[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221102212336.380257-1-W_Armin@gmx.de>
Date: Wed, 2 Nov 2022 22:23:35 +0100
From: Armin Wolf <W_Armin@....de>
To: hdegoede@...hat.com, markgross@...nel.org
Cc: platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 1/2] platform/x86: dell-ddv: Improve buffer handling
When the DDV interface returns a buffer, it actually
returns a acpi buffer containing an integer (buffer size)
and another acpi buffer (buffer content).
The size of the buffer may be smaller than the size of
the buffer content, which is perfectly valid and should not
be treated as an error.
Also use the buffer size instead of the buffer content size
when accessing the buffer to prevent accessing bogus data.
Tested on a Dell Inspiron 3505.
Signed-off-by: Armin Wolf <W_Armin@....de>
---
drivers/platform/x86/dell/dell-wmi-ddv.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c
index 699feae3c435..1a001296e8c6 100644
--- a/drivers/platform/x86/dell/dell-wmi-ddv.c
+++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
@@ -129,9 +129,9 @@ static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_meth
if (obj->package.elements[1].type != ACPI_TYPE_BUFFER)
goto err_free;
- if (buffer_size != obj->package.elements[1].buffer.length) {
+ if (buffer_size > obj->package.elements[1].buffer.length) {
dev_warn(&wdev->dev,
- FW_WARN "ACPI buffer size (%llu) does not match WMI buffer size (%d)\n",
+ FW_WARN "WMI buffer size (%llu) exceeds ACPI buffer size (%d)\n",
buffer_size, obj->package.elements[1].buffer.length);
goto err_free;
@@ -271,15 +271,17 @@ static int dell_wmi_ddv_buffer_read(struct seq_file *seq, enum dell_ddv_method m
struct device *dev = seq->private;
struct dell_wmi_ddv_data *data = dev_get_drvdata(dev);
union acpi_object *obj;
- union acpi_object buf;
+ u64 size;
+ u8 *buf;
int ret;
ret = dell_wmi_ddv_query_buffer(data->wdev, method, 0, &obj);
if (ret < 0)
return ret;
- buf = obj->package.elements[1];
- ret = seq_write(seq, buf.buffer.pointer, buf.buffer.length);
+ size = obj->package.elements[0].integer.value;
+ buf = obj->package.elements[1].buffer.pointer;
+ ret = seq_write(seq, buf, size);
kfree(obj);
return ret;
--
2.30.2
Powered by blists - more mailing lists