From 66221ce8c2a8ef0134ad4daa0a0f3f581b0ed5ad Mon Sep 17 00:00:00 2001 From: Patrick Auchter Date: Tue, 17 May 2016 16:50:45 -0700 Subject: [PATCH] msm: mdss: fix possible overflow errors in panel_debug_base_reg_read The panel_reg_buf is a dynamically allocated buffer of size reg_buf_len so checking sizeof(panel_reg_buf) is incorrect. Using scnprintf will ensure that len is at most reg_buf_len - 1 after all the prints. This allows sanity checks to be removed which were incorrectly skipping clock disable, resulting in an extra clock reference count. Change-Id: Ic3bb685c7b83eefef7bc207ad93d6a2a9e36fd33 Signed-off-by: Patrick Auchter Signed-off-by: Veera Sundaram Sankaran (cherry picked from commit 89bede0751357bc24701b8ebfe326d3e6bb46683) --- drivers/video/fbdev/msm/mdss_debug.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c index 8663797f1730..6b455e0f1e6f 100644 --- a/drivers/video/fbdev/msm/mdss_debug.c +++ b/drivers/video/fbdev/msm/mdss_debug.c @@ -244,23 +244,19 @@ static ssize_t panel_debug_base_reg_read(struct file *file, mdss_dsi_panel_cmd_read(ctrl_pdata, panel_reg[0], panel_reg[1], NULL, rx_buf, dbg->cnt); - len = snprintf(panel_reg_buf, reg_buf_len, "0x%02zx: ", dbg->off); - if (len < 0) - goto read_reg_fail; + len = scnprintf(panel_reg_buf, reg_buf_len, "0x%02zx: ", dbg->off); for (i = 0; (len < reg_buf_len) && (i < ctrl_pdata->rx_len); i++) len += scnprintf(panel_reg_buf + len, reg_buf_len - len, "0x%02x ", rx_buf[i]); - panel_reg_buf[len - 1] = '\n'; + if (len) + panel_reg_buf[len - 1] = '\n'; if (mdata->debug_inf.debug_enable_clock) mdata->debug_inf.debug_enable_clock(0); - if (len < 0 || len >= sizeof(panel_reg_buf)) - return 0; - - if ((count < sizeof(panel_reg_buf)) + if ((count < reg_buf_len) || (copy_to_user(user_buf, panel_reg_buf, len))) goto read_reg_fail;