bootargs_append_store() indexes params[count - 1] when stripping a
trailing newline from the sysfs write buffer.

kernfs passes zero-length writes through to the store callback, so an
empty write makes that newline check read before the start of params.

Reject empty writes before looking at the last input byte.

Fixes: 683eab94da75 ("powerpc/fadump: setup additional parameters for dump capture kernel")
Cc: stable@vger.kernel.org

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/powerpc/kernel/fadump.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
index 4ebc333dd786..03ab5565e420 100644
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1479,6 +1479,9 @@ static ssize_t bootargs_append_store(struct kobject *kobj,
 	if (!fw_dump.fadump_enabled || fw_dump.dump_active)
 		return -EPERM;
 
+	if (!count)
+		return -EINVAL;
+
 	if (count >= COMMAND_LINE_SIZE)
 		return -EINVAL;
 
-- 
2.50.1 (Apple Git-155)

Hi Sourabh, Christophe,

Thanks for checking this.

I rechecked the current sysfs write path and I no longer think this
patch is valid. sysfs_kf_write() returns 0 before calling ->store() when
count is 0, so I do not have a path that reaches bootargs_append_store()
with count == 0.

Also, if such a path did exist, returning 0 would be the right behavior
for an empty write, not -EINVAL.

I'll drop this patch.

Thanks,
Pengpeng

On 17/04/26 13:09, Pengpeng Hou wrote:
> bootargs_append_store() indexes params[count - 1] when stripping a
> trailing newline from the sysfs write buffer.
>
> kernfs passes zero-length writes through to the store callback, so an
> empty write makes that newline check read before the start of params.
>
> Reject empty writes before looking at the last input byte.
>
> Fixes: 683eab94da75 ("powerpc/fadump: setup additional parameters for dump capture kernel")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>   arch/powerpc/kernel/fadump.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
> index 4ebc333dd786..03ab5565e420 100644
> --- a/arch/powerpc/kernel/fadump.c
> +++ b/arch/powerpc/kernel/fadump.c
> @@ -1479,6 +1479,9 @@ static ssize_t bootargs_append_store(struct kobject *kobj,
>   	if (!fw_dump.fadump_enabled || fw_dump.dump_active)
>   		return -EPERM;
>   
> +	if (!count)
> +		return -EINVAL;

How you manage to call this function with count as 0?

> +
>   	if (count >= COMMAND_LINE_SIZE)
>   		return -EINVAL;
>

Le 17/04/2026 à 09:39, Pengpeng Hou a écrit :
> bootargs_append_store() indexes params[count - 1] when stripping a
> trailing newline from the sysfs write buffer.
> 
> kernfs passes zero-length writes through to the store callback, so an
> empty write makes that newline check read before the start of params.
> 
> Reject empty writes before looking at the last input byte.
> 
> Fixes: 683eab94da75 ("powerpc/fadump: setup additional parameters for dump capture kernel")
> Cc: stable@vger.kernel.org
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>   arch/powerpc/kernel/fadump.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
> index 4ebc333dd786..03ab5565e420 100644
> --- a/arch/powerpc/kernel/fadump.c
> +++ b/arch/powerpc/kernel/fadump.c
> @@ -1479,6 +1479,9 @@ static ssize_t bootargs_append_store(struct kobject *kobj,
>   	if (!fw_dump.fadump_enabled || fw_dump.dump_active)
>   		return -EPERM;
>   
> +	if (!count)
> +		return -EINVAL;

Why return an error ? A 0 size write is a valid write, it should return 
0 I think.

> +
>   	if (count >= COMMAND_LINE_SIZE)
>   		return -EINVAL;
>