During conversion to use strndup_user() the commit 35d13c7a0512 ("platform/x86: thinkpad_acpi: Use strndup_user() in dispatch_proc_write()") missed the fact that buffer coming thru procfs is not immediately NULL terminated. We have to limit size when calling strndup_user(). Fixes: 35d13c7a0512 ("platform/x86: thinkpad_acpi: Use strndup_user() in dispatch_proc_write()") Reported-by: Hans de Goede <hdegoede@xxxxxxxxxx> Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> --- drivers/platform/x86/thinkpad_acpi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c index f571d6254e7c..f411ad814cab 100644 --- a/drivers/platform/x86/thinkpad_acpi.c +++ b/drivers/platform/x86/thinkpad_acpi.c @@ -886,7 +886,7 @@ static ssize_t dispatch_proc_write(struct file *file, if (!ibm || !ibm->write) return -EINVAL; - kernbuf = strndup_user(userbuf, PAGE_SIZE); + kernbuf = strndup_user(userbuf, min_t(long, count, PAGE_SIZE)); if (IS_ERR(kernbuf)) return PTR_ERR(kernbuf); -- 2.27.0