Commit 8db6f83b authored by Nicolai Hähnle Committed by Alex Deucher

drm/amdgpu: remove cgs_acpi_method_argument member method_length

It was redundant with data_length, and was in fact set incorrectly in one case,
leading to an out-of-bounds read by memcpy in acpi_ut_copy_esimple_to_isimple,
reported by CONFIG_KASAN=y.
Signed-off-by: Nicolai Hähnle <Nicolai.Haehnle@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
parent 840dd4c6
...@@ -973,11 +973,11 @@ static int amdgpu_cgs_acpi_eval_object(struct cgs_device *cgs_device, ...@@ -973,11 +973,11 @@ static int amdgpu_cgs_acpi_eval_object(struct cgs_device *cgs_device,
params->integer.value = argument->value; params->integer.value = argument->value;
break; break;
case ACPI_TYPE_STRING: case ACPI_TYPE_STRING:
params->string.length = argument->method_length; params->string.length = argument->data_length;
params->string.pointer = argument->pointer; params->string.pointer = argument->pointer;
break; break;
case ACPI_TYPE_BUFFER: case ACPI_TYPE_BUFFER:
params->buffer.length = argument->method_length; params->buffer.length = argument->data_length;
params->buffer.pointer = argument->pointer; params->buffer.pointer = argument->pointer;
break; break;
default: default:
...@@ -1080,17 +1080,14 @@ int amdgpu_cgs_call_acpi_method(struct cgs_device *cgs_device, ...@@ -1080,17 +1080,14 @@ int amdgpu_cgs_call_acpi_method(struct cgs_device *cgs_device,
struct cgs_acpi_method_info info = {0}; struct cgs_acpi_method_info info = {0};
acpi_input[0].type = CGS_ACPI_TYPE_INTEGER; acpi_input[0].type = CGS_ACPI_TYPE_INTEGER;
acpi_input[0].method_length = sizeof(uint32_t);
acpi_input[0].data_length = sizeof(uint32_t); acpi_input[0].data_length = sizeof(uint32_t);
acpi_input[0].value = acpi_function; acpi_input[0].value = acpi_function;
acpi_input[1].type = CGS_ACPI_TYPE_BUFFER; acpi_input[1].type = CGS_ACPI_TYPE_BUFFER;
acpi_input[1].method_length = CGS_ACPI_MAX_BUFFER_SIZE;
acpi_input[1].data_length = input_size; acpi_input[1].data_length = input_size;
acpi_input[1].pointer = pinput; acpi_input[1].pointer = pinput;
acpi_output.type = CGS_ACPI_TYPE_BUFFER; acpi_output.type = CGS_ACPI_TYPE_BUFFER;
acpi_output.method_length = CGS_ACPI_MAX_BUFFER_SIZE;
acpi_output.data_length = output_size; acpi_output.data_length = output_size;
acpi_output.pointer = poutput; acpi_output.pointer = poutput;
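Review bot: With method_length gone, `argument->data_length` is the only bound handed to ACPICA in the ACPI_TYPE_STRING and ACPI_TYPE_BUFFER cases of amdgpu_cgs_acpi_eval_object, and amdgpu_cgs_call_acpi_method forwards the caller's `input_size` into it with no check visible in these hunks. If a caller can pass a size larger than the memory behind `pinput`, the same class of over-read that KASAN reported would still be reachable, so an early guard such as `if (input_size > CGS_ACPI_MAX_BUFFER_SIZE || (input_size && !pinput)) return -EINVAL;` would keep the old cap as a sanity limit. A comment at the string case would also help, e.g. `/* data_length: bytes valid at pointer, excluding the terminating NUL */`, since that is what ACPICA's string length means (worth confirming against the callers). Both functions start and end outside the hunks shown, so an existing check elsewhere in their bodies cannot be ruled out.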
......
...@@ -189,7 +189,6 @@ typedef unsigned long cgs_handle_t; ...@@ -189,7 +189,6 @@ typedef unsigned long cgs_handle_t;
struct cgs_acpi_method_argument { struct cgs_acpi_method_argument {
uint32_t type; uint32_t type;
uint32_t method_length;
uint32_t data_length; uint32_t data_length;
union{ union{
uint32_t value; uint32_t value;
......