmd = VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO;
		break;
	}
	case VIDIOC_MSM_CPP_GET_EVENTPAYLOAD32:
	{
		struct msm_device_queue *queue = &cpp_dev->eventData_q;
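Review bot: the return value of `get_user(identity_k, identity_u);` in the new VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO32 case is discarded, so a bad or unmapped user pointer leaves identity_k at its initial 0 and the ioctl proceeds with identity 0 as if user space had supplied it, instead of failing; check the result and return -EFAULT, e.g. `if (get_user(identity_k, identity_u)) return -EFAULT;` (or route through the function's existing error path so any cleanup still runs). Note also that after this block kp_ioctl.ioctl_ptr points at a kernel stack variable while kp_ioctl.len is set to sizeof(uint32_t); the downstream msm_cpp_copy_from_ioctl_ptr path seen in the KASAN trace must therefore treat this pointer as kernel memory rather than a user pointer, and the hunk does not show how that distinction is made, so a comment stating that this is the compat-path convention would help the next reader.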