drm/amd/display: fix the system memory page fault because of copy overflow

The buffer is allocated with the size of pointer and copy with the size of
data structure. Then trigger the system memory page fault. Use the
orignal data structure to get the object size.

Fixes: 3a00c04212d1 ("drm/amd/display/dc/core/dc_link: Move some local data from the stack to the heap")
Signed-off-by: Huang Rui <ray.huang@amd.com>
Cc: Lee Jones <lee.jones@linaro.org>
Reviewed-by: Jinzhou.Su <Jinzhou.Su@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
index 69573d6..7317897 100644 (file)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
@@ -1380,7 +1380,7 @@ static bool dc_link_construct(struct dc_link *link,
 
        DC_LOGGER_INIT(dc_ctx->logger);
 
-       info = kzalloc(sizeof(info), GFP_KERNEL);
+       info = kzalloc(sizeof(struct integrated_info), GFP_KERNEL);
        if (!info)
                goto create_fail;
 
@@ -1545,7 +1545,7 @@ static bool dc_link_construct(struct dc_link *link,
        }
 
        if (bios->integrated_info)
-               memcpy(info, bios->integrated_info, sizeof(*info));
+               memcpy(info, bios->integrated_info, sizeof(struct integrated_info));
 
        /* Look for channel mapping corresponding to connector and device tag */
        for (i = 0; i < MAX_NUMBER_OF_EXT_DISPLAY_PATH; i++) {