From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 16 Jun 2016 08:30:23 +0000
Subject: [patch v2] drm/amdgpu: missing bounds check in amdgpu_set_pp_force_state()
Message-Id: <20160616083023.GA7046@mwanda>
List-Id: <kernel-janitors.vger.kernel.org>
References: <20160616080949.GI32247@mwanda>
In-Reply-To: <20160616080949.GI32247@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Alex Deucher <alexander.deucher@amd.com>
Cc: Jammy Zhou <Jammy.Zhou@amd.com>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Geliang Tang <geliangtang@163.com>, Eric Huang <JinHuiEric.Huang@amd.com>, Rex Zhu <Rex.Zhu@amd.com>, Christian =?iso-8859-1?Q?K=F6nig?= <christian.koenig@amd.com>

There is no limit on high "idx" can go.  It should be less than
ARRAY_SIZE(data.states) which is 16.

The "data" variable wasn't declared in that scope so I shifted the code
around a bit to make it work.  Also I made "idx" unsigned.

Fixes: f3898ea12fc1 ('drm/amd/powerplay: add some sysfs interfaces for powerplay.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: make idx unsigned

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
index 589b36e..0e13d80 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
@@ -270,30 +270,28 @@ static ssize_t amdgpu_set_pp_force_state(struct device *dev,
 	struct drm_device *ddev = dev_get_drvdata(dev);
 	struct amdgpu_device *adev = ddev->dev_private;
 	enum amd_pm_state_type state = 0;
-	long idx;
+	unsigned long idx;
 	int ret;
 
 	if (strlen(buf) = 1)
 		adev->pp_force_state_enabled = false;
-	else {
-		ret = kstrtol(buf, 0, &idx);
+	else if (adev->pp_enabled) {
+		struct pp_states_info data;
 
-		if (ret) {
+		ret = kstrtoul(buf, 0, &idx);
+		if (ret || idx >= ARRAY_SIZE(data.states)) {
 			count = -EINVAL;
 			goto fail;
 		}
 
-		if (adev->pp_enabled) {
-			struct pp_states_info data;
-			amdgpu_dpm_get_pp_num_states(adev, &data);
-			state = data.states[idx];
-			/* only set user selected power states */
-			if (state != POWER_STATE_TYPE_INTERNAL_BOOT &&
-				state != POWER_STATE_TYPE_DEFAULT) {
-				amdgpu_dpm_dispatch_task(adev,
-						AMD_PP_EVENT_ENABLE_USER_STATE, &state, NULL);
-				adev->pp_force_state_enabled = true;
-			}
+		amdgpu_dpm_get_pp_num_states(adev, &data);
+		state = data.states[idx];
+		/* only set user selected power states */
+		if (state != POWER_STATE_TYPE_INTERNAL_BOOT &&
+		    state != POWER_STATE_TYPE_DEFAULT) {
+			amdgpu_dpm_dispatch_task(adev,
+					AMD_PP_EVENT_ENABLE_USER_STATE, &state, NULL);
+			adev->pp_force_state_enabled = true;
 		}
 	}
 fail:

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: [patch v2] drm/amdgpu: missing bounds check in
 amdgpu_set_pp_force_state()
Date: Thu, 16 Jun 2016 11:30:23 +0300
Message-ID: <20160616083023.GA7046@mwanda>
References: <20160616080949.GI32247@mwanda>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <dri-devel-bounces@lists.freedesktop.org>
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69])
 by gabe.freedesktop.org (Postfix) with ESMTPS id 6CF316E254
 for <dri-devel@lists.freedesktop.org>; Thu, 16 Jun 2016 08:30:48 +0000 (UTC)
Content-Disposition: inline
In-Reply-To: <20160616080949.GI32247@mwanda>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
 <mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
To: Alex Deucher <alexander.deucher@amd.com>
Cc: Jammy Zhou <Jammy.Zhou@amd.com>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Geliang Tang <geliangtang@163.com>, Eric Huang <JinHuiEric.Huang@amd.com>, Rex Zhu <Rex.Zhu@amd.com>, Christian =?iso-8859-1?Q?K=F6nig?= <christian.koenig@amd.com>
List-Id: dri-devel@lists.freedesktop.org

