1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 7b7873548f21f42e6d3032d038d3e8b2c2b22939 Mon Sep 17 00:00:00 2001
From: Phil Elwell <phil@raspberrypi.com>
Date: Tue, 21 Apr 2020 11:30:23 +0100
Subject: [PATCH] driver: char: rpivid: Don't map more than wanted
Limit mappings to the permitted range, but don't map more than asked
for otherwise we walk off the end of the allocated VMA.
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
---
drivers/char/broadcom/rpivid-mem.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/char/broadcom/rpivid-mem.c
+++ b/drivers/char/broadcom/rpivid-mem.c
@@ -100,6 +100,7 @@ static int rpivid_mem_mmap(struct file *
{
struct rpivid_mem_priv *priv;
unsigned long pages;
+ unsigned long len;
priv = file->private_data;
pages = priv->regs_phys >> PAGE_SHIFT;
@@ -107,14 +108,13 @@ static int rpivid_mem_mmap(struct file *
* The address decode is far larger than the actual number of registers.
* Just map the whole lot in.
*/
- vma->vm_page_prot = phys_mem_access_prot(file, pages,
- priv->mem_window_len,
+ len = min(vma->vm_end - vma->vm_start, priv->mem_window_len);
+ vma->vm_page_prot = phys_mem_access_prot(file, pages, len,
vma->vm_page_prot);
vma->vm_ops = &rpivid_mem_vm_ops;
if (remap_pfn_range(vma, vma->vm_start,
- pages,
- priv->mem_window_len,
- vma->vm_page_prot)) {
+ pages, len,
+ vma->vm_page_prot)) {
return -EAGAIN;
}
return 0;
@@ -156,7 +156,7 @@ static int rpivid_mem_probe(struct platf
ioresource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (ioresource) {
priv->regs_phys = ioresource->start;
- priv->mem_window_len = ioresource->end - ioresource->start;
+ priv->mem_window_len = (ioresource->end + 1) - ioresource->start;
} else {
dev_err(priv->dev, "failed to get IO resource");
err = -ENOENT;
|