From: Greg Kroah-Hartman Date: Thu, 30 Jul 2020 07:26:09 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.232~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b4505f04c56f9e54ec6da8f6381d0896dde93af;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: regmap-debugfs-check-count-when-read-regmap-file.patch
---
diff --git a/queue-4.19/regmap-debugfs-check-count-when-read-regmap-file.patch b/queue-4.19/regmap-debugfs-check-count-when-read-regmap-file.patch
new file mode 100644
index 00000000000..a1661d27ea1
--- /dev/null
+++ b/queue-4.19/regmap-debugfs-check-count-when-read-regmap-file.patch
@@ -0,0 +1,50 @@
+From 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 Mon Sep 17 00:00:00 2001
+From: Peng Fan
+Date: Fri, 13 Mar 2020 09:58:07 +0800
+Subject: regmap: debugfs: check count when read regmap file
+
+From: Peng Fan
+
+commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream.
+
+When executing the following command, we met kernel dump.
+dmesg -c > /dev/null; cd /sys;
+for i in `ls /sys/kernel/debug/regmap/* -d`; do
+ echo "Checking regmap in $i";
+ cat $i/registers;
+done && grep -ri "0x02d0" *;
+
+It is because the count value is too big, and kmalloc fails. So add an
+upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`.
+
+Signed-off-by: Peng Fan
+Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap-debugfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -209,6 +209,9 @@ static ssize_t regmap_read_debugfs(struc
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+@@ -357,6 +360,9 @@ static ssize_t regmap_reg_ranges_read_fi
+ if (*ppos < 0 || !count)
+ return -EINVAL;
+
++ if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++ count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
diff --git a/queue-4.19/series b/queue-4.19/series
index 446094dd016..56ad51fdafc 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -14,3 +14,4 @@ sctp-shrink-stream-outq-when-fails-to-do-addstream-reconf.patch
 udp-copy-has_conns-in-reuseport_grow.patch
 udp-improve-load-balancing-for-so_reuseport.patch
 rtnetlink-fix-memory-net_device-leak-when-newlink-fails.patch
+regmap-debugfs-check-count-when-read-regmap-file.patch
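Review bot: The clamp that the queued patch adds ahead of `kmalloc(count, GFP_KERNEL)` in regmap_read_debugfs(), and repeats verbatim in regmap_reg_ranges_read_file(), open-codes the allocator limit as `PAGE_SIZE << (MAX_ORDER - 1)`. A read size chosen by the caller therefore still drives a physically contiguous allocation of up to that size on every read. Using the named limit, `count = min_t(size_t, count, KMALLOC_MAX_SIZE);`, would tie the bound to what kmalloc accepts, which may be smaller than the open-coded value on some allocator configurations (inferred, not visible in the hunk). A one-line comment such as `/* count comes from the read() caller; bound it before sizing the buffer */` would also record why the value is clamped rather than rejected. Both function bodies start and end outside the quoted hunks.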