From 8d0b17fdbea77753ce4388e4b7538f1c32b2b730 Mon Sep 17 00:00:00 2001
From: "Sravan Kumar D.V.N" <sravank1@codeaurora.org>
Date: Fri, 23 Jun 2017 20:15:13 +0530
Subject: [PATCH] msm: mdss: Avoid direct dereference user input in pp cache
 config

Eliminate direct dereferencing of user input pointer in pp cache
config functions.

Change-Id: Ia07a0ecc3b4839635cbd9c2f635c1f713783683c
CRs-Fixed: 2057285
Signed-off-by: Sravan Kumar D.V.N <sravank1@codeaurora.org>
---
 .../fbdev/msm/mdss_mdp_pp_cache_config.c      | 34 ++++++++++++++-----
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/drivers/video/fbdev/msm/mdss_mdp_pp_cache_config.c b/drivers/video/fbdev/msm/mdss_mdp_pp_cache_config.c
index 017a2f10dfbc..a5ec7097e0f6 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_pp_cache_config.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_pp_cache_config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -194,8 +194,12 @@ static int pp_hist_lut_cache_params_pipe_v1_7(struct mdp_hist_lut_data *config,
 		return -EINVAL;
 	}
 
-	memcpy(&hist_lut_usr_config, config->cfg_payload,
-		sizeof(struct mdp_hist_lut_data_v1_7));
+	if (copy_from_user(&hist_lut_usr_config,
+				(void __user *) config->cfg_payload,
+				sizeof(hist_lut_usr_config))) {
+		pr_err("failed to copy hist lut config\n");
+		return -EFAULT;
+	}
 
 	hist_lut_cache_data = pipe->pp_res.hist_lut_cfg_payload;
 	if (!hist_lut_cache_data) {
@@ -606,8 +610,12 @@ static int pp_pcc_cache_params_pipe_v1_7(struct mdp_pcc_cfg_data *config,
 		return -EINVAL;
 	}
 
-	memcpy(&v17_usr_config, config->cfg_payload,
-			sizeof(v17_usr_config));
+	if (copy_from_user(&v17_usr_config,
+				(void __user *) config->cfg_payload,
+				sizeof(v17_usr_config))) {
+		pr_err("failed to copy pcc config\n");
+		return -EFAULT;
+	}
 
 	if (!(config->ops & MDP_PP_OPS_WRITE)) {
 		pr_debug("write ops not set value of flag is %d\n",
@@ -861,8 +869,12 @@ static int pp_igc_lut_cache_params_pipe_v1_7(struct mdp_igc_lut_data *config,
 		goto igc_config_exit;
 	}
 
-	memcpy(&v17_usr_config, config->cfg_payload,
-			sizeof(v17_usr_config));
+	if (copy_from_user(&v17_usr_config,
+				(void __user *) config->cfg_payload,
+				sizeof(v17_usr_config))) {
+		pr_err("failed to copy igc usr config\n");
+		return -EFAULT;
+	}
 
 	if (!(config->ops & MDP_PP_OPS_WRITE)) {
 		pr_debug("op for gamut %d\n", config->ops);
@@ -1272,8 +1284,12 @@ static int pp_pa_cache_params_pipe_v1_7(struct mdp_pa_v2_cfg_data *config,
 		return -EINVAL;
 	}
 
-	memcpy(&pa_usr_config, config->cfg_payload,
-			sizeof(struct mdp_pa_data_v1_7));
+	if (copy_from_user(&pa_usr_config,
+				(void __user *) config->cfg_payload,
+				sizeof(pa_usr_config))) {
+		pr_err("failed to copy pa usr config\n");
+		return -EFAULT;
+	}
 
 	pa_cache_data = pipe->pp_res.pa_cfg_payload;
 	if (!pa_cache_data) {