6 files changed, 69 insertions, 30 deletions

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index a2f4501c2..f61d1d7ba 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1939,6 +1939,9 @@ int uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
 	if (!found)
 		return -ENOENT;
 
+	if (ctrl->info.size < mapping->size)
+		return -EINVAL;
+
 	if (mutex_lock_interruptible(&chain->ctrl_mutex))
 		return -ERESTARTSYS;
 
diff --git a/drivers/misc/mediatek/cmdq/cmdq_driver.c b/drivers/misc/mediatek/cmdq/cmdq_driver.c
index 4a9d2899f..cff3aa99d 100644
--- a/drivers/misc/mediatek/cmdq/cmdq_driver.c
+++ b/drivers/misc/mediatek/cmdq/cmdq_driver.c
@@ -513,6 +513,11 @@ static long cmdq_ioctl(struct file *pFile, unsigned int code, unsigned long para
 			return -EFAULT;
 		}
 
+		if (job.command.regRequest.count > CMDQ_MAX_DUMP_REG_COUNT ||
+			!job.command.blockSize ||
+			job.command.blockSize > CMDQ_MAX_COMMAND_SIZE)
+			return -EINVAL;
+
 		/* not support secure path for async ioctl yet */
 		if (true == job.command.secData.isSecure) {
 			CMDQ_ERR("not support secure path for CMDQ_IOCTL_ASYNC_JOB_EXEC\n");
diff --git a/drivers/misc/mediatek/freqhopping/mt_freqhopping_drv.c b/drivers/misc/mediatek/freqhopping/mt_freqhopping_drv.c
index 672747f44..bc335a0e9 100644
--- a/drivers/misc/mediatek/freqhopping/mt_freqhopping_drv.c
+++ b/drivers/misc/mediatek/freqhopping/mt_freqhopping_drv.c
@@ -302,6 +302,10 @@ static ssize_t freqhopping_userdefine_proc_write(struct file *file, const char *
 	fh_ctl.ssc_setting.dds 		= p7;
 	fh_ctl.ssc_setting.freq		= 0;
 
+	/* Check validity of PLL ID */
+	if (fh_ctl.pll_id >= FH_PLL_COUNT)
+		return -1;
+
 
 	if( p1 == FH_CMD_ENABLE){
 		ret = mt_fh_enable_usrdef(&fh_ctl);
@@ -428,6 +432,9 @@ static ssize_t freqhopping_status_proc_write(struct file *file, const char *buff
 	fh_ctl.ssc_setting.upbnd= 0;
 	fh_ctl.ssc_setting.lowbnd= 0;
 
+	/* Check validity of PLL ID */
+	if (fh_ctl.pll_id >= FH_PLL_COUNT)
+		return -1;
 	if( p1 == 0){
 		mt_freqhopping_ioctl(NULL,FH_CMD_DISABLE,(unsigned long)(&fh_ctl));
 	}
@@ -529,7 +536,9 @@ static ssize_t freqhopping_debug_proc_write(struct file *file, const char *buffe
 	fh_ctl.ssc_setting.lowbnd	= p7;
 	fh_ctl.ssc_setting.freq		= 0;
 
-
+	/* Check validity of PLL ID */
+	if (fh_ctl.pll_id >= FH_PLL_COUNT)
+		return -1;
 	if (cmd < FH_CMD_INTERNAL_MAX_CMD) {
 		mt_freqhopping_ioctl(NULL,cmd,(unsigned long)(&fh_ctl));
 	}
diff --git a/drivers/misc/mediatek/i2c/mt6735/i2c_common.c b/drivers/misc/mediatek/i2c/mt6735/i2c_common.c
index 11d97ceb4..050fb32e3 100644
--- a/drivers/misc/mediatek/i2c/mt6735/i2c_common.c
+++ b/drivers/misc/mediatek/i2c/mt6735/i2c_common.c
@@ -44,11 +44,11 @@ int string2hex(const char * buffer, int cnt){
   return c;
 }
 
