MLK-14642 imx: sim: fix segment fault caused by user address access

Kernel space cannot access user space memory directly. In fact, the issue always exited. Since 4.4, the kernel handle the action as page abort. Signed-off-by: Gao Pan <pandy.gao@nxp.com> Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
2017-04-13 14:58:03 +08:00 · 2017-04-13 14:58:03 +08:00 · 3135b8110b
parent 34a04d8706
commit 3135b8110b
1 changed files with 10 additions and 6 deletions
--- a/drivers/mxc/sim/imx_sim.c
+++ b/drivers/mxc/sim/imx_sim.c
@ -1300,6 +1300,9 @@ static long sim_ioctl(struct file *file,
 	u32 delay;
 	u32 copy_cnt, val;
 	unsigned long flags;
+	unsigned char __user *atr_buffer;
+	unsigned char __user *xmt_buffer;
+	unsigned char __user *rcv_buffer;

 	struct sim_t *sim = (struct sim_t *) file->private_data;

@ -1342,8 +1345,8 @@ static long sim_ioctl(struct file *file,
 			break;
 		}

-		ret = copy_to_user(((sim_atr_t *)arg)->atr_buffer, sim->rcv_buffer,
-					sim->rcv_count);
+		__get_user(atr_buffer, &((sim_atr_t __user *)arg)->atr_buffer);
+		ret = copy_to_user(atr_buffer, sim->rcv_buffer, sim->rcv_count);
 		if (ret) {
 			pr_err("ATR ACCESS buffer Error %d %d\n", sim->rcv_count, ret);
 			errval = -SIM_E_ACCESS;
@ -1390,8 +1393,9 @@ static long sim_ioctl(struct file *file,
 			errval = -EINVAL;
 			break;
 		}
-		ret = copy_from_user(sim->xmt_buffer, (((sim_xmt_t *)arg)->xmt_buffer),
-				     sim->xmt_remaining);
+
+		__get_user(xmt_buffer, &((sim_xmt_t *)arg)->xmt_buffer);
+		ret = copy_from_user(sim->xmt_buffer, xmt_buffer, sim->xmt_remaining);

 		if (ret) {
 			pr_err("Copy Error\n");
@ -1527,8 +1531,8 @@ copy_data:
 			break;
 		}

-		ret = copy_to_user(((sim_rcv_t *)arg)->rcv_buffer, &sim->rcv_buffer[sim->rcv_head],
-					copy_cnt);
+		__get_user(rcv_buffer, &((sim_rcv_t *)arg)->rcv_buffer);
+		ret = copy_to_user(rcv_buffer, &sim->rcv_buffer[sim->rcv_head], copy_cnt);
 		if (ret) {
 			pr_err("ATR ACCESS Error\n");
 			errval = -SIM_E_ACCESS;