Merge "disp: msm: add check for buffer length before copy"

msm/dsi/dsi_ctrl.c

@@ -116,6 +116,9 @@ static ssize_t debugfs_state_info_read(struct file *file,
 			dsi_ctrl->clk_freq.pix_clk_rate,
 			dsi_ctrl->clk_freq.esc_clk_rate);
 
+	if (len > count)
+		len = count;
+
 	len = min_t(size_t, len, SZ_4K);
 	if (copy_to_user(buff, buf, len)) {
 		kfree(buf);
@@ -171,6 +174,8 @@ static ssize_t debugfs_reg_dump_read(struct file *file,
 		return rc;
 	}
 
+	if (len > count)
+		len = count;
 
 	len = min_t(size_t, len, SZ_4K);
 	if (copy_to_user(buff, buf, len)) {

msm/sde/sde_connector.c

@@ -1809,7 +1809,10 @@ static ssize_t _sde_debugfs_conn_cmd_tx_sts_read(struct file *file,
 		return 0;
 	}
 
-	blen = min_t(size_t, MAX_CMD_PAYLOAD_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_CMD_PAYLOAD_SIZE);
 	if (copy_to_user(buf, buffer, blen)) {
 		SDE_ERROR("copy to user buffer failed\n");
 		return -EFAULT;

msm/sde_rsc.c

@@ -1184,7 +1184,10 @@ end:
 	if (blen <= 0)
 		return 0;
 
-	blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 	if (copy_to_user(buf, buffer, blen))
 		return -EFAULT;
 
@@ -1278,7 +1281,10 @@ end:
 	if (blen <= 0)
 		return 0;
 
-	blen = min_t(size_t, MAX_BUFFER_SIZE, count);
+	if (blen > count)
+		blen = count;
+
+	blen = min_t(size_t, blen, MAX_BUFFER_SIZE);
 	if (copy_to_user(buf, buffer, blen))
 		return -EFAULT;