Re: [PATCH] params: bound array element output to the caller's page buffer
From: Petr Pavlu
Date: Tue May 05 2026 - 05:13:53 EST

On 4/17/26 9:50 AM, Pengpeng Hou wrote:
> param_array_get() appends each element's string representation into the
> shared sysfs page buffer by passing buffer + off to the element getter.
>
> That works for getters that only write a small bounded string, but
> param_get_charp() and similar helpers format against PAGE_SIZE from the
> pointer they receive. Once off is non-zero, an element getter can
> therefore write past the end of the original sysfs page buffer.
>
> Collect each element into a temporary PAGE_SIZE buffer first and then
> copy only the remaining space into the caller's page buffer.
>
> Fixes: 9bbb9e5a3310 ("param: use ops in struct kernel_param, rather than get and set fns directly")

I'm not sure how this commit is relevant. It looks to me like the issue was
introduced pre-Git by "[PATCH] module parameter array fixes":
https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=206a70f22b5fc94e58a7e75f1d4bce1215c24ad7

> Cc: stable@xxxxxxxxxxxxxxx
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>

As mentioned in my previous reply, I think it would be good to look into
making kernel_param_ops::get() take a size argument as well. However,
this patch looks reasonable to me as a minimal fix. Feel free to add:

Reviewed-by: Petr Pavlu <petr.pavlu@xxxxxxxx>

--
Thanks,
Petr
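
The overflow described in the quoted commit message, as an added userspace model (not part of this thread and not the kernel's code): an element getter that formats against a full page from the pointer it is handed, called at page + off, next to the "format into a temporary page, copy only the remaining space" approach. PAGE_SZ, elem_get(), get_unbounded(), get_bounded() and guard_hits() are hypothetical names, and the truncation and NUL handling are assumptions rather than details taken from the patch.

```c
/* Added userspace model, not kernel code; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#define PAGE_SZ 32  /* constructed stand-in for PAGE_SIZE, small for clarity */
/* Getter modelled on param_get_charp() as described: formats against a full page. */
static int elem_get(char *buf, const char *val)
{
    int n = snprintf(buf, PAGE_SZ, "%s\n", val);
    return n >= PAGE_SZ ? PAGE_SZ - 1 : n;  /* bytes actually written */
}
/* Before: the getter writes at page + off with its own PAGE_SZ limit. */
static int get_unbounded(char *page, const char **elems, int n)
{
    int off = 0;
    for (int i = 0; i < n; i++)
        off += elem_get(page + off, elems[i]);
    return off;
}
/* After: format into a scratch page, then copy only what still fits. */
static int get_bounded(char *page, const char **elems, int n)
{
    char tmp[PAGE_SZ];
    int off = 0;
    for (int i = 0; i < n && off < PAGE_SZ - 1; i++) {
        int len = elem_get(tmp, elems[i]);
        if (len > PAGE_SZ - 1 - off)  /* assumption: keep one byte for the NUL */
            len = PAGE_SZ - 1 - off;
        memcpy(page + off, tmp, (size_t)len);
        off += len;
    }
    page[off] = '\0';
    return off;
}
/* Runs one variant and counts bytes changed beyond the first PAGE_SZ bytes. */
static int guard_hits(int (*get)(char *, const char **, int))
{
    const char *elems[] = { "aaaaaaaaaaaaaa", "bbbbbbbbbbbbbb", "cccccccccccccc" };
    char mem[3 * PAGE_SZ];  /* the "page" followed by guard space (constructed) */
    int hit = 0;
    memset(mem, 0x55, sizeof(mem));
    get(mem, elems, 3);
    for (size_t i = PAGE_SZ; i < sizeof(mem); i++)
        hit += mem[i] != 0x55;
    return hit;
}
int main(void)
{
    printf("bytes past the page: before=%d after=%d\n", guard_hits(get_unbounded), guard_hits(get_bounded));
}
```

The third element starts at offset 30 of a 32-byte page, so the unbounded variant's getter is still allowed a full page from there; the bounded variant truncates the output at the page boundary instead.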