From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alex Hung <alex.hung@amd.com>,
Austin Zheng <Austin.Zheng@amd.com>,
Rodrigo Siqueira <rodrigo.siqueira@amd.com>,
Daniel Wheeler <daniel.wheeler@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>,
chaitanya.dhere@amd.com, jun.lei@amd.com, harry.wentland@amd.com,
sunpeng.li@amd.com, Rodrigo.Siqueira@amd.com,
christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com,
simona@ffwll.ch, dillon.varone@amd.com, Alvin.Lee2@amd.com,
Samson.Tam@amd.com, aurabindo.pillai@amd.com, rostrows@amd.com,
joshua.aberback@amd.com, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 6.12 10/19] drm/amd/display: Fix out-of-bound accesses
Date: Mon, 10 Feb 2025 20:30:38 -0500 [thread overview]
Message-ID: <20250211013047.4096767-10-sashal@kernel.org> (raw)
In-Reply-To: <20250211013047.4096767-1-sashal@kernel.org>
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 8adbb2a98b00926315fd513b5fe2596b5716b82d ]
[WHAT & HOW]
hpo_stream_to_link_encoder_mapping has size MAX_HPO_DP2_ENCODERS(=4),
but location can have size up to 6. As a result, it is necessary to
check location against MAX_HPO_DP2_ENCODERS.
Similiarly, disp_cfg_stream_location can be used as an array index which
should be 0..5, so the ASSERT's conditions should be less without equal.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3904
Reviewed-by: Austin Zheng <Austin.Zheng@amd.com>
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../amd/display/dc/dml2/dml21/dml21_translation_helper.c | 4 ++--
.../gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c
index 8dee0d397e032..55014c1521167 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c
@@ -994,7 +994,7 @@ bool dml21_map_dc_state_into_dml_display_cfg(const struct dc *in_dc, struct dc_s
if (disp_cfg_stream_location < 0)
disp_cfg_stream_location = dml_dispcfg->num_streams++;
- ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__);
+ ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location < __DML2_WRAPPER_MAX_STREAMS_PLANES__);
populate_dml21_timing_config_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location].timing, context->streams[stream_index], dml_ctx);
populate_dml21_output_config_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location].output, context->streams[stream_index], &context->res_ctx.pipe_ctx[stream_index]);
populate_dml21_stream_overrides_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location], context->streams[stream_index]);
@@ -1018,7 +1018,7 @@ bool dml21_map_dc_state_into_dml_display_cfg(const struct dc *in_dc, struct dc_s
if (disp_cfg_plane_location < 0)
disp_cfg_plane_location = dml_dispcfg->num_planes++;
- ASSERT(disp_cfg_plane_location >= 0 && disp_cfg_plane_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__);
+ ASSERT(disp_cfg_plane_location >= 0 && disp_cfg_plane_location < __DML2_WRAPPER_MAX_STREAMS_PLANES__);
populate_dml21_surface_config_from_plane_state(in_dc, &dml_dispcfg->plane_descriptors[disp_cfg_plane_location].surface, context->stream_status[stream_index].plane_states[plane_index]);
populate_dml21_plane_config_from_plane_state(dml_ctx, &dml_dispcfg->plane_descriptors[disp_cfg_plane_location], context->stream_status[stream_index].plane_states[plane_index], context, stream_index);
diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c
index bde4250853b10..81ba8809a3b4c 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c
@@ -746,7 +746,7 @@ static void populate_dml_output_cfg_from_stream_state(struct dml_output_cfg_st *
case SIGNAL_TYPE_DISPLAY_PORT_MST:
case SIGNAL_TYPE_DISPLAY_PORT:
out->OutputEncoder[location] = dml_dp;
- if (dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location] != -1)
+ if (location < MAX_HPO_DP2_ENCODERS && dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location] != -1)
out->OutputEncoder[dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location]] = dml_dp2p0;
break;
case SIGNAL_TYPE_EDP:
@@ -1303,7 +1303,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat
if (disp_cfg_stream_location < 0)
disp_cfg_stream_location = dml_dispcfg->num_timings++;
- ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__);
+ ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location < __DML2_WRAPPER_MAX_STREAMS_PLANES__);
populate_dml_timing_cfg_from_stream_state(&dml_dispcfg->timing, disp_cfg_stream_location, context->streams[i]);
populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_stream_location, context->streams[i], current_pipe_context, dml2);
@@ -1343,7 +1343,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat
if (disp_cfg_plane_location < 0)
disp_cfg_plane_location = dml_dispcfg->num_surfaces++;
- ASSERT(disp_cfg_plane_location >= 0 && disp_cfg_plane_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__);
+ ASSERT(disp_cfg_plane_location >= 0 && disp_cfg_plane_location < __DML2_WRAPPER_MAX_STREAMS_PLANES__);
populate_dml_surface_cfg_from_plane_state(dml2->v20.dml_core_ctx.project, &dml_dispcfg->surface, disp_cfg_plane_location, context->stream_status[i].plane_states[j]);
populate_dml_plane_cfg_from_plane_state(
--
2.39.5
next prev parent reply other threads:[~2025-02-11 1:31 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-11 1:30 [PATCH AUTOSEL 6.12 01/19] nvme-fc: go straight to connecting state when initializing Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 02/19] nvme-fc: do not ignore connectivity loss during connecting Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 03/19] hrtimers: Mark is_migration_base() with __always_inline Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 04/19] powercap: call put_device() on an error path in powercap_register_control_type() Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 05/19] btrfs: avoid starting new transaction when cleaning qgroup during subvolume drop Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 06/19] futex: Pass in task to futex_queue() Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 07/19] iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 08/19] sched/debug: Provide slice length for fair tasks Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 09/19] platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show() Sasha Levin
2025-02-11 1:30 ` Sasha Levin [this message]
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 11/19] scsi: core: Use GFP_NOIO to avoid circular locking dependency Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 12/19] scsi: ufs: core: Fix error return with query response Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 13/19] scsi: qla1280: Fix kernel oops when debug level > 2 Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 14/19] Revert "drm/amd/display: Use HW lock mgr for PSR1" Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 15/19] ACPI: resource: IRQ override for Eluktronics MECH-17 Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 16/19] smb: client: fix noisy when tree connecting to DFS interlink targets Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 17/19] alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 18/19] vboxsf: fix building with GCC 15 Sasha Levin
2025-02-11 1:30 ` [PATCH AUTOSEL 6.12 19/19] selftests: always check mask returned by statmount(2) Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250211013047.4096767-10-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=Alvin.Lee2@amd.com \
--cc=Austin.Zheng@amd.com \
--cc=Samson.Tam@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=alex.hung@amd.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=aurabindo.pillai@amd.com \
--cc=chaitanya.dhere@amd.com \
--cc=christian.koenig@amd.com \
--cc=daniel.wheeler@amd.com \
--cc=dillon.varone@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=joshua.aberback@amd.com \
--cc=jun.lei@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rodrigo.siqueira@amd.com \
--cc=rostrows@amd.com \
--cc=simona@ffwll.ch \
--cc=stable@vger.kernel.org \
--cc=sunpeng.li@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox