diff options
| author | KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> | 2010-02-02 16:44:05 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-02-02 21:11:22 -0500 |
| commit | 325fda71d0badc1073dc59f12a948f24ff05796a (patch) | |
| tree | b143817aba0e8c0d9b4b689bde32fa893a9fb559 | |
| parent | 931e80e4b3263db75c8e34f078d22f11bbabd3a3 (diff) | |
devmem: check vmalloc address on kmem read/write
Otherwise vmalloc_to_page() will BUG().
This also makes the kmem read/write implementation aligned with mem(4):
"References to nonexistent locations cause errors to be returned." Here we
return -ENXIO (inspired by Hugh) if no bytes have been transfered to/from
user space, otherwise return partial read/write results.
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | drivers/char/mem.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/drivers/char/mem.c b/drivers/char/mem.c index be832b6f8279..1fd4b110d815 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c | |||
| @@ -395,6 +395,7 @@ static ssize_t read_kmem(struct file *file, char __user *buf, | |||
| 395 | unsigned long p = *ppos; | 395 | unsigned long p = *ppos; |
| 396 | ssize_t low_count, read, sz; | 396 | ssize_t low_count, read, sz; |
| 397 | char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ | 397 | char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */ |
| 398 | int err = 0; | ||
| 398 | 399 | ||
| 399 | read = 0; | 400 | read = 0; |
| 400 | if (p < (unsigned long) high_memory) { | 401 | if (p < (unsigned long) high_memory) { |
| @@ -441,12 +442,16 @@ static ssize_t read_kmem(struct file *file, char __user *buf, | |||
| 441 | return -ENOMEM; | 442 | return -ENOMEM; |
| 442 | while (count > 0) { | 443 | while (count > 0) { |
| 443 | sz = size_inside_page(p, count); | 444 | sz = size_inside_page(p, count); |
| 445 | if (!is_vmalloc_or_module_addr((void *)p)) { | ||
| 446 | err = -ENXIO; | ||
| 447 | break; | ||
| 448 | } | ||
| 444 | sz = vread(kbuf, (char *)p, sz); | 449 | sz = vread(kbuf, (char *)p, sz); |
| 445 | if (!sz) | 450 | if (!sz) |
| 446 | break; | 451 | break; |
| 447 | if (copy_to_user(buf, kbuf, sz)) { | 452 | if (copy_to_user(buf, kbuf, sz)) { |
| 448 | free_page((unsigned long)kbuf); | 453 | err = -EFAULT; |
| 449 | return -EFAULT; | 454 | break; |
| 450 | } | 455 | } |
| 451 | count -= sz; | 456 | count -= sz; |
| 452 | buf += sz; | 457 | buf += sz; |
| @@ -455,8 +460,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, | |||
| 455 | } | 460 | } |
| 456 | free_page((unsigned long)kbuf); | 461 | free_page((unsigned long)kbuf); |
| 457 | } | 462 | } |
| 458 | *ppos = p; | 463 | *ppos = p; |
| 459 | return read; | 464 | return read ? read : err; |
| 460 | } | 465 | } |
| 461 | 466 | ||
| 462 | 467 | ||
| @@ -520,6 +525,7 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, | |||
| 520 | ssize_t wrote = 0; | 525 | ssize_t wrote = 0; |
| 521 | ssize_t virtr = 0; | 526 | ssize_t virtr = 0; |
| 522 | char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ | 527 | char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ |
| 528 | int err = 0; | ||
| 523 | 529 | ||
| 524 | if (p < (unsigned long) high_memory) { | 530 | if (p < (unsigned long) high_memory) { |
| 525 | unsigned long to_write = min_t(unsigned long, count, | 531 | unsigned long to_write = min_t(unsigned long, count, |
| @@ -540,12 +546,14 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, | |||
| 540 | unsigned long sz = size_inside_page(p, count); | 546 | unsigned long sz = size_inside_page(p, count); |
| 541 | unsigned long n; | 547 | unsigned long n; |
| 542 | 548 | ||
| 549 | if (!is_vmalloc_or_module_addr((void *)p)) { | ||
| 550 | err = -ENXIO; | ||
| 551 | break; | ||
| 552 | } | ||
| 543 | n = copy_from_user(kbuf, buf, sz); | 553 | n = copy_from_user(kbuf, buf, sz); |
| 544 | if (n) { | 554 | if (n) { |
| 545 | if (wrote + virtr) | 555 | err = -EFAULT; |
| 546 | break; | 556 | break; |
| 547 | free_page((unsigned long)kbuf); | ||
| 548 | return -EFAULT; | ||
| 549 | } | 557 | } |
| 550 | sz = vwrite(kbuf, (char *)p, sz); | 558 | sz = vwrite(kbuf, (char *)p, sz); |
| 551 | count -= sz; | 559 | count -= sz; |
| @@ -556,8 +564,8 @@ static ssize_t write_kmem(struct file * file, const char __user * buf, | |||
| 556 | free_page((unsigned long)kbuf); | 564 | free_page((unsigned long)kbuf); |
| 557 | } | 565 | } |
| 558 | 566 | ||
| 559 | *ppos = p; | 567 | *ppos = p; |
| 560 | return virtr + wrote; | 568 | return virtr + wrote ? : err; |
| 561 | } | 569 | } |
| 562 | #endif | 570 | #endif |
| 563 | 571 | ||