| From 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 Mon Sep 17 00:00:00 2001 |
| From: Peng Fan <peng.fan@nxp.com> |
| Date: Fri, 13 Mar 2020 09:58:07 +0800 |
| Subject: regmap: debugfs: check count when read regmap file |
| |
| From: Peng Fan <peng.fan@nxp.com> |
| |
| commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream. |
| |
| When executing the following command, we met kernel dump. |
| dmesg -c > /dev/null; cd /sys; |
| for i in `ls /sys/kernel/debug/regmap/* -d`; do |
| echo "Checking regmap in $i"; |
| cat $i/registers; |
| done && grep -ri "0x02d0" *; |
| |
| It is because the count value is too big, and kmalloc fails. So add an |
| upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`. |
| |
| Signed-off-by: Peng Fan <peng.fan@nxp.com> |
| Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com |
| Signed-off-by: Mark Brown <broonie@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/base/regmap/regmap-debugfs.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/drivers/base/regmap/regmap-debugfs.c |
| +++ b/drivers/base/regmap/regmap-debugfs.c |
| @@ -227,6 +227,9 @@ static ssize_t regmap_read_debugfs(struc |
| if (*ppos < 0 || !count) |
| return -EINVAL; |
| |
| + if (count > (PAGE_SIZE << (MAX_ORDER - 1))) |
| + count = PAGE_SIZE << (MAX_ORDER - 1); |
| + |
| buf = kmalloc(count, GFP_KERNEL); |
| if (!buf) |
| return -ENOMEM; |
| @@ -371,6 +374,9 @@ static ssize_t regmap_reg_ranges_read_fi |
| if (*ppos < 0 || !count) |
| return -EINVAL; |
| |
| + if (count > (PAGE_SIZE << (MAX_ORDER - 1))) |
| + count = PAGE_SIZE << (MAX_ORDER - 1); |
| + |
| buf = kmalloc(count, GFP_KERNEL); |
| if (!buf) |
| return -ENOMEM; |