diff options
author | KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> | 2010-02-02 13:44:05 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-02-02 18:11:22 -0800 |
commit | 325fda71d0badc1073dc59f12a948f24ff05796a (patch) | |
tree | b143817aba0e8c0d9b4b689bde32fa893a9fb559 /drivers/char | |
parent | 931e80e4b3263db75c8e34f078d22f11bbabd3a3 (diff) | |
download | linux-325fda71d0badc1073dc59f12a948f24ff05796a.tar.gz linux-325fda71d0badc1073dc59f12a948f24ff05796a.tar.bz2 linux-325fda71d0badc1073dc59f12a948f24ff05796a.zip |
devmem: check vmalloc address on kmem read/write
Otherwise vmalloc_to_page() will BUG().
This also makes the kmem read/write implementation aligned with mem(4):
"References to nonexistent locations cause errors to be returned." Here we
return -ENXIO (inspired by Hugh) if no bytes have been transfered to/from
user space, otherwise return partial read/write results.
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/char')
-rw-r--r-- | drivers/char/mem.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index be832b6f8279..1fd4b110d815 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -395,6 +395,7 @@ static ssize_t read_kmem(struct file *file, char __user *buf, unsigned long p = *ppos; ssize_t low_count, read, sz; char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ + int err = 0; read = 0; if (p < (unsigned long) high_memory) { @@ -441,12 +442,16 @@ static ssize_t read_kmem(struct file *file, char __user *buf, return -ENOMEM; while (count > 0) { sz = size_inside_page(p, count); + if (!is_vmalloc_or_module_addr((void *)p)) { + err = -ENXIO; + break; + } sz = vread(kbuf, (char *)p, sz); if (!sz) break; if (copy_to_user(buf, kbuf, sz)) { - free_page((unsigned long)kbuf); - return -EFAULT; + err = -EFAULT; + break; } count -= sz; buf += sz; @@ -455,8 +460,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, } free_page((unsigned long)kbuf); } - *ppos = p; - return read; + *ppos = p; + return read ? read : err; } @@ -520,6 +525,7 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, ssize_t wrote = 0; ssize_t virtr = 0; char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ + int err = 0; if (p < (unsigned long) high_memory) { unsigned long to_write = min_t(unsigned long, count, @@ -540,12 +546,14 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, unsigned long sz = size_inside_page(p, count); unsigned long n; + if (!is_vmalloc_or_module_addr((void *)p)) { + err = -ENXIO; + break; + } n = copy_from_user(kbuf, buf, sz); if (n) { - if (wrote + virtr) - break; - free_page((unsigned long)kbuf); - return -EFAULT; + err = -EFAULT; + break; } sz = vwrite(kbuf, (char *)p, sz); count -= sz; @@ -556,8 +564,8 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, free_page((unsigned long)kbuf); } - *ppos = p; - return virtr + wrote; + *ppos = p; + return virtr + wrote ? : err; } #endif |