platform/wmi: Extend wmidev_query_block() to reject undersized data

Wer-Wolf · ij-intel · commit 1aeded2f55f0 · 2026-04-13T14:11:25.000+03:00
WMI drivers using the buffer-based WMI API are expected to reject undersized query results. Extend wmidev_query_block() to enable the WMI driver core to perform this size check internally. Signed-off-by: Armin Wolf <W_Armin@gmx.de> Link: https://patch.msgid.link/20260406203237.2970-6-W_Armin@gmx.de Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
diff --git a/drivers/platform/wmi/core.c b/drivers/platform/wmi/core.c
@@ -565,13 +565,15 @@ EXPORT_SYMBOL_GPL(wmidev_block_query);
  * @wdev: A wmi bus device from a driver
  * @instance: Instance index
  * @out: WMI buffer to fill
+ * @min_size: Minimum size of the result data in bytes
  *
- * Query a WMI data block, the caller must free the resulting data inside @out.
- * Said data is guaranteed to be aligned on a 8-byte boundary.
+ * Query a WMI data block, the caller must free the resulting data inside @out
+ * using kfree(). Said data is guaranteed to be aligned on a 8-byte boundary.
  *
  * Return: 0 on success or a negative error code on failure.
  */
-int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out)
+int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out,
+		       size_t min_size)
 {
 	union acpi_object *obj;
 	int ret;
@@ -580,7 +582,7 @@ int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *
 	if (!obj)
 		return -EIO;
 
-	ret = wmi_unmarshal_acpi_object(obj, out, 0);
+	ret = wmi_unmarshal_acpi_object(obj, out, min_size);
 	kfree(obj);
 
 	return ret;
diff --git a/drivers/platform/x86/intel/wmi/sbl-fw-update.c b/drivers/platform/x86/intel/wmi/sbl-fw-update.c
@@ -28,15 +28,10 @@ static int get_fwu_request(struct device *dev, u32 *out)
 	__le32 *result;
 	int ret;
 
-	ret = wmidev_query_block(to_wmi_device(dev), 0, &buffer);
+	ret = wmidev_query_block(to_wmi_device(dev), 0, &buffer, sizeof(*result));
 	if (ret < 0)
 		return ret;
 
-	if (buffer.length < sizeof(*result)) {
-		kfree(buffer.data);
-		return -ENODATA;
-	}
-
 	result = buffer.data;
 	*out = le32_to_cpu(*result);
 	kfree(result);
diff --git a/drivers/platform/x86/wmi-bmof.c b/drivers/platform/x86/wmi-bmof.c
@@ -62,7 +62,7 @@ static int wmi_bmof_probe(struct wmi_device *wdev, const void *context)
 	if (!buffer)
 		return -ENOMEM;
 
-	ret = wmidev_query_block(wdev, 0, buffer);
+	ret = wmidev_query_block(wdev, 0, buffer, 0);
 	if (ret < 0)
 		return ret;
 
diff --git a/include/linux/wmi.h b/include/linux/wmi.h
@@ -73,7 +73,8 @@ int wmidev_invoke_method(struct wmi_device *wdev, u8 instance, u32 method_id,
 int wmidev_invoke_procedure(struct wmi_device *wdev, u8 instance, u32 method_id,
 			    const struct wmi_buffer *in);
 
-int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out);
+int wmidev_query_block(struct wmi_device *wdev, u8 instance, struct wmi_buffer *out,
+		       size_t min_size);
 
 int wmidev_set_block(struct wmi_device *wdev, u8 instance, const struct wmi_buffer *in);
 
