Merge "fbdev/msm: sanitize debugfs inputs when reading mdp memory" · 9f31d42b06 - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

Merge "fbdev/msm: sanitize debugfs inputs when reading mdp memory"

This commit is contained in:

Linux Build Service Account

2018-10-04 14:58:29 -07:00

• committed by

Gerrit - the friendly Code Review server

parent 5be60e5316 883b0bfa10

commit 9f31d42b06

1 changed files with 39 additions and 2 deletions

									
										41

drivers/video/fbdev/msm/mdss_debug.c
									
										View file
										
					@ -1,4 +1,4 @@

					/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.

					/* Copyright (c) 2009-2018, The Linux Foundation. All rights reserved.

					 *

					 *

					 * This program is free software; you can redistribute it and/or modify

					 * This program is free software; you can redistribute it and/or modify

					 * it under the terms of the GNU General Public License version 2 and

					 * it under the terms of the GNU General Public License version 2 and

					@ -433,6 +433,39 @@ static int mdss_debug_base_release(struct inode *inode, struct file *file)

						return 0;

						return 0;

					}

					}

					/**

					 * mdss_debug_base_is_valid_range - verify if requested memory range is valid

					 * @off: address offset in bytes

					 * @cnt: memory size in bytes

					 * Return: true if valid; false otherwise

					 */

					static bool mdss_debug_base_is_valid_range(u32 off, u32 cnt)

					{

						struct mdss_data_type *mdata = mdss_mdp_get_mdata();

						struct mdss_debug_data *mdd = mdata->debug_inf.debug_data;

						struct range_dump_node *node;

						struct mdss_debug_base *base;

						pr_debug("check offset=0x%x cnt=0x%x\n", off, cnt);

						list_for_each_entry(base, &mdd->base_list, head) {

							list_for_each_entry(node, &base->dump_list, head) {

								pr_debug("%s: start=0x%x end=0x%x\n", node->range_name,

										node->offset.start, node->offset.end);

								if (node->offset.start <= off

										&& off <= node->offset.end

										&& off + cnt <= node->offset.end) {

									pr_debug("valid range requested\n");

									return true;

								}

							}

						}

						pr_err("invalid range requested\n");

						return false;

					}

					static ssize_t mdss_debug_base_offset_write(struct file *file,

					static ssize_t mdss_debug_base_offset_write(struct file *file,

							    const char __user *user_buf, size_t count, loff_t *ppos)

							    const char __user *user_buf, size_t count, loff_t *ppos)

					{

					{

					@ -452,7 +485,8 @@ static ssize_t mdss_debug_base_offset_write(struct file *file,

						buf[count] = 0;	/* end of string */

						buf[count] = 0;	/* end of string */

						sscanf(buf, "%5x %x", &off, &cnt);

						if (sscanf(buf, "%5x %x", &off, &cnt) != 2)

							return -EFAULT;

						if (off % sizeof(u32))

						if (off % sizeof(u32))

							return -EINVAL;

							return -EINVAL;

					@ -463,6 +497,9 @@ static ssize_t mdss_debug_base_offset_write(struct file *file,

						if (cnt > (dbg->max_offset - off))

						if (cnt > (dbg->max_offset - off))

							cnt = dbg->max_offset - off;

							cnt = dbg->max_offset - off;

						if (!mdss_debug_base_is_valid_range(off, cnt))

							return -EINVAL;

						mutex_lock(&mdss_debug_lock);

						mutex_lock(&mdss_debug_lock);

						dbg->off = off;

						dbg->off = off;

						dbg->cnt = cnt;

						dbg->cnt = cnt;