drm/msm: add input sanitization on debug dump debugfs (1d9922b6) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/gpu/drm/msm/sde_dbg.c

+47 −6

Original line number	Diff line number	Diff line
		@@ -2684,6 +2684,9 @@ void sde_dbg_dump(bool queue_work, const char *name, ...)
		*/
		static int sde_dbg_debugfs_open(struct inode inode, struct file file)
		{
		if (!inode \|\| !file)
		return -EINVAL;

		/* non-seekable */
		file->f_mode &= ~(FMODE_LSEEK \| FMODE_PREAD \| FMODE_PWRITE);
		file->private_data = inode->i_private;
		@@ -2703,6 +2706,9 @@ static ssize_t sde_evtlog_dump_read(struct file file, char __user buff,
		ssize_t len = 0;
		char evtlog_buf[SDE_EVTLOG_BUF_MAX];

		if (!buff \|\| !ppos)
		return -EINVAL;

		len = sde_evtlog_dump_to_buffer(sde_dbg_base.evtlog, evtlog_buf,
		SDE_EVTLOG_BUF_MAX);
		if (copy_to_user(buff, evtlog_buf, len))
		@@ -2764,7 +2770,7 @@ static int sde_evtlog_filter_show(struct seq_file s, void data)
		*/
		static int sde_evtlog_filter_open(struct inode inode, struct file file)
		{
		if (!file)
		if (!inode \|\| !file)
		return -EINVAL;

		return single_open(file, sde_evtlog_filter_show, inode->i_private);
		@@ -2783,6 +2789,9 @@ static ssize_t sde_evtlog_filter_write(struct file *file,
		char *tmp_filter = NULL;
		ssize_t rc = 0;

		if (!user_buf)
		return -EINVAL;

		if (count > 0) {
		/* copy user provided string and null terminate it */
		tmp_filter = kzalloc(count + 1, GFP_KERNEL);
		@@ -2818,7 +2827,14 @@ static const struct file_operations sde_evtlog_filter_fops = {
		*/
		static int sde_dbg_reg_base_release(struct inode inode, struct file file)
		{
		struct sde_dbg_reg_base *dbg = file->private_data;
		struct sde_dbg_reg_base *dbg;

		if (!file)
		return -EINVAL;

		dbg = file->private_data;
		if (!dbg)
		return -ENODEV;

		mutex_lock(&sde_dbg_base.mutex);
		if (dbg && dbg->buf) {
		@@ -2842,11 +2858,15 @@ static int sde_dbg_reg_base_release(struct inode inode, struct file file)
		static ssize_t sde_dbg_reg_base_offset_write(struct file *file,
		const char __user user_buf, size_t count, loff_t ppos)
		{
		struct sde_dbg_reg_base *dbg = file->private_data;
		struct sde_dbg_reg_base *dbg;
		u32 off = 0;
		u32 cnt = DEFAULT_BASE_REG_CNT;
		char buf[24];

		if (!file)
		return -EINVAL;

		dbg = file->private_data;
		if (!dbg)
		return -ENODEV;

		@@ -2870,6 +2890,9 @@ static ssize_t sde_dbg_reg_base_offset_write(struct file *file,
		if (cnt > (dbg->max_offset - off))
		cnt = dbg->max_offset - off;

		if (cnt == 0)
		return -EINVAL;

		mutex_lock(&sde_dbg_base.mutex);
		dbg->off = off;
		dbg->cnt = cnt;
		@@ -2890,13 +2913,20 @@ static ssize_t sde_dbg_reg_base_offset_write(struct file *file,
		static ssize_t sde_dbg_reg_base_offset_read(struct file *file,
		char __user buff, size_t count, loff_t ppos)
		{
		struct sde_dbg_reg_base *dbg = file->private_data;
		struct sde_dbg_reg_base *dbg;
		int len = 0;
		char buf[24] = {'\0'};

		if (!file)
		return -EINVAL;

		dbg = file->private_data;
		if (!dbg)
		return -ENODEV;

		if (!ppos)
		return -EINVAL;

		if (*ppos)
		return 0; /* the end */

		@@ -2933,11 +2963,15 @@ static ssize_t sde_dbg_reg_base_offset_read(struct file *file,
		static ssize_t sde_dbg_reg_base_reg_write(struct file *file,
		const char __user user_buf, size_t count, loff_t ppos)
		{
		struct sde_dbg_reg_base *dbg = file->private_data;
		struct sde_dbg_reg_base *dbg;
		size_t off;
		u32 data, cnt;
		char buf[24];

		if (!file)
		return -EINVAL;

		dbg = file->private_data;
		if (!dbg)
		return -ENODEV;

		@@ -2986,14 +3020,21 @@ static ssize_t sde_dbg_reg_base_reg_write(struct file *file,
		static ssize_t sde_dbg_reg_base_reg_read(struct file *file,
		char __user user_buf, size_t count, loff_t ppos)
		{
		struct sde_dbg_reg_base *dbg = file->private_data;
		struct sde_dbg_reg_base *dbg;
		size_t len;

		if (!file)
		return -EINVAL;

		dbg = file->private_data;
		if (!dbg) {
		pr_err("invalid handle\n");
		return -ENODEV;
		}

		if (!ppos)
		return -EINVAL;

		mutex_lock(&sde_dbg_base.mutex);
		if (!dbg->buf) {
		char dump_buf[64];