From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alex Hung <alex.hung@amd.com>,
Harry Wentland <harry.wentland@amd.com>,
Tom Chung <chiahsuan.chung@amd.com>,
Daniel Wheeler <daniel.wheeler@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>,
sunpeng.li@amd.com, Rodrigo.Siqueira@amd.com,
christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com,
daniel@ffwll.ch, hamza.mahfooz@amd.com, wayne.lin@amd.com,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.15 11/47] drm/amd/display: Check msg_id before processing transcation
Date: Wed, 31 Jul 2024 20:31:01 -0400 [thread overview]
Message-ID: <20240801003256.3937416-11-sashal@kernel.org> (raw)
In-Reply-To: <20240801003256.3937416-1-sashal@kernel.org>
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit fa71face755e27dc44bc296416ebdf2c67163316 ]
[WHY & HOW]
HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid
array index, and it needs checking before used.
This fixes 4 OVERRUN issues reported by Coverity.
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
index 4233955e3c47b..c9851492ec84a 100644
--- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
+++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
@@ -131,13 +131,21 @@ static bool hdmi_14_process_transaction(
const uint8_t hdcp_i2c_addr_link_primary = 0x3a; /* 0x74 >> 1*/
const uint8_t hdcp_i2c_addr_link_secondary = 0x3b; /* 0x76 >> 1*/
struct i2c_command i2c_command;
- uint8_t offset = hdcp_i2c_offsets[message_info->msg_id];
+ uint8_t offset;
struct i2c_payload i2c_payloads[] = {
- { true, 0, 1, &offset },
+ { true, 0, 1, 0 },
/* actual hdcp payload, will be filled later, zeroed for now*/
{ 0 }
};
+ if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) {
+ DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id);
+ return false;
+ }
+
+ offset = hdcp_i2c_offsets[message_info->msg_id];
+ i2c_payloads[0].data = &offset;
+
switch (message_info->link) {
case HDCP_LINK_SECONDARY:
i2c_payloads[0].address = hdcp_i2c_addr_link_secondary;
@@ -311,6 +319,11 @@ static bool dp_11_process_transaction(
struct dc_link *link,
struct hdcp_protection_message *message_info)
{
+ if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) {
+ DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id);
+ return false;
+ }
+
return dpcd_access_helper(
link,
message_info->length,
--
2.43.0
next prev parent reply other threads:[~2024-08-01 0:33 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-01 0:30 [PATCH AUTOSEL 5.15 01/47] drm/amd/display: Assign linear_pitch_alignment even for VM Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 02/47] drm/amdgpu: fix overflowed array index read warning Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 03/47] drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 04/47] drm/amd/pm: fix warning using uninitialized value of max_vid_step Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 05/47] drm/amd/pm: fix the Out-of-bounds read warning Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 06/47] drm/amdgpu: fix uninitialized scalar variable warning Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 07/47] drm/amd/display: Check gpio_id before used as array index Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 08/47] drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 Sasha Levin
2024-08-01 0:30 ` [PATCH AUTOSEL 5.15 09/47] drm/amd/display: Add array index check for hdcp ddc access Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 10/47] drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] Sasha Levin
2024-08-01 0:31 ` Sasha Levin [this message]
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 12/47] drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 13/47] drm/amd/amdgpu: Check tbo resource pointer Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 14/47] drm/amdgpu: Fix out-of-bounds write warning Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 15/47] drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 16/47] drm/amdgpu: fix ucode out-of-bounds read warning Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 17/47] drm/amdgpu: fix mc_data " Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 18/47] drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 19/47] drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 20/47] drm/amdgpu: fix the waring dereferencing hive Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 21/47] drm/amdgpu: the warning dereferencing obj for nbio_v7_4 Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 22/47] drm/amdgpu: update type of buf size to u32 for eeprom functions Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 23/47] cpufreq: scmi: Avoid overflow of target_freq in fast switch Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 24/47] bpf, net: Use DEV_STAT_INC() Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 25/47] PCI: al: Check IORESOURCE_BUS existence during probe Sasha Levin
2024-08-27 12:23 ` Pavel Machek
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 26/47] hwspinlock: Introduce hwspin_lock_bust() Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 27/47] gpiolib: cdev: Add INIT_KFIFO() for linereq events Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 28/47] smack: tcp: ipv4, fix incorrect labeling Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 29/47] drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 30/47] wifi: cfg80211: make hash table duplicates more survivable Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 31/47] drm/amd/display: added NULL check at start of dc_validate_stream Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 32/47] drm/amd/display: Skip wbscl_set_scaler_filter if filter is null Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 33/47] ALSA: vmaster: Return error for invalid input values Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 34/47] ELF: fix kernel.randomize_va_space double read Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 35/47] udf: Avoid excessive partition lengths Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 36/47] riscv: mm: Take memory hotplug read-lock during kernel page table dump Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 37/47] usb: uas: set host status byte on data completion error Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 38/47] drm/amd/display: Check HDCP returned status Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 39/47] cgroup: Protect css->cgroup write under css_set_lock Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 40/47] um: line: always fill *error_out in setup_one_line() Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 41/47] devres: Initialize an uninitialized struct member Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 42/47] pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 43/47] hwmon: (lm95234) Fix underflows seen when writing limit attributes Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 44/47] hwmon: (w83627ehf) " Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 45/47] libbpf: Add NULL checks to bpf_object__{prev_map,next_map} Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 46/47] wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() Sasha Levin
2024-08-01 0:31 ` [PATCH AUTOSEL 5.15 47/47] i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240801003256.3937416-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Rodrigo.Siqueira@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=alex.hung@amd.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=chiahsuan.chung@amd.com \
--cc=christian.koenig@amd.com \
--cc=daniel.wheeler@amd.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=hamza.mahfooz@amd.com \
--cc=harry.wentland@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunpeng.li@amd.com \
--cc=wayne.lin@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox