
staging: binder: Convert get_user calls to copy_from_user

Message ID 1393849319-27269-1-git-send-email-john.stultz@linaro.org
State New

Commit Message

John Stultz March 3, 2014, 12:21 p.m. UTC
With the new binder protocol, the binder_uintptr_t is 64bits
in size on both 64 and 32bit architectures. This caused
problems on 32bits as there aren't get_user implementations
for 64bit size values there.

Thus this patch changes the get_user calls to copy_from_user,
which can handle 64bit sizes on both architectures.

Cc: Serban Constantinescu <serban.constantinescu@arm.com>
Change-Id: If5128f98394e3138433f39a8abf04f9f9ed7c437
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 drivers/staging/android/binder.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

Patch

diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c
index 55195ea..16a2740 100644
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -1809,10 +1809,14 @@  int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
 			binder_uintptr_t cookie;
 			struct binder_node *node;
 
-			if (get_user(node_ptr, (binder_uintptr_t __user *)ptr))
+			if (copy_from_user(&node_ptr,
+					   (binder_uintptr_t __user *)ptr,
+					   sizeof(binder_uintptr_t)))
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
-			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
+			if (copy_from_user(&cookie,
+					   (binder_uintptr_t __user *)ptr,
+					   sizeof(binder_uintptr_t)))
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
 			node = binder_get_node(proc, node_ptr);
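Review bot: Both new copies in this hunk take their length from the type name, `sizeof(binder_uintptr_t)`, rather than from the destination object, so the bound on the write into the kernel stack variable holds only while the declaration and the call stay in sync. Writing `copy_from_user(&node_ptr, ptr, sizeof(node_ptr))` and `copy_from_user(&cookie, ptr, sizeof(cookie))` ties the length to the destination. The `(binder_uintptr_t __user *)` cast looks unnecessary if `ptr` is already a `__user` pointer, since copy_from_user takes a `const void __user *` source. The same applies to the `data_ptr` and `cookie` copies in the later hunks. The enclosing case block starts and ends outside the hunk.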
@@ -1870,7 +1874,9 @@  int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
 			binder_uintptr_t data_ptr;
 			struct binder_buffer *buffer;
 
-			if (get_user(data_ptr, (binder_uintptr_t __user *)ptr))
+			if (copy_from_user(&data_ptr,
+					   (binder_uintptr_t __user *)ptr,
+					   sizeof(binder_uintptr_t)))
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
 
@@ -1964,7 +1970,9 @@  int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
 			if (get_user(target, (uint32_t __user *)ptr))
 				return -EFAULT;
 			ptr += sizeof(uint32_t);
-			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
+			if (copy_from_user(&cookie,
+					   (binder_uintptr_t __user *)ptr,
+					   sizeof(binder_uintptr_t)))
 				return -EFAULT;
 			ptr += sizeof(binder_uintptr_t);
 			ref = binder_get_ref(proc, target);
@@ -2046,7 +2054,9 @@  int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread,
 			struct binder_work *w;
 			binder_uintptr_t cookie;
 			struct binder_ref_death *death = NULL;
-			if (get_user(cookie, (binder_uintptr_t __user *)ptr))
+			if (copy_from_user(&cookie,
+					   (binder_uintptr_t __user *)ptr,
+					   sizeof(binder_uintptr_t)))
 				return -EFAULT;
 
 			ptr += sizeof(void *);
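Review bot: The unchanged context line `ptr += sizeof(void *);` no longer matches the amount read just above it, because the new copy_from_user() consumes `sizeof(binder_uintptr_t)` bytes of the user command buffer. On the 32-bit case the commit message describes (64-bit binder_uintptr_t, 4-byte pointers), ptr would advance by 4 after an 8-byte read. The upper half of the user-supplied cookie would then presumably be parsed as the next command word. The advance should follow the object that was copied, `ptr += sizeof(cookie);`, as the other cases do with `sizeof(binder_uintptr_t)`. The enclosing case block continues outside the hunk.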