-char * get_hexbuffer(char *data_buffer, char *hex_buffer)
+char * get_hexbuffer(char *data_buffer, char *hex_buffer, int str_len)
 {
   char * ptr = data_buffer;
   int index = 0;
-  while (*ptr && *++ptr) {
+  while (*ptr && *++ptr && str_len--) {
     *(hex_buffer + index++) = string2hex(ptr-1, 2);
     ptr++;
   }
@@ -213,6 +213,7 @@ static ssize_t set_config(struct device *dev, struct device_attribute *attr, con
   int trans_auxlen;
   int dir=0;
 
+  int data_len;
   int number = 0;
   int length = 0;
   unsigned int ext_flag = 0;
@@ -224,9 +225,10 @@ static ssize_t set_config(struct device *dev, struct device_attribute *attr, con
   unsigned char tmpbuffer[128];
   printk("%s\n", buf);
   //if ( sscanf(buf, "%d %d %d %d %d %d %d %d %d %d %d %d %s", &bus_id, &address, &operation, &trans_mode, &trans_stop, &speed_mode, &pushpull_mode, &query_mode, &timing, &trans_num, &trans_auxlen,&dir, data_buffer) ) {
-  if ( sscanf(buf, "%d %x %d %d %d %d %d %d %d %d %d %s", &bus_id, &address, &operation, &trans_mode, &trans_stop, &speed_mode, &pushpull_mode, &query_mode, &timing, &trans_num, &trans_auxlen,data_buffer) ) {
+  if ( sscanf(buf, "%d %x %d %d %d %d %d %d %d %d %d %d %1023s", &bus_id, &address, &operation, &trans_mode, &trans_stop, &speed_mode, &pushpull_mode, &query_mode, &timing, &trans_num, &trans_auxlen, &data_len, data_buffer) ) {
       if((address != 0)&&(operation<=2)){
-        length = strlen(data_buffer);
+        /* data_len is transfer bytes, offset address + write data */
+        length = 2 * data_len;
       if (operation == 0){
         ext_flag |= I2C_WR_FLAG;
         number = (trans_auxlen << 8) | (length >> 1); ///TODO:need to confitm 8 Or 16
@@ -297,14 +299,14 @@ static ssize_t set_config(struct device *dev, struct device_attribute *attr, con
 
       if (trans_mode == 1) {/*DMA MODE*/
 	  	/*need GFP_DMA32 flag to confirm DMA alloc PA is 32bit range*/
-        vir_addr = dma_alloc_coherent(dev, length >> 1,  &dma_addr, GFP_KERNEL|GFP_DMA32);
+        vir_addr = dma_alloc_coherent(dev, (length >> 1) + 1,  &dma_addr, GFP_KERNEL|GFP_DMA32);
         if ( vir_addr == NULL ){
 
           printk("alloc dma memory failed\n");
           goto err;
         }
       } else {
-        vir_addr = kzalloc(length >> 1, GFP_KERNEL);
+        vir_addr = kzalloc((length >> 1) + 1, GFP_KERNEL);
         if ( vir_addr == NULL){
 
           printk("alloc virtual memory failed\n");
@@ -312,7 +314,7 @@ static ssize_t set_config(struct device *dev, struct device_attribute *attr, con
         }
       }
 
-      get_hexbuffer(data_buffer, vir_addr);
+      get_hexbuffer(data_buffer, vir_addr, length);
       printk(KERN_ALERT"bus_id:%d,address:%x,count:%x,ext_flag:0x%x,timing:%d\n", bus_id,address,number,ext_flag,timing);
       printk(KERN_ALERT"data_buffer:%s\n", data_buffer);
 
