From 84fa20c2a56a9d941fef68dd2c1d489a5f24daa7 Mon Sep 17 00:00:00 2001 From: Armin Wolf Date: Wed, 2 Nov 2022 22:23:35 +0100 Subject: [PATCH] platform/x86: dell-ddv: Improve buffer handling When the DDV interface returns a buffer, it actually returns a acpi buffer containing an integer (buffer size) and another acpi buffer (buffer content). The size of the buffer may be smaller than the size of the buffer content, which is perfectly valid and should not be treated as an error. Also use the buffer size instead of the buffer content size when accessing the buffer to prevent accessing bogus data. Tested on a Dell Inspiron 3505. Signed-off-by: Armin Wolf Link: https://lore.kernel.org/r/20221102212336.380257-1-W_Armin@gmx.de Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede --- drivers/platform/x86/dell/dell-wmi-ddv.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c index 699feae3c435c..1a001296e8c60 100644 --- a/drivers/platform/x86/dell/dell-wmi-ddv.c +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c @@ -129,9 +129,9 @@ static int dell_wmi_ddv_query_buffer(struct wmi_device *wdev, enum dell_ddv_meth if (obj->package.elements[1].type != ACPI_TYPE_BUFFER) goto err_free; - if (buffer_size != obj->package.elements[1].buffer.length) { + if (buffer_size > obj->package.elements[1].buffer.length) { dev_warn(&wdev->dev, - FW_WARN "ACPI buffer size (%llu) does not match WMI buffer size (%d)\n", + FW_WARN "WMI buffer size (%llu) exceeds ACPI buffer size (%d)\n", buffer_size, obj->package.elements[1].buffer.length); goto err_free; @@ -271,15 +271,17 @@ static int dell_wmi_ddv_buffer_read(struct seq_file *seq, enum dell_ddv_method m struct device *dev = seq->private; struct dell_wmi_ddv_data *data = dev_get_drvdata(dev); union acpi_object *obj; - union acpi_object buf; + u64 size; + u8 *buf; int ret; ret = dell_wmi_ddv_query_buffer(data->wdev, method, 0, &obj); if (ret < 0) return ret; - buf = obj->package.elements[1]; - ret = seq_write(seq, buf.buffer.pointer, buf.buffer.length); + size = obj->package.elements[0].integer.value; + buf = obj->package.elements[1].buffer.pointer; + ret = seq_write(seq, buf, size); kfree(obj); return ret; -- 2.30.2