tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

platform/wmi: Extend wmidev_query_block() to reject undersized data

WMI drivers using the buffer-based WMI API are expected to reject
undersized query results. Extend wmidev_query_block() to enable
the WMI driver core to perform this size check internally.

Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20260406203237.2970-6-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

authored by

Armin Wolf and committed by
Ilpo Järvinen 1aeded2f 96b1b053

+10 -12
+6 -4
drivers/platform/wmi/core.c
··· 565 565 * @wdev: A wmi bus device from a driver 566 566 * @instance: Instance index 567 567 * @out: WMI buffer to fill 568 + * @min_size: Minimum size of the result data in bytes 568 569 * 569 - * Query a WMI data block, the caller must free the resulting data inside @out. 570 - * Said data is guaranteed to be aligned on a 8-byte boundary. 570 + * Query a WMI data block, the caller must free the resulting data inside @out 571 + * using kfree(). Said data is guaranteed to be aligned on a 8-byte boundary. 571 572 * 572 573 * Return: 0 on success or a negative error code on failure. 573 574 */ 574 - int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out) 575 + int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out, 576 + size_t min_size) 575 577 { 576 578 union acpi_object *obj; 577 579 int ret; ··· 582 580 if (!obj) 583 581 return -EIO; 584 582 585 - ret = wmi_unmarshal_acpi_object(obj, out, 0); 583 + ret = wmi_unmarshal_acpi_object(obj, out, min_size); 586 584 kfree(obj); 587 585 588 586 return ret;
+1 -6
drivers/platform/x86/intel/wmi/sbl-fw-update.c
··· 28 28 __le32 *result; 29 29 int ret; 30 30 31 - ret = wmidev_query_block(to_wmi_device(dev), 0, &buffer); 31 + ret = wmidev_query_block(to_wmi_device(dev), 0, &buffer, sizeof(*result)); 32 32 if (ret < 0) 33 33 return ret; 34 - 35 - if (buffer.length < sizeof(*result)) { 36 - kfree(buffer.data); 37 - return -ENODATA; 38 - } 39 34 40 35 result = buffer.data; 41 36 *out = le32_to_cpu(*result);
+1 -1
drivers/platform/x86/wmi-bmof.c
··· 62 62 if (!buffer) 63 63 return -ENOMEM; 64 64 65 - ret = wmidev_query_block(wdev, 0, buffer); 65 + ret = wmidev_query_block(wdev, 0, buffer, 0); 66 66 if (ret < 0) 67 67 return ret; 68 68
+2 -1
include/linux/wmi.h
··· 73 73 int wmidev_invoke_procedure(struct wmi_device *wdev, u8 instance, u32 method_id, 74 74 const struct wmi_buffer *in); 75 75 76 - int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out); 76 + int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out, 77 + size_t min_size); 77 78 78 79 int wmidev_set_block(struct wmi_device *wdev, u8 instance, const struct wmi_buffer *in); 79 80