From ab13c34734650366b89cf11a7f0be255e6d9034e Mon Sep 17 00:00:00 2001
From: "xianjun.liu"
Date: Tue, 25 Jun 2019 15:31:30 +0800
Subject: [PATCH] Mtd: fix check return value for copy_from_user in uboot_write method [1/1]
PD#SWPL-11776
Problem: missing return value check for copy_from_user in uboot_write method
Solution: checking return value after call copy_from_user/copy_to_user
Verify: AXG-S420
Change-Id: I087a341cbf0b603b2898e81773dc266d8e3debe1
Signed-off-by: xianjun.liu
---
 drivers/amlogic/mtd/aml_dtb.c | 8 ++++++++
 drivers/amlogic/mtd/aml_env.c | 8 ++++++++
 drivers/amlogic/mtd/boot.c | 8 ++++++++
 3 files changed, 24 insertions(+)
diff --git a/drivers/amlogic/mtd/aml_dtb.c b/drivers/amlogic/mtd/aml_dtb.c
index 4259e15a2352..d690942c19b5 100644
--- a/drivers/amlogic/mtd/aml_dtb.c
+++ b/drivers/amlogic/mtd/aml_dtb.c
@@ -165,6 +165,10 @@ ssize_t dtb_read(struct file *file,
 read_size = count;
 ret = copy_to_user(buf, (dtb_ptr + *ppos), read_size);
+ if (ret) {
+ read_size = -EFAULT;
+ goto exit;
+ }
 *ppos += read_size;
 exit:
 chip->select_chip(mtd, -1);
@@ -214,6 +218,10 @@ ssize_t dtb_write(struct file *file,
 write_size = count;
 ret = copy_from_user((dtb_ptr + *ppos), buf, write_size);
+ if (ret) {
+ write_size = -EFAULT;
+ goto exit;
+ }
 ret = amlnf_dtb_save(dtb_ptr, aml_chip_dtb->dtbsize);
 if (ret) {
diff --git a/drivers/amlogic/mtd/aml_env.c b/drivers/amlogic/mtd/aml_env.c
index c56fb1147793..7a2fe8c10f5d 100644
--- a/drivers/amlogic/mtd/aml_env.c
+++ b/drivers/amlogic/mtd/aml_env.c
@@ -226,6 +226,10 @@ ssize_t uboot_env_read(struct file *file,
 read_size = count;
 ret = copy_to_user(buf, (env_ptr + *ppos), read_size);
+ if (ret) {
+ read_size = -EFAULT;
+ goto exit;
+ }
 *ppos += read_size;
 exit:
 chip->select_chip(mtd, -1);
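Review bot: The added error path in dtb_read stores the errno in the byte-count variable (`read_size = -EFAULT;`), so one variable now carries both a length and an error code. Its declaration is outside the hunk; if it is a `size_t`, the value only turns negative again through the conversion at the function's `return`, and any length comparison later added on the `exit` path would see a huge positive number. The same pattern is added in dtb_write (`write_size`), uboot_env_read and uboot_env_write, and in boot.c's uboot_read and uboot_write, where `count` is presumably the `size_t` argument of the file operation. A dedicated signed result, e.g. `ssize_t result = read_size;` that is set to `-EFAULT` on failure and returned after `exit`, keeps the two meanings apart. All of these function bodies start and end outside their hunks.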
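Review bot: The new check in dtb_write deserves a comment saying why it bails out before `amlnf_dtb_save`: copy_from_user returns the number of bytes it could not copy, so on failure `dtb_ptr` holds a partly overwritten image that must not be written to flash. Something like `/* short copy: buffer is only partly updated, do not save it */` above the `if (ret)` would make that intent explicit. It applies equally to uboot_env_write before `amlnf_env_save` and to uboot_write in boot.c, which jumps to `err_exit0` before `nand_get_device(mtd, FL_WRITING)`. The `exit` label that dtb_write jumps to is outside the hunk, so it is worth confirming that it releases whatever was acquired before the copy.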
@@ -270,6 +274,10 @@ ssize_t uboot_env_write(struct file *file,
 write_size = count;
 ret = copy_from_user((env_ptr + *ppos), buf, write_size);
+ if (ret) {
+ write_size = -EFAULT;
+ goto exit;
+ }
 ret = amlnf_env_save(env_ptr, CONFIG_ENV_SIZE);
 if (ret) {
diff --git a/drivers/amlogic/mtd/boot.c b/drivers/amlogic/mtd/boot.c
index f6507227e7c3..4bc0531d0d98 100644
--- a/drivers/amlogic/mtd/boot.c
+++ b/drivers/amlogic/mtd/boot.c
@@ -817,6 +817,9 @@ static ssize_t uboot_read(struct file *file,
 chip->select_chip(mtd, -1);
 nand_release_device(mtd);
 ret = copy_to_user(buf, data_buf, count);
+ if (ret)
+ count = -EFAULT;
+
 err_exit0:
 vfree(data_buf);
@@ -858,6 +861,11 @@ static ssize_t uboot_write(struct file *file, const char __user *buf,
 }
 ret = copy_from_user(data_buf, buf, count);
+ if (ret) {
+ count = -EFAULT;
+ goto err_exit0;
+ }
+
 addr = *ppos;
 buffer = data_buf;
 nand_get_device(mtd, FL_WRITING);