Lekensteyn
2012-Oct-21 10:53 UTC
[Nouveau] [PATCH] drm/nouveau/bios: use size provided by _ROM method
From: Peter Wu <lekensteyn at gmail.com>

Since commit "drm/nouveau/bios: attempt to fetch entire acpi rom image in one shot", the ACPI spec is broken in order to gain speed. In theory, since the _ROM method is supposed to return 4 KiB only, the returned buffer size could be less than the requested length. This could lead to reading past the buffer boundaries which could make worse things happen. To fix that, do not read more than the buffer contains. As an extra side-effect, the function returns the bytes that have really been read which is more natural.

Signed-off-by: Peter Wu <lekensteyn at gmail.com>
---
 drivers/gpu/drm/nouveau/nouveau_acpi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c index 48783e1..368e45c 100644 --- a/drivers/gpu/drm/nouveau/nouveau_acpi.c +++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c @@ -356,6 +356,7 @@ static int nouveau_rom_call(acpi_handle rom_handle, uint8_t *bios, return -ENODEV; } obj = (union acpi_object *)buffer.pointer; + len = min(len, (int)obj->buffer.size); memcpy(bios+offset, obj->buffer.pointer, len); kfree(buffer.pointer); return len; -- 1.7.9.5
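Review bot: The added line in nouveau_rom_call() reads obj->buffer.size without any visible check that the object returned by _ROM is actually a buffer; the context only shows the cast of buffer.pointer to union acpi_object followed directly by the use of the buffer member. If firmware returns another object type, the size and pointer fields of the union are not meaningful and the clamp does not protect the memcpy. Consider testing obj->type against ACPI_TYPE_BUFFER first, freeing buffer.pointer and returning an error otherwise. The clamp itself would read more clearly as min_t(int, len, obj->buffer.size) than as min() with a hand-written cast on one operand. Since the function can now return fewer bytes than requested, it is also worth confirming that callers treat a short return as a partial read and do not assume the full length was copied into bios.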
Marcin Slusarz
2012-Oct-21 12:20 UTC
[Nouveau] [PATCH] drm/nouveau/bios: use size provided by _ROM method
On Sun, Oct 21, 2012 at 12:53:15PM +0200, Lekensteyn wrote:
> From: Peter Wu <lekensteyn at gmail.com>
>
> Since commit "drm/nouveau/bios: attempt to fetch entire acpi rom image in one
> shot", the ACPI spec is broken in order to gain speed. In theory, since the
> _ROM method is supposed to return 4 KiB only, the returned buffer size could be
> less than the requested length. This could lead to reading past the buffer
> boundaries which could make worse things happen. To fix that, do not read more
> than the buffer contains. As an extra side-effect, the function returns the
> bytes that have really been read which is more natural.
>
> Signed-off-by: Peter Wu <lekensteyn at gmail.com>
> ---
> drivers/gpu/drm/nouveau/nouveau_acpi.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c > index 48783e1..368e45c 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_acpi.c > +++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c > @@ -356,6 +356,7 @@ static int nouveau_rom_call(acpi_handle rom_handle, uint8_t *bios, > return -ENODEV; > } > obj = (union acpi_object *)buffer.pointer; > + len = min(len, (int)obj->buffer.size); > memcpy(bios+offset, obj->buffer.pointer, len); > kfree(buffer.pointer); > return len; > --

BTW, _ROM method from https://lkml.org/lkml/2012/10/21/11 multiplies length by 8, so maybe we can read 32kB in one batch?

Marcin