Darkangeel_hd
/
lineage_android_kernel_xiaomi_sdm845
mirror of https://github.com/Darkangeel-hd/lineage_android_kernel_xiaomi_sdm845.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge "drm/msm/dp: add checks to prevent buffer overflows"

This commit is contained in:
Linux Build Service Account 2019-08-26 13:29:31 -07:00 committed by Gerrit - the friendly Code Review server
parent e9fde55f11 df847feac0
commit 3fca24c808
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/gpu/drm/msm/dp/dp_debug.c
View File

@ -192,6 +192,8 @@ static ssize_t dp_debug_write_dpcd(struct file *file,
goto bail;
size = min_t(size_t, count, SZ_2K);
if (size < 4)
goto bail;
buf = kzalloc(size, GFP_KERNEL);
if (ZERO_OR_NULL_PTR(buf)) {
@ -220,6 +222,8 @@ static ssize_t dp_debug_write_dpcd(struct file *file,
}
size -= 4;
if (size == 0)
goto bail;
dpcd_size = size / char_to_nib;
buf_t = buf + 4;
@ -271,6 +275,7 @@ static ssize_t dp_debug_read_dpcd(struct file *file,
len += snprintf(buf, SZ_8, "0x%x\n", debug->aux->reg);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len))
return -EFAULT;
@ -428,7 +433,7 @@ static ssize_t dp_debug_write_exe_mode(struct file *file,
const char __user *user_buff, size_t count, loff_t *ppos)
{
struct dp_debug_private *debug = file->private_data;
char *buf;
char buf[SZ_32];
size_t len = 0;
if (!debug)
@ -437,8 +442,11 @@ static ssize_t dp_debug_write_exe_mode(struct file *file,
if (*ppos)
return 0;
/* Leave room for termination char */
len = min_t(size_t, count, SZ_32 - 1);
buf = memdup_user(user_buff, len);
if (copy_from_user(buf, user_buff, len))
goto end;
buf[len] = '\0';
if (sscanf(buf, "%3s", debug->exe_mode) != 1)
@ -469,6 +477,7 @@ static ssize_t dp_debug_read_connected(struct file *file,
len += snprintf(buf, SZ_8, "%d\n", debug->usbpd->hpd_high);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len))
return -EFAULT;
@ -532,6 +541,7 @@ static ssize_t dp_debug_read_edid_modes(struct file *file,
}
mutex_unlock(&connector->dev->mode_config.mutex);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len)) {
kfree(buf);
rc = -EFAULT;
@ -621,6 +631,7 @@ static ssize_t dp_debug_read_info(struct file *file, char __user *user_buff,
if (dp_debug_check_buffer_overflow(rc, &max_size, &len))
goto error;
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len))
goto error;
@ -653,6 +664,7 @@ static ssize_t dp_debug_bw_code_read(struct file *file,
len += snprintf(buf + len, (SZ_4K - len),
"max_bw_code = %d\n", debug->panel->max_bw_code);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len)) {
kfree(buf);
return -EFAULT;
@ -678,6 +690,7 @@ static ssize_t dp_debug_tpg_read(struct file *file,
len += snprintf(buf, SZ_8, "%d\n", debug->dp_debug.tpg_state);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len))
return -EFAULT;
@ -868,6 +881,7 @@ static ssize_t dp_debug_read_hdr(struct file *file,
goto error;
}
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len)) {
kfree(buf);
rc = -EFAULT;
@ -1027,6 +1041,7 @@ static ssize_t dp_debug_read_dump(struct file *file,
print_hex_dump(KERN_DEBUG, prefix, DUMP_PREFIX_NONE,
16, 4, buf, len, false);
len = min_t(size_t, count, len);
if (copy_to_user(user_buff, buf, len))
return -EFAULT;