aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/bcm27xx/patches-5.4/950-0664-driver-char-rpivid-Don-t-map-more-than-wanted.patch
blob: afc1a5a6a867ae034bed2960448af60442f2e9a1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
From 8c2369b39b1dafe7a26907173bb47d37ec53bfa2 Mon Sep 17 00:00:00 2001
From: Phil Elwell <phil@raspberrypi.com>
Date: Tue, 21 Apr 2020 11:30:23 +0100
Subject: [PATCH] driver: char: rpivid: Don't map more than wanted

Limit mappings to the permitted range, but don't map more than asked
for otherwise we walk off the end of the allocated VMA.

Signed-off-by: Phil Elwell <phil@raspberrypi.com>
---
 drivers/char/broadcom/rpivid-mem.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/char/broadcom/rpivid-mem.c
+++ b/drivers/char/broadcom/rpivid-mem.c
@@ -100,6 +100,7 @@ static int rpivid_mem_mmap(struct file *
 {
 	struct rpivid_mem_priv *priv;
 	unsigned long pages;
+	unsigned long len;
 
 	priv = file->private_data;
 	pages = priv->regs_phys >> PAGE_SHIFT;
@@ -107,14 +108,13 @@ static int rpivid_mem_mmap(struct file *
 	 * The address decode is far larger than the actual number of registers.
 	 * Just map the whole lot in.
 	 */
-	vma->vm_page_prot = phys_mem_access_prot(file, pages,
-						 priv->mem_window_len,
+	len = min(vma->vm_end - vma->vm_start, priv->mem_window_len);
+	vma->vm_page_prot = phys_mem_access_prot(file, pages, len,
 						 vma->vm_page_prot);
 	vma->vm_ops = &rpivid_mem_vm_ops;
 	if (remap_pfn_range(vma, vma->vm_start,
-			pages,
-			priv->mem_window_len,
-			vma->vm_page_prot)) {
+			    pages, len,
+			    vma->vm_page_prot)) {
 		return -EAGAIN;
 	}
 	return 0;
@@ -156,7 +156,7 @@ static int rpivid_mem_probe(struct platf
 	ioresource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
 	if (ioresource) {
 		priv->regs_phys = ioresource->start;
-		priv->mem_window_len = ioresource->end - ioresource->start;
+		priv->mem_window_len = (ioresource->end + 1) - ioresource->start;
 	} else {
 		dev_err(priv->dev, "failed to get IO resource");
 		err = -ENOENT;