nv-tegra.nvidia Code Review - linux-2.6.git/blobdiff - drivers/char/mem.c
devmem: check vmalloc address on kmem read/write
index be832b6f8279919831df235a11738f7398668722..1fd4b110d81550114612b120d9cb04d056464dac 100644 (file)
@@ -395,6 +395,7 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
        unsigned long p = *ppos;
        ssize_t low_count, read, sz;
        char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
+       int err = 0;
 
        read = 0;
        if (p < (unsigned long) high_memory) {
@@ -441,12 +442,16 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
                        return -ENOMEM;
                while (count > 0) {
                        sz = size_inside_page(p, count);
+                       if (!is_vmalloc_or_module_addr((void *)p)) {
+                               err = -ENXIO;
+                               break;
+                       }
                        sz = vread(kbuf, (char *)p, sz);
                        if (!sz)
                                break;
                        if (copy_to_user(buf, kbuf, sz)) {
-                               free_page((unsigned long)kbuf);
-                               return -EFAULT;
+                               err = -EFAULT;
+                               break;
                        }
                        count -= sz;
                        buf += sz;
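Review bot: The `is_vmalloc_or_module_addr()` guard added at the top of the `while (count > 0)` loop has no comment saying why it is needed, and the identical guard added in the write_kmem loop hunk is uncommented too. `p` is taken from `*ppos`, so it is caller-controlled, and a one-line comment such as `/* p comes from *ppos: reject anything outside the vmalloc/module range before vread() touches it */` (with `vwrite()` in the write path) would make the intent clear to later readers. It is also worth recording in the function's header comment that `-ENXIO` is reported only when no bytes were transferred, because the tail of the function returns `read ? read : err`, so a caller that hits a bad address mid-range sees a short read first. The loop and the rest of read_kmem continue outside this hunk.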
@@ -455,8 +460,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
                }
                free_page((unsigned long)kbuf);
        }
-       *ppos = p;
-       return read;
+       *ppos = p;
+       return read ? read : err;
 }
 
 
@@ -520,6 +525,7 @@ static ssize_t write_kmem(struct file * file, const char __user * buf,
        ssize_t wrote = 0;
        ssize_t virtr = 0;
        char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+       int err = 0;
 
        if (p < (unsigned long) high_memory) {
                unsigned long to_write = min_t(unsigned long, count,
@@ -540,12 +546,14 @@ static ssize_t write_kmem(struct file * file, const char __user * buf,
                        unsigned long sz = size_inside_page(p, count);
                        unsigned long n;
 
+                       if (!is_vmalloc_or_module_addr((void *)p)) {
+                               err = -ENXIO;
+                               break;
+                       }
                        n = copy_from_user(kbuf, buf, sz);
                        if (n) {
-                               if (wrote + virtr)
-                                       break;
-                               free_page((unsigned long)kbuf);
-                               return -EFAULT;
+                               err = -EFAULT;
+                               break;
                        }
                        sz = vwrite(kbuf, (char *)p, sz);
                        count -= sz;
@@ -556,8 +564,8 @@ static ssize_t write_kmem(struct file * file, const char __user * buf,
                free_page((unsigned long)kbuf);
        }
 
-       *ppos = p;
-       return virtr + wrote;
+       *ppos = p;
+       return virtr + wrote ? : err;
 }
 #endif
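Review bot: `return virtr + wrote ? : err;` depends on the GNU omitted-operand conditional and on `+` binding tighter than `?:`, and it is written differently from the equivalent line in read_kmem, `return read ? read : err;`. Parenthesising the sum, `return (virtr + wrote) ? : err;`, or spelling it out as read_kmem does, keeps the two functions parallel and removes the precedence question for the reader. `err` is declared `int` in the earlier write_kmem hunk while the function returns `ssize_t`; declaring it `ssize_t err = 0;` would match the neighbouring locals. The body of write_kmem starts outside this hunk.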