From 7b7873548f21f42e6d3032d038d3e8b2c2b22939 Mon Sep 17 00:00:00 2001 From: Phil Elwell <phil@raspberrypi.com> Date: Tue, 21 Apr 2020 11:30:23 +0100 Subject: [PATCH] driver: char: rpivid: Don't map more than wanted Limit mappings to the permitted range, but don't map more than asked for otherwise we walk off the end of the allocated VMA. Signed-off-by: Phil Elwell <phil@raspberrypi.com> --- drivers/char/broadcom/rpivid-mem.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/drivers/char/broadcom/rpivid-mem.c +++ b/drivers/char/broadcom/rpivid-mem.c @@ -100,6 +100,7 @@ static int rpivid_mem_mmap(struct file * { struct rpivid_mem_priv *priv; unsigned long pages; + unsigned long len; priv = file->private_data; pages = priv->regs_phys >> PAGE_SHIFT; @@ -107,14 +108,13 @@ static int rpivid_mem_mmap(struct file * * The address decode is far larger than the actual number of registers. * Just map the whole lot in. */ - vma->vm_page_prot = phys_mem_access_prot(file, pages, - priv->mem_window_len, + len = min(vma->vm_end - vma->vm_start, priv->mem_window_len); + vma->vm_page_prot = phys_mem_access_prot(file, pages, len, vma->vm_page_prot); vma->vm_ops = &rpivid_mem_vm_ops; if (remap_pfn_range(vma, vma->vm_start, - pages, - priv->mem_window_len, - vma->vm_page_prot)) { + pages, len, + vma->vm_page_prot)) { return -EAGAIN; } return 0; @@ -156,7 +156,7 @@ static int rpivid_mem_probe(struct platf ioresource = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (ioresource) { priv->regs_phys = ioresource->start; - priv->mem_window_len = ioresource->end - ioresource->start; + priv->mem_window_len = (ioresource->end + 1) - ioresource->start; } else { dev_err(priv->dev, "failed to get IO resource"); err = -ENOENT;