After consuming the leading profile digit in tmp[0] and skipping i bytes of whitespace via *++buf, buf points at original + 1 + i. The number of bytes still inside the sysfs buffer is count - (1 + i), not count - i; using the latter copied one byte past the store buffer.
NUL-terminate buf_cpy before strsep() so parsing cannot run past the copied payload. Signed-off-by: Asad Kamal <[email protected]> --- drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c index 60db9b66d08c..450ecb188aed 100644 --- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c +++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c @@ -1379,6 +1379,7 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev, char tmp[2]; long int profile_mode = 0; const char delimiter[3] = {' ', '\n', '\0'}; + size_t len; tmp[0] = *(buf); tmp[1] = '\0'; @@ -1391,7 +1392,9 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev, return -EINVAL; while (isspace(*++buf)) i++; - memcpy(buf_cpy, buf, count-i); + len = count - 1 - i; + memcpy(buf_cpy, buf, len); + buf_cpy[len] = '\0'; tmp_str = buf_cpy; while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { if (strlen(sub_str) == 0) -- 2.46.0
