On Fri, Jul 08, 2022 at 04:46:38PM +0300, Dan Carpenter wrote:
> The simple_write_to_buffer() function will return positive/success if it
> is able to write a single byte anywhere within the buffer. However that
> potentially leaves a lot of the buffer uninitialized.
>
> In this code it's better to return 0 if the offset is non-zero. This
> code is not written to support partial writes. And then return -EFAULT
> if the buffer is not completely initialized.
>
> Fixes: cfad6425382e ("eeprom: Add IDT 89HPESx EEPROM/CSR driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Seems reasonable. Thanks.
Reviewed-by: Serge Semin <fancer.lancer@xxxxxxxxx>
-Sergey
> ---
> v2: In v1, I tried to be fancy and use strndup_user(). That potentially
> breaks the user space API. I cannot test this code so it's better to be
> conservative.
>
> drivers/misc/eeprom/idt_89hpesx.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
> index b0cff4b152da..7f430742ce2b 100644
> --- a/drivers/misc/eeprom/idt_89hpesx.c
> +++ b/drivers/misc/eeprom/idt_89hpesx.c
> @@ -909,14 +909,18 @@ static ssize_t idt_dbgfs_csr_write(struct file *filep, const char __user *ubuf,
> u32 csraddr, csrval;
> char *buf;
>
> + if (*offp)
> + return 0;
> +
> /* Copy data from User-space */
> buf = kmalloc(count + 1, GFP_KERNEL);
> if (!buf)
> return -ENOMEM;
>
> - ret = simple_write_to_buffer(buf, count, offp, ubuf, count);
> - if (ret < 0)
> + if (copy_from_user(buf, ubuf, count)) {
> + ret = -EFAULT;
> goto free_buf;
> + }
> buf[count] = 0;
>
> /* Find position of colon in the buffer */
> --
> 2.35.1
>
