[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <SN1PR12MB2445380EECE2FAEEF81C5758F5FD9@SN1PR12MB2445.namprd12.prod.outlook.com>
Date: Thu, 12 Jan 2023 06:42:09 +0000
From: "Liu, HaoPing (Alan)" <HaoPing.Liu@....com>
To: "Mahfooz, Hamza" <Hamza.Mahfooz@....com>,
"amd-gfx@...ts.freedesktop.org" <amd-gfx@...ts.freedesktop.org>
CC: "Wentland, Harry" <Harry.Wentland@....com>,
"Li, Sun peng (Leo)" <Sunpeng.Li@....com>,
"Siqueira, Rodrigo" <Rodrigo.Siqueira@....com>,
"Deucher, Alexander" <Alexander.Deucher@....com>,
"Koenig, Christian" <Christian.Koenig@....com>,
"Pan, Xinhui" <Xinhui.Pan@....com>,
David Airlie <airlied@...il.com>,
Daniel Vetter <daniel@...ll.ch>,
"Lin, Wayne" <Wayne.Lin@....com>,
"Pillai, Aurabindo" <Aurabindo.Pillai@....com>,
"Li, Roman" <Roman.Li@....com>, "Wu, Hersen" <hersenxs.wu@....com>,
"Zuo, Jerry" <Jerry.Zuo@....com>,
"Dhillon, Jasdeep" <Jasdeep.Dhillon@....com>,
"Liu, Aaron" <Aaron.Liu@....com>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] drm/amd/display: fix possible buffer overflow relating to
secure display
[AMD Official Use Only - General]
Reviewed-by: Alan Liu <HaoPing.Liu@....com>
Thanks,
Alan
-----Original Message-----
From: Mahfooz, Hamza <Hamza.Mahfooz@....com>
Sent: Thursday, January 12, 2023 2:17 AM
To: amd-gfx@...ts.freedesktop.org
Cc: Mahfooz, Hamza <Hamza.Mahfooz@....com>; Wentland, Harry <Harry.Wentland@....com>; Li, Sun peng (Leo) <Sunpeng.Li@....com>; Siqueira, Rodrigo <Rodrigo.Siqueira@....com>; Deucher, Alexander <Alexander.Deucher@....com>; Koenig, Christian <Christian.Koenig@....com>; Pan, Xinhui <Xinhui.Pan@....com>; David Airlie <airlied@...il.com>; Daniel Vetter <daniel@...ll.ch>; Lin, Wayne <Wayne.Lin@....com>; Pillai, Aurabindo <Aurabindo.Pillai@....com>; Li, Roman <Roman.Li@....com>; Wu, Hersen <hersenxs.wu@....com>; Zuo, Jerry <Jerry.Zuo@....com>; Liu, HaoPing (Alan) <HaoPing.Liu@....com>; Dhillon, Jasdeep <Jasdeep.Dhillon@....com>; Liu, Aaron <Aaron.Liu@....com>; dri-devel@...ts.freedesktop.org; linux-kernel@...r.kernel.org
Subject: [PATCH] drm/amd/display: fix possible buffer overflow relating to secure display
It is possible that adev->dm.dc->caps.max_links is greater than AMDGPU_MAX_CRTCS. So, to not potentially access unallocated memory use
adev->mode_info.num_crtc to do the bounds check instead of
adev->dm.dc->caps.max_links.
Fixes: 278b2b5ba2f2 ("drm/amd/display: Implement multiple secure display")
Fixes: 65a2fbe75cd5 ("drm/amd/display: Fix when disabling secure_display")
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@....com>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index b4d60eedbcbf..86a268cc4b21 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1742,7 +1742,7 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
#if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
if (adev->dm.secure_display_ctxs) {
- for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+ for (i = 0; i < adev->mode_info.num_crtc; i++) {
if (adev->dm.secure_display_ctxs[i].crtc) {
flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
flush_work(&adev->dm.secure_display_ctxs[i].forward_roi_work);
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
index 8841c447d0e2..8873ecada27c 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
@@ -223,7 +223,7 @@ int amdgpu_dm_crtc_configure_crc_source(struct drm_crtc *crtc, #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
/* Disable secure_display if it was enabled */
if (!enable) {
- for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+ for (i = 0; i < adev->mode_info.num_crtc; i++) {
if (adev->dm.secure_display_ctxs[i].crtc == crtc) {
/* stop ROI update on this crtc */
flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
@@ -544,12 +544,14 @@ amdgpu_dm_crtc_secure_display_create_contexts(struct amdgpu_device *adev)
struct secure_display_context *secure_display_ctxs = NULL;
int i;
- secure_display_ctxs = kcalloc(AMDGPU_MAX_CRTCS, sizeof(struct secure_display_context), GFP_KERNEL);
+ secure_display_ctxs = kcalloc(adev->mode_info.num_crtc,
+ sizeof(struct secure_display_context),
+ GFP_KERNEL);
if (!secure_display_ctxs)
return NULL;
- for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+ for (i = 0; i < adev->mode_info.num_crtc; i++) {
INIT_WORK(&secure_display_ctxs[i].forward_roi_work, amdgpu_dm_forward_crc_window);
INIT_WORK(&secure_display_ctxs[i].notify_ta_work, amdgpu_dm_crtc_notify_ta_to_read);
secure_display_ctxs[i].crtc = &adev->mode_info.crtcs[i]->base;
--
2.38.1
Powered by blists - more mailing lists