memory_read_from_buffer() is a weird choice; it: - is made for iteration with ppos a pointer. - does futile error checking in our case. - does NOT ensure we read exactly N bytes. Replace it by: 1. A check that (offset + bytes) lands inside the region and, 2. a plain memcpy().
Signed-off-by: Théo Lebrun <theo.lebrun@xxxxxxxxxxx>
---
 drivers/nvmem/rmem.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/drivers/nvmem/rmem.c b/drivers/nvmem/rmem.c
index 7f907c5a445e7865c8626e00362df0040fe52241..0dc5c8237c7538efe4597c182d7bdb709b945851 100644
--- a/drivers/nvmem/rmem.c
+++ b/drivers/nvmem/rmem.c
@@ -21,10 +21,10 @@ static int rmem_read(void *context, unsigned int offset,
 void *val, size_t bytes)
 {
 struct rmem *priv = context;
- size_t available = priv->mem->size;
- loff_t off = offset;
 void *addr;
- int count;
+
+ if ((phys_addr_t)offset + bytes > priv->mem->size)
+ return -EIO;
 /*
 * Only map the reserved memory at this point to avoid potential rogue
@@ -36,20 +36,17 @@ static int rmem_read(void *context, unsigned int offset,
 * An alternative would be setting the memory as RO, set_memory_ro(),
 * but as of Dec 2020 this isn't possible on arm64.
 */
- addr = memremap(priv->mem->base, available, MEMREMAP_WB);
+ addr = memremap(priv->mem->base, priv->mem->size, MEMREMAP_WB);
 if (!addr) {
 dev_err(priv->dev, "Failed to remap memory region\n");
 return -ENOMEM;
 }
- count = memory_read_from_buffer(val, bytes, &off, addr, available);
+ memcpy(val, addr + offset, bytes);
 memunmap(addr);
- if (count < 0)
- return count;
-
- return count == bytes ? 0 : -EIO;
+ return 0;
 }
 static int rmem_probe(struct platform_device *pdev)
--
2.47.1
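Review bot: The added bounds check `(phys_addr_t)offset + bytes > priv->mem->size` in the first hunk can wrap on configurations where phys_addr_t and size_t are both 32 bits wide, so a large offset with a small length could pass the test and the `memcpy(val, addr + offset, bytes)` in the second hunk would then read outside the mapped region. A subtraction form has no addition to overflow: `if (offset > priv->mem->size || bytes > priv->mem->size - offset) return -EIO;`. Whether the nvmem core already clamps offset and bytes before invoking this callback is not visible in the patch, so this may be defence in depth rather than a reachable path. Since the memcpy now relies entirely on that one test, a short comment above it such as `/* Reject reads that would run past the reserved region. */` would record the invariant for later editors.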