From 270bb9351889878dbfc87a6797886cb3caf42430 Mon Sep 17 00:00:00 2001
From: kaiwang
Date: Tue, 27 Jun 2017 19:29:03 +0800
Subject: [PATCH] msm: camera: sensor:validating the flash initialization parameters
Copying the flash initialization parameters from userspace memory to kernel memory and in turn checking for the validity of the flash initialization parameters pointer sent from userspace
CRs-Fixed: 2059812
Bug: 37949660
Change-Id: I957c10959108eb08b263d439a9a449b90338b6db
Signed-off-by: kaiwang
---
 .../msm/camera_v2/sensor/flash/msm_flash.c | 38 +++++++++++++++++-----
 1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
index 4a13ef87898d7..0390e0e60deab 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
@@ -498,22 +498,44 @@ static int32_t msm_flash_init(
 return 0;
 }
 
-#ifdef CONFIG_COMPAT
 static int32_t msm_flash_init_prepare(
 struct msm_flash_ctrl_t *flash_ctrl,
 struct msm_flash_cfg_data_t *flash_data)
 {
+#ifdef CONFIG_COMPAT
+ struct msm_flash_cfg_data_t flash_data_k;
+ struct msm_flash_init_info_t flash_init_info;
+ int32_t i = 0;
+ if(!is_compat_task()) {
+ /*for 64-bit usecase,it need copy the data to local memory*/
+ flash_data_k.cfg_type = flash_data->cfg_type;
+ for (i = 0; i < MAX_LED_TRIGGERS; i++) {
+ flash_data_k.flash_current[i] =
+ flash_data->flash_current[i];
+ flash_data_k.flash_duration[i] =
+ flash_data->flash_duration[i];
+ }
+
+ flash_data_k.cfg.flash_init_info = &flash_init_info;
+ if (copy_from_user(&flash_init_info,
+ (void *)(flash_data->cfg.flash_init_info),
+ sizeof(struct msm_flash_init_info_t))) {
+ pr_err("%s copy_from_user failed %d\n",
+ __func__, __LINE__);
+ return -EFAULT;
+ }
+ return msm_flash_init(flash_ctrl, &flash_data_k);
+ }
+ /*
+ * for 32-bit usecase,it already copy the userspace
+ * data to local memory in msm_flash_subdev_do_ioctl()
+ * so here do not need copy from user
+ */
 return msm_flash_init(flash_ctrl, flash_data);
-}
 #else
-static int32_t msm_flash_init_prepare(
- struct msm_flash_ctrl_t *flash_ctrl,
- struct msm_flash_cfg_data_t *flash_data)
-{
 struct msm_flash_cfg_data_t flash_data_k;
 struct msm_flash_init_info_t flash_init_info;
 int32_t i = 0;
-
 flash_data_k.cfg_type = flash_data->cfg_type;
 for (i = 0; i < MAX_LED_TRIGGERS; i++) {
 flash_data_k.flash_current[i] =
@@ -531,8 +553,8 @@ static int32_t msm_flash_init_prepare(
 return -EFAULT;
 }
 return msm_flash_init(flash_ctrl, &flash_data_k);
-}
 #endif
+}
 
 static int32_t msm_flash_low(
 struct msm_flash_ctrl_t *flash_ctrl,
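Review bot: The new 64-bit branch under `#ifdef CONFIG_COMPAT` repeats the `#else` body line for line (the three locals, the cfg_type/flash_current/flash_duration copy, the copy_from_user of flash_init_info and the final `msm_flash_init(flash_ctrl, &flash_data_k)`), so the user-to-kernel copy now lives in two places and any later fix to one is easy to miss in the other; inverting the test so the compat case returns early and a single shared copy path follows removes the duplicate, and the sketch below shows that shape. The early-return form also fixes the kernel-style nit in `if(!is_compat_task())`, which lacks the space after `if`. In the copy itself, `copy_from_user` takes a `const void __user *`, so the `(void *)` cast discards the address-space annotation that sparse checks; `(void __user *)(flash_data->cfg.flash_init_info)` keeps it (the `#else` branch's own cast is outside this hunk, so I cannot say whether it has the same issue). Only cfg_type, flash_current, flash_duration and cfg.flash_init_info of `flash_data_k` are populated before it reaches msm_flash_init, so if `struct msm_flash_cfg_data_t` has further members that msm_flash_init reads they are uninitialized stack, which `struct msm_flash_cfg_data_t flash_data_k = {0};` would make harmless; the `#else` body of this function continues past the end of the hunk.
```c
{
	struct msm_flash_cfg_data_t flash_data_k = {0};
	struct msm_flash_init_info_t flash_init_info;
	int32_t i = 0;

#ifdef CONFIG_COMPAT
	/*
	 * 32-bit caller: msm_flash_subdev_do_ioctl() has already copied
	 * flash_data into kernel memory, so nothing more needs fetching.
	 */
	if (is_compat_task())
		return msm_flash_init(flash_ctrl, flash_data);
#endif
	/* … unchanged: copy of cfg_type, flash_current[] and flash_duration[], copy_from_user of flash_init_info (with a __user-qualified cast), return msm_flash_init(flash_ctrl, &flash_data_k) … */
```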