drm/amdgpu: remove cgs_acpi_method_argument member method_length
authorNicolai Hähnle <Nicolai.Haehnle@amd.com>
Tue, 14 Jun 2016 10:10:07 +0000 (12:10 +0200)
committerAlex Deucher <alexander.deucher@amd.com>
Thu, 7 Jul 2016 18:51:32 +0000 (14:51 -0400)
It was redundant with data_length, and in fact set incorrectly in one case
leading to an out-of-bound read by memcpy in acpi_ut_copy_esimple_to_isimple,
reported by CONFIG_KASAN=y.

Signed-off-by: Nicolai Hähnle <Nicolai.Haehnle@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
drivers/gpu/drm/amd/include/cgs_common.h

index 1f9fd07d5d165fcf811f701916702811a1faf0e3..9ffdd090d9ec5bc6bf7a9d9130bd5d10009a59e8 100644 (file)
@@ -973,11 +973,11 @@ static int amdgpu_cgs_acpi_eval_object(struct cgs_device *cgs_device,
                                params->integer.value = argument->value;
                                break;
                        case ACPI_TYPE_STRING:
-                               params->string.length = argument->method_length;
+                               params->string.length = argument->data_length;
                                params->string.pointer = argument->pointer;
                                break;
                        case ACPI_TYPE_BUFFER:
-                               params->buffer.length = argument->method_length;
+                               params->buffer.length = argument->data_length;
                                params->buffer.pointer = argument->pointer;
                                break;
                        default:
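Review bot: In the ACPI_TYPE_STRING and ACPI_TYPE_BUFFER cases the length handed to ACPI now comes straight from `argument->data_length`, and nothing visible in this hunk checks that it matches the memory behind `argument->pointer`. The commit message attributes the KASAN report to an over-long length reaching memcpy, so the same out-of-bounds read is still possible if a caller supplies a `data_length` larger than its buffer; the second hunk shows `amdgpu_cgs_call_acpi_method` forwarding `input_size` unchanged. I would document the contract at the assignments, e.g. `/* data_length must not exceed the bytes valid at argument->pointer */`, and, if `CGS_ACPI_MAX_BUFFER_SIZE` is intended as an upper bound, reject larger values before the switch with something like `if (argument->data_length > CGS_ACPI_MAX_BUFFER_SIZE) { result = -EINVAL; ... }`, adapted to the function's existing error path. The body of amdgpu_cgs_acpi_eval_object starts and ends outside the hunk, so a check elsewhere in the function cannot be ruled out.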
@@ -1080,17 +1080,14 @@ int amdgpu_cgs_call_acpi_method(struct cgs_device *cgs_device,
        struct cgs_acpi_method_info info = {0};
 
        acpi_input[0].type = CGS_ACPI_TYPE_INTEGER;
-       acpi_input[0].method_length = sizeof(uint32_t);
        acpi_input[0].data_length = sizeof(uint32_t);
        acpi_input[0].value = acpi_function;
 
        acpi_input[1].type = CGS_ACPI_TYPE_BUFFER;
-       acpi_input[1].method_length = CGS_ACPI_MAX_BUFFER_SIZE;
        acpi_input[1].data_length = input_size;
        acpi_input[1].pointer = pinput;
 
        acpi_output.type = CGS_ACPI_TYPE_BUFFER;
-       acpi_output.method_length = CGS_ACPI_MAX_BUFFER_SIZE;
        acpi_output.data_length = output_size;
        acpi_output.pointer = poutput;
 
index 7464daf89ca1319fb64a11646bfa26d98c473e5d..f12c25747b9e36b38d368db26cc7e2f79a5ce277 100644 (file)
@@ -189,7 +189,6 @@ typedef unsigned long cgs_handle_t;
 
 struct cgs_acpi_method_argument {
        uint32_t type;
-       uint32_t method_length;
        uint32_t data_length;
        union{
                uint32_t value;