4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Mera dev@michaelmera.com
commit 062d0f22a30c39840ea49b72cfcfc1aa4cc538fa upstream.
In write to debugfs file 'resource_stats' the local buffer 'tmp_str' is written at index 'count-1' where 'count' is the size of the write, so potentially 0.
This patch filters odd values for the write size/position to avoid this type of problem.
Signed-off-by: Michael Mera dev@michaelmera.com Reviewed-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Amit Pundir amit.pundir@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c @@ -645,7 +645,7 @@ static ssize_t ocrdma_dbgfs_ops_write(st struct ocrdma_stats *pstats = filp->private_data; struct ocrdma_dev *dev = pstats->dev;
- if (count > 32) + if (*ppos != 0 || count == 0 || count > sizeof(tmp_str)) goto err;
if (copy_from_user(tmp_str, buffer, count))