
Commit ffd4b2b8 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server

Merge "fbdev: msm: Avoid UAF in mdss_dsi_cmd_write"

parents a520a93c 99981fe4
+7 −2
@@ -872,7 +872,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
{
	struct buf_data *pcmds = file->private_data;
	ssize_t ret = 0;
	int blen = 0;
	unsigned int blen = 0;
	char *string_buf;

	mutex_lock(&pcmds->dbg_mutex);
@@ -884,6 +884,11 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,

	/* Allocate memory for the received string */
	blen = count + (pcmds->sblen);
	if (blen > U32_MAX - 1) {
		mutex_unlock(&pcmds->dbg_mutex);
		return -EINVAL;
	}

	string_buf = krealloc(pcmds->string_buf, blen + 1, GFP_KERNEL);
	if (!string_buf) {
		pr_err("%s: Failed to allocate memory\n", __func__);
@@ -891,6 +896,7 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
		return -ENOMEM;
	}

	pcmds->string_buf = string_buf;
	/* Writing in batches is possible */
	ret = simple_write_to_buffer(string_buf, blen, ppos, p, count);
	if (ret < 0) {
@@ -900,7 +906,6 @@ static ssize_t mdss_dsi_cmd_write(struct file *file, const char __user *p,
	}

	string_buf[ret] = '\0';
	pcmds->string_buf = string_buf;
	pcmds->sblen = count;
	mutex_unlock(&pcmds->dbg_mutex);
	return ret;
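Review bot: The bound check added in the second hunk runs after the sum has already been narrowed: `blen = count + (pcmds->sblen)` stores into the now-`unsigned int` blen, so `blen > U32_MAX - 1` can only be true when the truncated value is exactly U32_MAX, and a sum that wraps past 32 bits goes undetected. Testing the operands before the addition closes that gap, e.g. `if (count > U32_MAX - 1 - pcmds->sblen)` placed ahead of the assignment, with the same unlock and `-EINVAL` return. This assumes count is a size_t and sblen is non-negative; neither declaration is visible here (the signature is cut off in the hunk header and the function body continues outside the hunks), so the types should be confirmed. Because the same truncated blen sizes both the krealloc and the simple_write_to_buffer limit, this looks like an ineffective guard rather than an overrun, but as written it suggests coverage it does not provide.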