From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 30 Jul 2020 07:26:37 +0000 (+0200)
Subject: 5.7-stable patches
X-Git-Tag: v4.4.232~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34a2845766bb13454758438ca8520f244e2af03c;p=thirdparty%2Fkernel%2Fstable-queue.git

5.7-stable patches

added patches:
	regmap-debugfs-check-count-when-read-regmap-file.patch
---

diff --git a/queue-5.7/regmap-debugfs-check-count-when-read-regmap-file.patch b/queue-5.7/regmap-debugfs-check-count-when-read-regmap-file.patch
new file mode 100644
index 00000000000..45b434f3fb8
--- /dev/null
+++ b/queue-5.7/regmap-debugfs-check-count-when-read-regmap-file.patch
@@ -0,0 +1,50 @@
+From 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Fri, 13 Mar 2020 09:58:07 +0800
+Subject: regmap: debugfs: check count when read regmap file
+
+From: Peng Fan <peng.fan@nxp.com>
+
+commit 74edd08a4fbf51d65fd8f4c7d8289cd0f392bd91 upstream.
+
+When executing the following command, we met kernel dump.
+dmesg -c > /dev/null; cd /sys;
+for i in `ls /sys/kernel/debug/regmap/* -d`; do
+	echo "Checking regmap in $i";
+	cat $i/registers;
+done && grep -ri "0x02d0" *;
+
+It is because the count value is too big, and kmalloc fails. So add an
+upper bound check to allow max size `PAGE_SIZE << (MAX_ORDER - 1)`.
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/1584064687-12964-1-git-send-email-peng.fan@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap-debugfs.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/base/regmap/regmap-debugfs.c
++++ b/drivers/base/regmap/regmap-debugfs.c
+@@ -227,6 +227,9 @@ static ssize_t regmap_read_debugfs(struc
+ 	if (*ppos < 0 || !count)
+ 		return -EINVAL;
+ 
++	if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++		count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ 	buf = kmalloc(count, GFP_KERNEL);
+ 	if (!buf)
+ 		return -ENOMEM;
+@@ -371,6 +374,9 @@ static ssize_t regmap_reg_ranges_read_fi
+ 	if (*ppos < 0 || !count)
+ 		return -EINVAL;
+ 
++	if (count > (PAGE_SIZE << (MAX_ORDER - 1)))
++		count = PAGE_SIZE << (MAX_ORDER - 1);
++
+ 	buf = kmalloc(count, GFP_KERNEL);
+ 	if (!buf)
+ 		return -ENOMEM;
diff --git a/queue-5.7/series b/queue-5.7/series
index 5fe60ea4841..49fa283f317 100644
--- a/queue-5.7/series
+++ b/queue-5.7/series
@@ -17,3 +17,4 @@ udp-copy-has_conns-in-reuseport_grow.patch
 udp-improve-load-balancing-for-so_reuseport.patch
 tipc-allow-to-build-nack-message-in-link-timeout-function.patch
 io_uring-ensure-double-poll-additions-work-with-both-request-types.patch
+regmap-debugfs-check-count-when-read-regmap-file.patch