thinkpad_acpi: buffer overflow in fan_get_status()

 */

 */

static int acpi_evalf(acpi_handle handle,

static int acpi_evalf(acpi_handle handle,

		      void *res, char *method, char *fmt, ...)

		      int *res, char *method, char *fmt, ...)

{

{

	char *fmt0 = fmt;

	char *fmt0 = fmt;

	struct acpi_object_list params;

	struct acpi_object_list params;

		success = (status == AE_OK &&

		success = (status == AE_OK &&

			   out_obj.type == ACPI_TYPE_INTEGER);

			   out_obj.type == ACPI_TYPE_INTEGER);

		if (success && res)

		if (success && res)

			*(int *)res = out_obj.integer.value;

			*res = out_obj.integer.value;

		break;

		break;

	case 'v':		/* void */

	case 'v':		/* void */

		success = status == AE_OK;

		success = status == AE_OK;

	 * Add TPACPI_FAN_RD_ACPI_FANS ? */

	 * Add TPACPI_FAN_RD_ACPI_FANS ? */

	switch (fan_status_access_mode) {

	switch (fan_status_access_mode) {

	case TPACPI_FAN_RD_ACPI_GFAN:

	case TPACPI_FAN_RD_ACPI_GFAN: {

		/* 570, 600e/x, 770e, 770x */

		/* 570, 600e/x, 770e, 770x */

		int res;

		if (unlikely(!acpi_evalf(gfan_handle, &s, NULL, "d")))

		if (unlikely(!acpi_evalf(gfan_handle, &res, NULL, "d")))

			return -EIO;

			return -EIO;

		if (likely(status))

		if (likely(status))

			*status = s & 0x07;

			*status = res & 0x07;

		break;

		break;

	}

	case TPACPI_FAN_RD_TPEC:

	case TPACPI_FAN_RD_TPEC:

		/* all except 570, 600e/x, 770e, 770x */

		/* all except 570, 600e/x, 770e, 770x */

		if (unlikely(!acpi_ec_read(fan_status_offset, &s)))

		if (unlikely(!acpi_ec_read(fan_status_offset, &s)))