msm: eva: Use error checked property num

When copying sys property set/read commands from user to kernel,
the error checked property number could be re-written by user. It
invalidated the earlier check and may cause out-of-boundary write.

Change-Id: Ia219eb7f922aaef23741641fdc52d93f13a22278
Signed-off-by: George Shen <quic_sqiao@quicinc.com>

msm/eva/msm_cvp_ioctl.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/compat.h>
@@ -63,14 +64,14 @@ static int _get_fence_pkt_hdr_from_user(struct eva_kmd_arg __user *up,
 /* Size is in unit of u32 */
 static int _copy_pkt_from_user(struct eva_kmd_arg *kp,
 		struct eva_kmd_arg __user *up,
-		unsigned int size)
+		unsigned int start, unsigned int size)
 {
 	struct eva_kmd_hfi_packet *k, *u;
 	int i;
 
 	k = &kp->data.hfi_pkt;
 	u = &up->data.hfi_pkt;
-	for (i = 0; i < size; i++)
+	for (i = start; i < size; i++)
 		if (get_user(k->pkt_data[i], &u->pkt_data[i]))
 			return -EFAULT;
 
@@ -164,13 +165,13 @@ static int _copy_sysprop_from_user(struct eva_kmd_arg *kp,
 	if (get_user(k->prop_num, &u->prop_num))
 		return -EFAULT;
 
-	if (k->prop_num < 1 || k->prop_num > 32) {
+	if (k->prop_num < 1 || k->prop_num > MAX_KMD_PROP_NUM_PER_PACKET) {
 		dprintk(CVP_ERR, "Num of prop out of range %d\n", k->prop_num);
 		return -EFAULT;
 	}
 
-	return _copy_pkt_from_user(kp, up,
-		(k->prop_num*((sizeof(struct eva_kmd_sys_property)>>2)+1)));
+	return _copy_pkt_from_user(kp, up, 1,
+		(k->prop_num * (sizeof(struct eva_kmd_sys_property) >> 2)));
 }
 
 static int _copy_pkt_to_user(struct eva_kmd_arg *kp,
@@ -376,7 +377,7 @@ static int convert_from_user(struct eva_kmd_arg *kp,
 			return -EFAULT;
 		}
 
-		rc = _copy_pkt_from_user(kp, up, (pkt_hdr.size >> 2));
+		rc = _copy_pkt_from_user(kp, up, 0, (pkt_hdr.size >> 2));
 		break;
 	}
 	case EVA_KMD_SEND_FENCE_CMD_PKT: