[PATCH v3 4/4] mtdchar: add MEMREAD ioctl

Miquel Raynal miquel.raynal at bootlin.com
Thu Feb 3 01:46:54 PST 2022


Hi Richard,

richard at nod.at wrote on Thu, 3 Feb 2022 10:18:56 +0100 (CET):

> Michał,
> 
> ----- Original Message -----
> > From: "Michał Kępień" <kernel at kempniu.pl>
> > To: "Miquel Raynal" <miquel.raynal at bootlin.com>, "richard" <richard at nod.at>, "Vignesh Raghavendra" <vigneshr at ti.com>
> > CC: "Boris Brezillon" <boris.brezillon at collabora.com>, "linux-mtd" <linux-mtd at lists.infradead.org>, "linux-kernel"
> > <linux-kernel at vger.kernel.org>
> > Sent: Tuesday, 25 January 2022 11:48:22
> > Subject: [PATCH v3 4/4] mtdchar: add MEMREAD ioctl  
> 
> > +	if (req.start + req.len > mtd->size) {  
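
Review bot: the range check `req.start + req.len > mtd->size` adds the two request fields before comparing, so with both being u64 (as the reply here notes) the sum can wrap and the comparison then passes for a range that lies outside the device. Avoid the addition: reject `req.start > mtd->size` first and then test `req.len > mtd->size - req.start`, or use check_add_overflow() and return -EINVAL when it reports a wrap.
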
> 
> I think this can overflow since both req.start and req.len are u64.
> So an evil-doer might bypass this check.
> 
> > +		ret = -EINVAL;
> > +		goto out;
> > +	}
> > +
> > +	datbuf_len = min_t(size_t, req.len, mtd->erasesize);
> > +	if (datbuf_len > 0) {
> > +		datbuf = kmalloc(datbuf_len, GFP_KERNEL);  
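
Review bot: `min_t(size_t, req.len, mtd->erasesize)` casts req.len to size_t before taking the minimum, so on a 32-bit build a u64 req.len is truncated first; a length that is a multiple of 2^32 gives datbuf_len == 0 and skips the allocation although req.len is non-zero. Take the minimum in the wider type, e.g. `min_t(u64, req.len, mtd->erasesize)`, and only then store the result in datbuf_len.
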
> 
> If mtd->erasesize is large (which is not uncommon these days) you might
> request more from kmalloc() than it can serve.
> Maybe kvmalloc() makes more sense?

Mmmh, I would really like these buffers dma-able.

I just discovered mtd_kmalloc_up_to(). Would this work?

> 
> > +		if (!datbuf) {
> > +			ret = -ENOMEM;
> > +			goto out;
> > +		}
> > +	}
> > +
> > +	oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize);
> > +	if (oobbuf_len > 0) {
> > +		oobbuf = kmalloc(oobbuf_len, GFP_KERNEL);  
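
Review bot: oobbuf_len is capped at mtd->erasesize, the same bound used for the data buffer, and nothing in the quoted lines explains why an erase block's size is the right limit for OOB bytes. A short comment on how the data and OOB chunk sizes are meant to relate would help, and if req.ooblen is 64-bit like req.len, take the minimum in u64 rather than size_t so the value is not truncated on 32-bit builds.
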
> 
> Same.
> 
> Thanks,
> //richard


Thanks,
Miquèl


