From 5bc4ce2d456c59b742f2f8f741ecac51465aaf79 Mon Sep 17 00:00:00 2001
From: Brahmaji K <bkomma@codeaurora.org>
Date: Thu, 1 Jun 2017 17:20:10 +0530
Subject: [PATCH] qseecom: Fix accessing userspace memory in kernel space

Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.

Bug: 65468973
Change-Id: I7bdd702225ed179af841db9a67cc7b93eadf9dcc
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
---
 drivers/misc/qseecom.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 5afbcb1800c2..cb6365f7f4d5 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -4680,11 +4680,21 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,
 	int ret = 0;
 	uint32_t reqd_len_sb_in = 0;
 	struct sglist_info *table = data->sglistinfo_ptr;
+	void *req_ptr = NULL;
+	void *resp_ptr = NULL;
 
 	ret  = __qseecom_qteec_validate_msg(data, req);
 	if (ret)
 		return ret;
 
+	req_ptr = req->req_ptr;
+	resp_ptr = req->resp_ptr;
+
+	req->req_ptr = (void *)__qseecom_uvirt_to_kvirt(data,
+						(uintptr_t)req->req_ptr);
+	req->resp_ptr = (void *)__qseecom_uvirt_to_kvirt(data,
+						(uintptr_t)req->resp_ptr);
+
 	if ((cmd_id == QSEOS_TEE_OPEN_SESSION) ||
 			(cmd_id == QSEOS_TEE_REQUEST_CANCELLATION)) {
 		ret = __qseecom_update_qteec_req_buf(
@@ -4700,10 +4710,10 @@ static int __qseecom_qteec_issue_cmd(struct qseecom_dev_handle *data,
 		ireq.qsee_cmd_id = cmd_id;
 	ireq.app_id = data->client.app_id;
 	ireq.req_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,
-						(uintptr_t)req->req_ptr);
+						(uintptr_t)req_ptr);
 	ireq.req_len = req->req_len;
 	ireq.resp_ptr = (uint32_t)__qseecom_uvirt_to_kphys(data,
-						(uintptr_t)req->resp_ptr);
+						(uintptr_t)resp_ptr);
 	ireq.resp_len = req->resp_len;
 	ireq.sglistinfo_ptr = (uint32_t)virt_to_phys(table);
 	ireq.sglistinfo_len = SGLISTINFO_TABLE_SIZE;
-- 
GitLab