samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

disp: msm: sde: ensure string buffer is properly terminated

Browse Source 
Give snprintf the max size posssible to store in buffer or
copy_to_user instead of just truncating in order to ensure
the output string is properly terminated.

Change-Id: Id387e99cd035e39530b2c7de9484c0288efff605
Signed-off-by: Steve Cohen <cohens@codeaurora.org>
This commit is contained in:
Steve Cohen
2020-02-04 15:15:40 -05:00
committed by Gerrit - the friendly Code Review server
parent f97e75d7ab
commit 1b7e54c362
2 changed files with 16 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
msm/sde_rsc.c
View File

@@ -1357,6 +1357,7 @@ static ssize_t _sde_debugfs_mode_ctrl_read(struct file *file, char __user *buf,
struct sde_rsc_priv *rsc = file->private_data; struct sde_rsc_priv *rsc = file->private_data;
char buffer[MAX_BUFFER_SIZE]; char buffer[MAX_BUFFER_SIZE];
int blen = 0; int blen = 0;
size_t max_size = min_t(size_t, count, MAX_BUFFER_SIZE);
if (*ppos || !rsc || !rsc->hw_ops.mode_ctrl) if (*ppos || !rsc || !rsc->hw_ops.mode_ctrl)
return 0; return 0;
@@ -1364,23 +1365,23 @@ static ssize_t _sde_debugfs_mode_ctrl_read(struct file *file, char __user *buf,
mutex_lock(&rsc->client_lock); mutex_lock(&rsc->client_lock);
if (rsc->current_state == SDE_RSC_IDLE_STATE) { if (rsc->current_state == SDE_RSC_IDLE_STATE) {
pr_debug("debug node is not supported during idle state\n"); pr_debug("debug node is not supported during idle state\n");
blen = snprintf(buffer, MAX_BUFFER_SIZE, blen = scnprintf(buffer, max_size,
"hw state is not supported during idle pc\n"); "hw state is not supported during idle pc\n");
goto end; goto end;
} }
blen = rsc->hw_ops.mode_ctrl(rsc, MODE_READ, buffer, blen = rsc->hw_ops.mode_ctrl(rsc, MODE_READ, buffer, max_size, 0);
MAX_BUFFER_SIZE, 0);
end: end:
mutex_unlock(&rsc->client_lock); mutex_unlock(&rsc->client_lock);
if (blen <= 0) if (blen <= 0)
return 0; return 0;
if (blen > count) if (blen > count) {
blen = count; blen = count;
buffer[count - 1] = '\0';
}
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen)) if (copy_to_user(buf, buffer, blen))
return -EFAULT; return -EFAULT;
@@ -1447,6 +1448,7 @@ static ssize_t _sde_debugfs_vsync_mode_read(struct file *file, char __user *buf,
struct sde_rsc_priv *rsc = file->private_data; struct sde_rsc_priv *rsc = file->private_data;
char buffer[MAX_BUFFER_SIZE]; char buffer[MAX_BUFFER_SIZE];
int blen = 0; int blen = 0;
size_t max_size = min_t(size_t, count, MAX_BUFFER_SIZE);
if (*ppos || !rsc || !rsc->hw_ops.hw_vsync) if (*ppos || !rsc || !rsc->hw_ops.hw_vsync)
return 0; return 0;
@@ -1454,23 +1456,23 @@ static ssize_t _sde_debugfs_vsync_mode_read(struct file *file, char __user *buf,
mutex_lock(&rsc->client_lock); mutex_lock(&rsc->client_lock);
if (rsc->current_state == SDE_RSC_IDLE_STATE) { if (rsc->current_state == SDE_RSC_IDLE_STATE) {
pr_debug("debug node is not supported during idle state\n"); pr_debug("debug node is not supported during idle state\n");
blen = snprintf(buffer, MAX_BUFFER_SIZE, blen = scnprintf(buffer, max_size,
"hw state is not supported during idle pc\n"); "hw state is not supported during idle pc\n");
goto end; goto end;
} }
blen = rsc->hw_ops.hw_vsync(rsc, VSYNC_READ, buffer, blen = rsc->hw_ops.hw_vsync(rsc, VSYNC_READ, buffer, max_size, 0);
MAX_BUFFER_SIZE, 0);
end: end:
mutex_unlock(&rsc->client_lock); mutex_unlock(&rsc->client_lock);
if (blen <= 0) if (blen <= 0)
return 0; return 0;
if (blen > count) if (blen > count) {
blen = count; blen = count;
buffer[count - 1] = '\0';
}
blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
if (copy_to_user(buf, buffer, blen)) if (copy_to_user(buf, buffer, blen))
return -EFAULT; return -EFAULT;

11
msm/sde_rsc_hw.c
View File

@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0-only // SPDX-License-Identifier: GPL-2.0-only
/* /*
* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved. * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
*/ */
#define pr_fmt(fmt) "[sde_rsc_hw:%s:%d]: " fmt, __func__, __LINE__ #define pr_fmt(fmt) "[sde_rsc_hw:%s:%d]: " fmt, __func__, __LINE__
@@ -717,8 +717,7 @@ int rsc_hw_mode_ctrl(struct sde_rsc_priv *rsc, enum rsc_mode_req request,
if (!buffer || !buffer_size) if (!buffer || !buffer_size)
return blen; return blen;
blen = snprintf(buffer, buffer_size - blen, blen = scnprintf(buffer, buffer_size, "mode_status:0x%x\n",
"mode_status:0x%x\n",
dss_reg_r(&rsc->drv_io, SDE_RSCC_SOLVER_STATUS2_DRV0, dss_reg_r(&rsc->drv_io, SDE_RSCC_SOLVER_STATUS2_DRV0,
rsc->debug_mode)); rsc->debug_mode));
break; break;
@@ -798,14 +797,12 @@ int rsc_hw_vsync(struct sde_rsc_priv *rsc, enum rsc_vsync_req request,
if (!buffer || !buffer_size) if (!buffer || !buffer_size)
return blen; return blen;
blen = snprintf(buffer, buffer_size - blen, "vsync0:0x%x\n", blen = scnprintf(buffer, buffer_size, "vsync0:0x%x\n",
dss_reg_r(&rsc->wrapper_io, dss_reg_r(&rsc->wrapper_io,
SDE_RSCC_WRAPPER_VSYNC_TIMESTAMP0, SDE_RSCC_WRAPPER_VSYNC_TIMESTAMP0,
rsc->debug_mode)); rsc->debug_mode));
if (blen >= buffer_size)
return blen;
blen += snprintf(buffer + blen, buffer_size - blen, blen += scnprintf(buffer + blen, buffer_size - blen,
"vsync1:0x%x\n", "vsync1:0x%x\n",
dss_reg_r(&rsc->wrapper_io, dss_reg_r(&rsc->wrapper_io,
SDE_RSCC_WRAPPER_VSYNC_TIMESTAMP1, SDE_RSCC_WRAPPER_VSYNC_TIMESTAMP1,