eeprom: idt_89hpesx: uninitialized data in idt_dbgfs_csr_write()

The simple_write_to_buffer() function will return positive/success if it
is able to write a single byte anywhere within the buffer.  However that
potentially leaves a lot of the buffer uninitialized.

In this code it's better to return 0 if the offset is non-zero.  This
code is not written to support partial writes.  And then return -EFAULT
if the buffer is not completely initialized.

Fixes: cfad6425382e ("eeprom: Add IDT 89HPESx EEPROM/CSR driver")
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/Ysg1Pu/nzSMe3r1q@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
index 42eac114edd7437b57b9f3efc5ecd3b20795e45a..9aec3338e37d7c238140508312601d563b4a2109 100644 (file)
--- a/drivers/misc/eeprom/idt_89hpesx.c
+++ b/drivers/misc/eeprom/idt_89hpesx.c
@@ -909,14 +909,18 @@ static ssize_t idt_dbgfs_csr_write(struct file *filep, const char __user *ubuf,
        u32 csraddr, csrval;
        char *buf;
 
+       if (*offp)
+               return 0;
+
        /* Copy data from User-space */
        buf = kmalloc(count + 1, GFP_KERNEL);
        if (!buf)
                return -ENOMEM;
 
-       ret = simple_write_to_buffer(buf, count, offp, ubuf, count);
-       if (ret < 0)
+       if (copy_from_user(buf, ubuf, count)) {
+               ret = -EFAULT;
                goto free_buf;
+       }
        buf[count] = 0;
 
        /* Find position of colon in the buffer */