From: Toshi Kani Date: Thu, 24 Sep 2015 19:06:04 +0000 (-0600) Subject: EDAC: Fix sysfs dimm_label store operation X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=438470b84c119f4910ebf1fdd26738c8d9881b24;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git EDAC: Fix sysfs dimm_label store operation Sysfs "dimm_label" and "chX_dimm_label" nodes have the following issues in their store operation: 1) A newline-terminated input string causes redundant newlines: # echo "test" > /sys/bus/mc0/devices/dimm0/dimm_label # cat /sys/bus/mc0/devices/dimm0/dimm_label test # od -bc /sys/bus/mc0/devices/dimm0/dimm_label 0000000 164 145 163 164 012 012 t e s t \n \n 0000006 2) The original label string (31 characters) cannot be stored due to an improper size check: # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0" > /sys/bus/mc0/devices/dimm0/dimm_label # cat /sys/bus/mc0/devices/dimm0/dimm_label # od -bc /sys/bus/mc0/devices/dimm0/dimm_label 0000000 012 012 \n \n 0000002 3) An input string longer than the buffer size results a wrong label info as it allows a retry with the remaining string: # echo "CPU_SrcID#0_Ha#0_Chan#0_DIMM#0_TEST" > /sys/bus/mc0/devices/dimm0/dimm_label # cat /sys/bus/mc0/devices/dimm0/dimm_label _TEST Fix these issues by making the following changes: 1) Replace a newline character at the end by setting a null. It also assures that the string is null-terminated in the label buffer. 2) Check the label buffer size with 'sizeof(dimm->label)'. 3) Fail a request if its string exceeds the label buffer size. Signed-off-by: Toshi Kani Acked-by: Tony Luck Cc: linux-edac Cc: Mauro Carvalho Chehab Cc: Robert Elliott Link: http://lkml.kernel.org/r/1443121564.25474.160.camel@hpe.com Signed-off-by: Borislav Petkov --- diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c index 7d1b31bc6555..bf6b6802105c 100644 --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c @@ -240,14 +240,21 @@ static ssize_t channel_dimm_label_store(struct device *dev, struct csrow_info *csrow = to_csrow(dev); unsigned chan = to_channel(mattr); struct rank_info *rank = csrow->channels[chan]; + size_t copy_count = count; - ssize_t max_size = 0; + if (count == 0) + return -EINVAL; + + if (data[count - 1] == '\0' || data[count - 1] == '\n') + copy_count -= 1; - max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1); - strncpy(rank->dimm->label, data, max_size); - rank->dimm->label[max_size] = '\0'; + if (copy_count >= sizeof(rank->dimm->label)) + return -EINVAL; - return max_size; + strncpy(rank->dimm->label, data, copy_count); + rank->dimm->label[copy_count] = '\0'; + + return count; } /* show function for dynamic chX_ce_count attribute */ @@ -494,14 +501,21 @@ static ssize_t dimmdev_label_store(struct device *dev, size_t count) { struct dimm_info *dimm = to_dimm(dev); + size_t copy_count = count; - ssize_t max_size = 0; + if (count == 0) + return -EINVAL; + + if (data[count - 1] == '\0' || data[count - 1] == '\n') + copy_count -= 1; - max_size = min((ssize_t) count, (ssize_t) EDAC_MC_LABEL_LEN - 1); - strncpy(dimm->label, data, max_size); - dimm->label[max_size] = '\0'; + if (copy_count >= sizeof(dimm->label)) + return -EINVAL; - return max_size; + strncpy(dimm->label, data, copy_count); + dimm->label[copy_count] = '\0'; + + return count; } static ssize_t dimmdev_size_show(struct device *dev,