From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Tom Chung <chiahsuan.chung@amd.com>,
Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>,
Roman Li <roman.li@amd.com>, Alex Hung <alex.hung@amd.com>,
Aurabindo Pillai <aurabindo.pillai@amd.com>,
Harry Wentland <harry.wentland@amd.com>,
Hamza Mahfooz <hamza.mahfooz@amd.com>,
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Bin Lan <lanbincn@qq.com>
Subject: [PATCH 6.1 52/64] drm/amd/display: Fix out-of-bounds access in dcn21_link_encoder_create
Date: Tue, 21 Jan 2025 18:52:51 +0100 [thread overview]
Message-ID: <20250121174523.533878477@linuxfoundation.org> (raw)
In-Reply-To: <20250121174521.568417761@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
An issue was identified in the dcn21_link_encoder_create function where
an out-of-bounds access could occur when the hpd_source index was used
to reference the link_enc_hpd_regs array. This array has a fixed size
and the index was not being checked against the array's bounds before
accessing it.
This fix adds a conditional check to ensure that the hpd_source index is
within the valid range of the link_enc_hpd_regs array. If the index is
out of bounds, the function now returns NULL to prevent undefined
behavior.
References:
[ 65.920507] ------------[ cut here ]------------
[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
[ 65.920527] Call Trace:
[ 65.920529] <TASK>
[ 65.920532] dump_stack_lvl+0x48/0x70
[ 65.920541] dump_stack+0x10/0x20
[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
[ 65.921679] dc_create+0x360/0x720 [amdgpu]
[ 65.921999] ? dmi_matches+0xa0/0x220
[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
[ 65.922342] ? console_unlock+0x77/0x120
[ 65.922348] ? dev_printk_emit+0x86/0xb0
[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
[ 65.923087] local_pci_probe+0x4b/0xb0
[ 65.923087] pci_device_probe+0xc8/0x280
[ 65.923087] really_probe+0x187/0x300
[ 65.923087] __driver_probe_device+0x85/0x130
[ 65.923087] driver_probe_device+0x24/0x110
[ 65.923087] __driver_attach+0xac/0x1d0
[ 65.923087] ? __pfx___driver_attach+0x10/0x10
[ 65.923087] bus_for_each_dev+0x7d/0xd0
[ 65.923087] driver_attach+0x1e/0x30
[ 65.923087] bus_add_driver+0xf2/0x200
[ 65.923087] driver_register+0x64/0x130
[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
[ 65.923087] __pci_register_driver+0x61/0x70
[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
[ 65.923087] do_one_initcall+0x49/0x310
[ 65.923087] ? kmalloc_trace+0x136/0x360
[ 65.923087] do_init_module+0x6a/0x270
[ 65.923087] load_module+0x1fce/0x23a0
[ 65.923087] init_module_from_file+0x9c/0xe0
[ 65.923087] ? init_module_from_file+0x9c/0xe0
[ 65.923087] idempotent_init_module+0x179/0x230
[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
[ 65.923087] do_syscall_64+0x76/0x120
[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 65.923087] RIP: 0033:0x7f2d80f1e88d
[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
[ 65.923087] </TASK>
[ 65.923927] ---[ end trace ]---
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Roman Li <roman.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Bin Lan <lanbincn@qq.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
@@ -1340,7 +1340,7 @@ static struct link_encoder *dcn21_link_e
kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
int link_regs_id;
- if (!enc21)
+ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
return NULL;
link_regs_id =
next prev parent reply other threads:[~2025-01-21 18:05 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-21 17:51 [PATCH 6.1 00/64] 6.1.127-rc1 review Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 01/64] net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 02/64] bpf: Fix bpf_sk_select_reuseport() memory leak Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 03/64] openvswitch: fix lockup on tx to unregistering netdev with carrier Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 04/64] pktgen: Avoid out-of-bounds access in get_imix_entries Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 05/64] net: add exit_batch_rtnl() method Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 06/64] gtp: use " Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 07/64] gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 08/64] gtp: Destroy device along with udp sockets netns dismantle Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 09/64] nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 10/64] net: xilinx: axienet: Fix IRQ coalescing packet count overflow Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 11/64] net/mlx5: Fix RDMA TX steering prio Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 12/64] net/mlx5: Clear port select structure when fail to create Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 13/64] drm/v3d: Ensure job pointer is set to NULL after job completion Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 14/64] hwmon: (tmp513) Fix division of negative numbers Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 15/64] Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 16/64] i2c: mux: demux-pinctrl: check initial mux selection, too Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 17/64] i2c: rcar: fix NACK handling when being a target Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 18/64] nvmet: propagate npwg topology Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 19/64] mac802154: check local interfaces before deleting sdata list Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 20/64] hfs: Sanity check the root record Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 21/64] fs: fix missing declaration of init_files Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 22/64] kheaders: Ignore silly-rename files Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 23/64] cachefiles: Parse the "secctx" immediately Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 24/64] scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 25/64] selftests: tc-testing: reduce rshift value Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 26/64] ACPI: resource: acpi_dev_irq_override(): Check DMI match last Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 27/64] iomap: avoid avoid truncating 64-bit offset to 32 bits Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 28/64] poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 29/64] x86/asm: Make serialize() always_inline Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 30/64] ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 31/64] zram: fix potential UAF of zram table Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 32/64] mptcp: be sure to send ack when mptcp-level window re-opens Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 33/64] selftests: mptcp: avoid spurious errors on disconnect Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 34/64] net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 35/64] vsock/virtio: discard packets if the transport changes Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 36/64] vsock/virtio: cancel close work in the destructor Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 37/64] vsock: reset socket state when de-assigning the transport Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 38/64] vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 39/64] filemap: avoid truncating 64-bit offset to 32 bits Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 40/64] fs/proc: fix softlockup in __read_vmcore (part 2) Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 41/64] gpiolib: cdev: Fix use after free in lineinfo_changed_notify Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 42/64] pmdomain: imx8mp-blk-ctrl: add missing loop break condition Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 43/64] irqchip: Plug a OF node reference leak in platform_irqchip_probe() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 44/64] irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 45/64] irqchip/gic-v3-its: Dont enable interrupts in its_irq_set_vcpu_affinity() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 46/64] hrtimers: Handle CPU state correctly on hotplug Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 47/64] drm/i915/fb: Relax clear color alignment to 64 bytes Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 48/64] Revert "PCI: Use preserve_config in place of pci_flags" Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 49/64] iio: imu: inv_icm42600: fix spi burst write not supported Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 50/64] iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 51/64] iio: adc: rockchip_saradc: fix information leak in triggered buffer Greg Kroah-Hartman
2025-01-21 17:52 ` Greg Kroah-Hartman [this message]
2025-01-21 17:52 ` [PATCH 6.1 53/64] drm/amdgpu: fix usage slab after free Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 54/64] block: fix uaf for flush rq while iterating tags Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 55/64] Revert "drm/amdgpu: rework resume handling for display (v2)" Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 56/64] RDMA/rxe: Fix the qp flush warnings in req Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 57/64] scsi: sg: Fix slab-use-after-free read in sg_release() Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 58/64] Revert "regmap: detach regmap from dev on regmap_exit" Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 59/64] wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman
2025-01-21 17:52 ` [PATCH 6.1 60/64] erofs: tidy up EROFS on-disk naming Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 6.1 61/64] erofs: handle NONHEAD !delta[1] lclusters gracefully Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 6.1 62/64] nfsd: add list_head nf_gc to struct nfsd_file Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 6.1 63/64] x86/xen: fix SLS mitigation in xen_hypercall_iret() Greg Kroah-Hartman
2025-01-21 17:53 ` [PATCH 6.1 64/64] net: fix data-races around sk->sk_forward_alloc Greg Kroah-Hartman
2025-01-21 18:44 ` [PATCH 6.1 00/64] 6.1.127-rc1 review Florian Fainelli
2025-01-21 19:32 ` Peter Schneider
2025-01-21 21:57 ` Salvatore Bonaccorso
2025-01-22 7:35 ` Greg Kroah-Hartman
2025-01-22 7:38 ` Greg Kroah-Hartman
2025-01-22 5:32 ` Ron Economos
2025-01-21 23:35 ` Shuah Khan
2025-01-21 23:46 ` SeongJae Park
2025-01-22 20:17 ` [PATCH 6.1] " Hardik Garg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250121174523.533878477@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Rodrigo.Siqueira@amd.com \
--cc=alex.hung@amd.com \
--cc=alexander.deucher@amd.com \
--cc=aurabindo.pillai@amd.com \
--cc=chiahsuan.chung@amd.com \
--cc=hamza.mahfooz@amd.com \
--cc=harry.wentland@amd.com \
--cc=lanbincn@qq.com \
--cc=patches@lists.linux.dev \
--cc=roman.li@amd.com \
--cc=srinivasan.shanmugam@amd.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox