From e7369163162e7773bc887f7a264d6aa46cfcc665 Mon Sep 17 00:00:00 2001
From: Patrick Daly
Date: Thu, 28 May 2015 18:05:54 -0700
Subject: ASoC: msm: qdsp6v2: DAP: Fix unprotected userspace access

Use get_user() & friends to access userspace addresses.

Change-Id: I9741a60e53f6253da27913175e9b8c4abbf50db9
Signed-off-by: Patrick Daly
Signed-off-by: Pradnya Chaphekar
---
 sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
index 67a9400..7761b9c 100644
--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
@@ -1354,11 +1354,13 @@ end:
 static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
 {
 int ret = 0, port_id = 0;
+ int32_t data;
 struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
+ get_user(data, &dolby_data->data[0]);
 pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
 __func__, dolby_data->param_id, dolby_data->be_id,
- dolby_data->device_id, dolby_data->length, dolby_data->data[0]);
+ dolby_data->device_id, dolby_data->length, data);
 switch (dolby_data->param_id) {
 case DAP_CMD_COMMIT_ALL:
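Review bot: The return value of `get_user(data, &dolby_data->data[0]);` in msm_ds2_dap_handle_commands is discarded, so a faulting or unmapped user pointer is silently ignored and the command proceeds with whatever is left in `data`; the `get_user(data, &dolby_data->data[j]);` added inside the loop of msm_ds2_dap_set_param has the same problem and there stores that value into params_val. Both calls should propagate the failure, for example `if (get_user(data, &dolby_data->data[0])) return -EFAULT;`, or go through the function's existing error path. Because the read here happens unconditionally before the switch, commands that carry no payload (presumably DAP_CMD_COMMIT_ALL) would start failing once the check is added, so it may be cleaner to fetch only in the cases that use the value. `data` is also declared without an initializer here while msm_ds2_dap_set_param uses `int32_t data = 0;`; initializing both keeps them consistent. The function body continues outside the hunk.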
@@ -1370,18 +1372,18 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
 break;
 case DAP_CMD_USE_CACHE_FOR_INIT:
- ds2_dap_params_states.use_cache = dolby_data->data[0];
+ ds2_dap_params_states.use_cache = data;
 break;
 case DAP_CMD_SET_BYPASS:
 pr_debug("%s: bypass %d bypass type %d, data %d\n", __func__, ds2_dap_params_states.dap_bypass,
 ds2_dap_params_states.dap_bypass_type,
- dolby_data->data[0]);
+ data);
 /* Do not perform bypass operation if bypass state is same*/
- if (ds2_dap_params_states.dap_bypass == dolby_data->data[0])
+ if (ds2_dap_params_states.dap_bypass == data)
 break;
- ds2_dap_params_states.dap_bypass = dolby_data->data[0];
+ ds2_dap_params_states.dap_bypass = data;
 /* hard bypass */
 if (ds2_dap_params_states.dap_bypass_type == DAP_HARD_BYPASS)
 msm_ds2_dap_handle_bypass(dolby_data);
@@ -1390,7 +1392,7 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
 break;
 case DAP_CMD_SET_BYPASS_TYPE:
- if (dolby_data->data[0] == true)
+ if (data == true)
 ds2_dap_params_states.dap_bypass_type =
 DAP_HARD_BYPASS;
 else
@@ -1429,6 +1431,7 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
 {
 int rc = 0, idx, i, j, off, port_id = 0, cdev = 0;
 int32_t num_device = 0;
+ int32_t data = 0;
 int32_t dev_arr[DS2_DSP_SUPPORTED_ENDP_DEVICE] = {0};
 struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
@@ -1472,10 +1475,10 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
 ds2_dap_params[cdev].dap_params_modified[idx] += 1;
 for (j = 0; j < dolby_data->length; j++) {
 off = ds2_dap_params_offset[idx];
- ds2_dap_params[cdev].params_val[off + j] =
- dolby_data->data[j];
+ get_user(data, &dolby_data->data[j]);
+ ds2_dap_params[cdev].params_val[off + j] = data;
 pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
- __func__, off, dolby_data->data[j],
+ __func__, off, data,
 ds2_dap_params[cdev].
 params_val[off + j]);
 }
-- 
cgit v1.1
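Review bot: `msm_ds2_dap_handle_bypass(dolby_data);` in the DAP_CMD_SET_BYPASS case still receives the whole structure, and its body is not part of this hunk. If that helper reads `dolby_data->data[...]` directly, the unprotected userspace access this commit removes is still reachable through the hard-bypass path. That is worth confirming, and if it does, the helper should take the value already fetched into `data`. A `__user` annotation on the `data` member (its declaration is outside this patch) would let sparse flag any remaining direct dereference.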
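Review bot: Nothing in this hunk range-checks the loop bound `dolby_data->length` or the destination index in `ds2_dap_params[cdev].params_val[off + j] = data;`, and `length` appears to come from the caller. Unless an earlier check in msm_ds2_dap_set_param (outside the hunk) limits `length` to the size of the parameter selected by `idx`, the loop can write past params_val. A guard before the loop such as `if (dolby_data->length > MAX_LEN_FOR_IDX) return -EINVAL;` would close this, where MAX_LEN_FOR_IDX is a placeholder for the driver's per-parameter length. Separately, `off = ds2_dap_params_offset[idx];` does not depend on `j` and could be hoisted above the loop.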