@@ -416,7 +418,7 @@ static DEVICE_ATTR(ut, 660, show_config, set_config);
 static int i2c_common_probe(struct platform_device *pdev)
 {
   int ret = 0;
-  //your code here£¬your should save client in your own way
+  //your code here should save client in your own way
   printk(KERN_ALERT"i2c_common device probe\n");
   ret = device_create_file(&pdev->dev, &dev_attr_ut);
   return ret;
@@ -469,4 +471,3 @@ module_exit( xxx_exit);
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("MediaTek I2C Bus Driver Test Driver");
 MODULE_AUTHOR("Ranran Lu");
-
diff --git a/drivers/misc/mediatek/m4u/2.0/m4u.c b/drivers/misc/mediatek/m4u/2.0/m4u.c
index a3d7b91f7..3f3ca8193 100644
--- a/drivers/misc/mediatek/m4u/2.0/m4u.c
+++ b/drivers/misc/mediatek/m4u/2.0/m4u.c
@@ -1985,6 +1985,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 	switch (cmd) {
 	case MTK_M4U_T_POWER_ON:
 		ret = copy_from_user(&ModuleID, (void *)arg, sizeof(unsigned int));
+		if (ModuleID < 0 || ModuleID >= M4U_PORT_UNKNOWN) {
+			M4UMSG("from user port id is invald,%d\n", ModuleID);
+			return -EFAULT;
+		}
 		if (ret) {
 			M4UMSG("MTK_M4U_T_POWER_ON,copy_from_user failed,%d\n", ret);
 			return -EFAULT;
@@ -1994,6 +1998,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 
 	case MTK_M4U_T_POWER_OFF:
 		ret = copy_from_user(&ModuleID, (void *)arg, sizeof(unsigned int));
+		if (ModuleID < 0 || ModuleID >= M4U_PORT_UNKNOWN) {
+			M4UMSG("from user port id is invald,%d\n", ModuleID);
+			return -EFAULT;
+		}
 		if (ret) {
 			M4UMSG("MTK_M4U_T_POWER_OFF,copy_from_user failed,%d\n", ret);
 			return -EFAULT;
@@ -2003,6 +2011,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 
 	case MTK_M4U_T_ALLOC_MVA:
 		ret = copy_from_user(&m4u_module, (void *)arg, sizeof(M4U_MOUDLE_STRUCT));
+		if (m4u_module.port < 0 || m4u_module.port >= M4U_PORT_UNKNOWN) {
+			M4UMSG("from user port id is invald,%d\n", m4u_module.port);
+			return -EFAULT;
+		}
 		if (ret) {
 			M4UMSG("MTK_M4U_T_ALLOC_MVA,copy_from_user failed:%d\n", ret);
 			return -EFAULT;
@@ -2030,6 +2042,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 				M4UMSG("MTK_M4U_T_DEALLOC_MVA,copy_from_user failed:%d\n", ret);
 				return -EFAULT;
 			}
+			if (m4u_module.port < 0 || m4u_module.port >= M4U_PORT_UNKNOWN) {
+				M4UMSG("from user port id is invald,%d\n", m4u_module.port);
+				return -EFAULT;
+			}
 
 			ret = m4u_dealloc_mva(client, m4u_module.port, m4u_module.MVAStart);
 			if (ret)
@@ -2039,6 +2055,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 
 	case MTK_M4U_T_DUMP_INFO:
 		ret = copy_from_user(&ModuleID, (void *)arg, sizeof(unsigned int));
+		if (ModuleID < 0 || ModuleID >= M4U_PORT_UNKNOWN) {
+			M4UMSG("from user port id is invald,%d\n", ModuleID);
+			return -EFAULT;
+		}
 		if (ret) {
 			M4UMSG("MTK_M4U_Invalid_TLB_Range,copy_from_user failed,%d\n", ret);
 			return -EFAULT;
@@ -2073,6 +2093,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 
 	case MTK_M4U_T_CONFIG_PORT:
 		ret = copy_from_user(&m4u_port, (void *)arg, sizeof(M4U_PORT_STRUCT));
+		if (m4u_port.ePortID < 0 || m4u_port.ePortID >= M4U_PORT_UNKNOWN) {
+			M4UMSG("from user port id is invald,%d\n", m4u_port.ePortID);
+			return -EFAULT;
+		}
 		if (ret) {
 			M4UMSG("MTK_M4U_T_CONFIG_PORT,copy_from_user failed:%d\n", ret);
 			return -EFAULT;
@@ -2085,25 +2109,6 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 		mutex_unlock(&gM4u_sec_init);
 #endif
 		break;
-#if 0
-	case MTK_M4U_T_MONITOR_START:
-		ret = copy_from_user(&PortID, (void *)arg, sizeof(unsigned int));
-		if (ret) {
-			M4UMSG("MTK_M4U_T_MONITOR_START,copy_from_user failed,%d\n", ret);
-			return -EFAULT;
-		}
-		ret = m4u_monitor_start(m4u_port_2_m4u_id(PortID));
-
-		break;
-	case MTK_M4U_T_MONITOR_STOP:
-		ret = copy_from_user(&PortID, (void *)arg, sizeof(unsigned int));
-		if (ret) {
-			M4UMSG("MTK_M4U_T_MONITOR_STOP,copy_from_user failed,%d\n", ret);
-			return -EFAULT;
-		}
-		ret = m4u_monitor_stop(m4u_port_2_m4u_id(PortID));
-		break;
-#endif
 	case MTK_M4U_T_CACHE_FLUSH_ALL:
 		m4u_dma_cache_flush_all();
 		break;
@@ -2131,6 +2136,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 			M4U_MAU_STRUCT rMAU;
 