VGhlcmUgaXMgbm8gbGltaXQgb24gaGlnaCAiaWR4IiBjYW4gZ28uICBJdCBzaG91bGQgYmUgbGVz
cyB0aGFuCkFSUkFZX1NJWkUoZGF0YS5zdGF0ZXMpIHdoaWNoIGlzIDE2LgoKVGhlICJkYXRhIiB2
YXJpYWJsZSB3YXNuJ3QgZGVjbGFyZWQgaW4gdGhhdCBzY29wZSBzbyBJIHNoaWZ0ZWQgdGhlIGNv
ZGUKYXJvdW5kIGEgYml0IHRvIG1ha2UgaXQgd29yay4gIEFsc28gSSBtYWRlICJpZHgiIHVuc2ln
bmVkLgoKRml4ZXM6IGYzODk4ZWExMmZjMSAoJ2RybS9hbWQvcG93ZXJwbGF5OiBhZGQgc29tZSBz
eXNmcyBpbnRlcmZhY2VzIGZvciBwb3dlcnBsYXkuJykKU2lnbmVkLW9mZi1ieTogRGFuIENhcnBl
bnRlciA8ZGFuLmNhcnBlbnRlckBvcmFjbGUuY29tPgotLS0KdjI6IG1ha2UgaWR4IHVuc2lnbmVk
CgpkaWZmIC0tZ2l0IGEvZHJpdmVycy9ncHUvZHJtL2FtZC9hbWRncHUvYW1kZ3B1X3BtLmMgYi9k
cml2ZXJzL2dwdS9kcm0vYW1kL2FtZGdwdS9hbWRncHVfcG0uYwppbmRleCA1ODliMzZlLi4wZTEz
ZDgwIDEwMDY0NAotLS0gYS9kcml2ZXJzL2dwdS9kcm0vYW1kL2FtZGdwdS9hbWRncHVfcG0uYwor
KysgYi9kcml2ZXJzL2dwdS9kcm0vYW1kL2FtZGdwdS9hbWRncHVfcG0uYwpAQCAtMjcwLDMwICsy
NzAsMjggQEAgc3RhdGljIHNzaXplX3QgYW1kZ3B1X3NldF9wcF9mb3JjZV9zdGF0ZShzdHJ1Y3Qg
ZGV2aWNlICpkZXYsCiAJc3RydWN0IGRybV9kZXZpY2UgKmRkZXYgPSBkZXZfZ2V0X2RydmRhdGEo
ZGV2KTsKIAlzdHJ1Y3QgYW1kZ3B1X2RldmljZSAqYWRldiA9IGRkZXYtPmRldl9wcml2YXRlOwog
CWVudW0gYW1kX3BtX3N0YXRlX3R5cGUgc3RhdGUgPSAwOwotCWxvbmcgaWR4OworCXVuc2lnbmVk
IGxvbmcgaWR4OwogCWludCByZXQ7CiAKIAlpZiAoc3RybGVuKGJ1ZikgPT0gMSkKIAkJYWRldi0+
cHBfZm9yY2Vfc3RhdGVfZW5hYmxlZCA9IGZhbHNlOwotCWVsc2UgewotCQlyZXQgPSBrc3RydG9s
KGJ1ZiwgMCwgJmlkeCk7CisJZWxzZSBpZiAoYWRldi0+cHBfZW5hYmxlZCkgeworCQlzdHJ1Y3Qg
cHBfc3RhdGVzX2luZm8gZGF0YTsKIAotCQlpZiAocmV0KSB7CisJCXJldCA9IGtzdHJ0b3VsKGJ1
ZiwgMCwgJmlkeCk7CisJCWlmIChyZXQgfHwgaWR4ID49IEFSUkFZX1NJWkUoZGF0YS5zdGF0ZXMp
KSB7CiAJCQljb3VudCA9IC1FSU5WQUw7CiAJCQlnb3RvIGZhaWw7CiAJCX0KIAotCQlpZiAoYWRl
di0+cHBfZW5hYmxlZCkgewotCQkJc3RydWN0IHBwX3N0YXRlc19pbmZvIGRhdGE7Ci0JCQlhbWRn
cHVfZHBtX2dldF9wcF9udW1fc3RhdGVzKGFkZXYsICZkYXRhKTsKLQkJCXN0YXRlID0gZGF0YS5z
dGF0ZXNbaWR4XTsKLQkJCS8qIG9ubHkgc2V0IHVzZXIgc2VsZWN0ZWQgcG93ZXIgc3RhdGVzICov
Ci0JCQlpZiAoc3RhdGUgIT0gUE9XRVJfU1RBVEVfVFlQRV9JTlRFUk5BTF9CT09UICYmCi0JCQkJ
c3RhdGUgIT0gUE9XRVJfU1RBVEVfVFlQRV9ERUZBVUxUKSB7Ci0JCQkJYW1kZ3B1X2RwbV9kaXNw
YXRjaF90YXNrKGFkZXYsCi0JCQkJCQlBTURfUFBfRVZFTlRfRU5BQkxFX1VTRVJfU1RBVEUsICZz
dGF0ZSwgTlVMTCk7Ci0JCQkJYWRldi0+cHBfZm9yY2Vfc3RhdGVfZW5hYmxlZCA9IHRydWU7Ci0J
CQl9CisJCWFtZGdwdV9kcG1fZ2V0X3BwX251bV9zdGF0ZXMoYWRldiwgJmRhdGEpOworCQlzdGF0
ZSA9IGRhdGEuc3RhdGVzW2lkeF07CisJCS8qIG9ubHkgc2V0IHVzZXIgc2VsZWN0ZWQgcG93ZXIg
c3RhdGVzICovCisJCWlmIChzdGF0ZSAhPSBQT1dFUl9TVEFURV9UWVBFX0lOVEVSTkFMX0JPT1Qg
JiYKKwkJICAgIHN0YXRlICE9IFBPV0VSX1NUQVRFX1RZUEVfREVGQVVMVCkgeworCQkJYW1kZ3B1
X2RwbV9kaXNwYXRjaF90YXNrKGFkZXYsCisJCQkJCUFNRF9QUF9FVkVOVF9FTkFCTEVfVVNFUl9T
VEFURSwgJnN0YXRlLCBOVUxMKTsKKwkJCWFkZXYtPnBwX2ZvcmNlX3N0YXRlX2VuYWJsZWQgPSB0
cnVlOwogCQl9CiAJfQogZmFpbDoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRl
c2t0b3Aub3JnCmh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8v
ZHJpLWRldmVsCg==