diff options
author | Arnd Bergmann <arnd@arndb.de> | 2005-12-09 19:21:44 +0100 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2006-01-09 14:53:31 +1100 |
commit | f9ce299fc629d5c899a2e56b00e21f5da05cf590 (patch) | |
tree | da8f883f72d08f9534e9eca3bba662413b9bd865 | |
parent | d52771fce4e774fa786097d34412a057d487c697 (diff) | |
download | op-kernel-dev-f9ce299fc629d5c899a2e56b00e21f5da05cf590.zip op-kernel-dev-f9ce299fc629d5c899a2e56b00e21f5da05cf590.tar.gz |
[PATCH] powerpc: fix large nvram access
/dev/nvram uses the user-provided read/write size
for kmalloc, which fails, if a large number is passed.
This will always use a single page at most, which
can be expected to succeed.
Signed-off-by: Arnd Bergmann <arndb@de.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
-rw-r--r-- | arch/powerpc/kernel/nvram_64.c | 106 |
1 files changed, 50 insertions, 56 deletions
diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c index c0fcd29..fd7db8d 100644 --- a/arch/powerpc/kernel/nvram_64.c +++ b/arch/powerpc/kernel/nvram_64.c @@ -80,80 +80,74 @@ static loff_t dev_nvram_llseek(struct file *file, loff_t offset, int origin) static ssize_t dev_nvram_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { - ssize_t len; - char *tmp_buffer; - int size; + ssize_t ret; + char *tmp = NULL; + ssize_t size; - if (ppc_md.nvram_size == NULL) - return -ENODEV; + ret = -ENODEV; + if (!ppc_md.nvram_size) + goto out; + + ret = 0; size = ppc_md.nvram_size(); + if (*ppos >= size || size < 0) + goto out; - if (!access_ok(VERIFY_WRITE, buf, count)) - return -EFAULT; - if (*ppos >= size) - return 0; - if (count > size) - count = size; + count = min_t(size_t, count, size - *ppos); + count = min(count, PAGE_SIZE); - tmp_buffer = (char *) kmalloc(count, GFP_KERNEL); - if (!tmp_buffer) { - printk(KERN_ERR "dev_read_nvram: kmalloc failed\n"); - return -ENOMEM; - } + ret = -ENOMEM; + tmp = kmalloc(count, GFP_KERNEL); + if (!tmp) + goto out; - len = ppc_md.nvram_read(tmp_buffer, count, ppos); - if ((long)len <= 0) { - kfree(tmp_buffer); - return len; - } + ret = ppc_md.nvram_read(tmp, count, ppos); + if (ret <= 0) + goto out; - if (copy_to_user(buf, tmp_buffer, len)) { - kfree(tmp_buffer); - return -EFAULT; - } + if (copy_to_user(buf, tmp, ret)) + ret = -EFAULT; - kfree(tmp_buffer); - return len; +out: + kfree(tmp); + return ret; } static ssize_t dev_nvram_write(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) + size_t count, loff_t *ppos) { - ssize_t len; - char * tmp_buffer; - int size; + ssize_t ret; + char *tmp = NULL; + ssize_t size; - if (ppc_md.nvram_size == NULL) - return -ENODEV; + ret = -ENODEV; + if (!ppc_md.nvram_size) + goto out; + + ret = 0; size = ppc_md.nvram_size(); + if (*ppos >= size || size < 0) + goto out; - if (!access_ok(VERIFY_READ, buf, count)) - return -EFAULT; - if (*ppos >= size) - return 0; - if (count > size) - count = size; + count = min_t(size_t, count, size - *ppos); + count = min(count, PAGE_SIZE); - tmp_buffer = (char *) kmalloc(count, GFP_KERNEL); - if (!tmp_buffer) { - printk(KERN_ERR "dev_nvram_write: kmalloc failed\n"); - return -ENOMEM; - } - - if (copy_from_user(tmp_buffer, buf, count)) { - kfree(tmp_buffer); - return -EFAULT; - } + ret = -ENOMEM; + tmp = kmalloc(count, GFP_KERNEL); + if (!tmp) + goto out; - len = ppc_md.nvram_write(tmp_buffer, count, ppos); - if ((long)len <= 0) { - kfree(tmp_buffer); - return len; - } + ret = -EFAULT; + if (copy_from_user(tmp, buf, count)) + goto out; + + ret = ppc_md.nvram_write(tmp, count, ppos); + +out: + kfree(tmp); + return ret; - kfree(tmp_buffer); - return len; } static int dev_nvram_ioctl(struct inode *inode, struct file *file, |