 			ret = copy_from_user(&rMAU, (void *)arg, sizeof(M4U_MAU_STRUCT));
+			if (rMAU.port < 0 || rMAU.port >= M4U_PORT_UNKNOWN) {
+				M4UMSG("from user port id is invald,%d\n", rMAU.port);
+				return -EFAULT;
+			}
 			if (ret) {
 				M4UMSG("MTK_M4U_T_CONFIG_MAU,copy_from_user failed:%d\n", ret);
 				return -EFAULT;
@@ -2144,6 +2153,10 @@ static long MTK_M4U_ioctl(struct file *filp, unsigned int cmd, unsigned long arg
 			M4U_TF_STRUCT rM4UTF;
 
 			ret = copy_from_user(&rM4UTF, (void *)arg, sizeof(M4U_TF_STRUCT));
+			if (rM4UTF.port < 0 || rM4UTF.port >= M4U_PORT_UNKNOWN) {
+				M4UMSG("from user port id is invald,%d\n", rM4UTF.port);
+				return -EFAULT;
+			}
 			if (ret) {
 				M4UMSG("MTK_M4U_T_CONFIG_TF,copy_from_user failed:%d\n", ret);
 				return -EFAULT;
diff --git a/drivers/misc/mediatek/videocodec/mt6735/videocodec_kernel_driver_D3.c b/drivers/misc/mediatek/videocodec/mt6735/videocodec_kernel_driver_D3.c
index 2bc7b0514..7f19f3016 100644
--- a/drivers/misc/mediatek/videocodec/mt6735/videocodec_kernel_driver_D3.c
+++ b/drivers/misc/mediatek/videocodec/mt6735/videocodec_kernel_driver_D3.c
@@ -1459,6 +1459,15 @@ static long vcodec_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned
                 MFV_LOGE("[ERROR] VCODEC_GET_CORE_LOADING, copy_from_user failed: %lu\n", ret);
                 return -EFAULT;
             }
+            if (rTempCoreLoading.CPUid > num_possible_cpus()) {
+                MFV_LOGE("[ERROR] rTempCoreLoading.CPUid(%d) > num_possible_cpus(%d)\n",
+                    rTempCoreLoading.CPUid, num_possible_cpus());
+                return -EFAULT;
+            }
+            if (rTempCoreLoading.CPUid < 0) {
+                MFV_LOGE("[ERROR] rTempCoreLoading.CPUid < 0\n");
+                return -EFAULT;
+            }
             rTempCoreLoading.Loading = get_cpu_load(rTempCoreLoading.CPUid);
             ret = copy_to_user(user_data_addr, &rTempCoreLoading, sizeof(VAL_VCODEC_CORE_LOADING_T));
             if (ret)
@@ -2619,4 +2628,3 @@ module_exit(vcodec_driver_exit);
 MODULE_AUTHOR("Legis, Lu <legis.lu@mediatek.com>");
 MODULE_DESCRIPTION("Denali-3 Vcodec Driver");
 MODULE_LICENSE("GPL");
-