From nobody Fri Dec 19 18:59:43 2025
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A53C128836;
	Sun, 24 Mar 2024 22:53:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711320835; cv=none;
 b=mFfwn5+Ugrgzpl3rxBkt/TavuCU4Ua4GT26stikJpLzSYTRmklLxYG0rFFXsfA/9kTlXEMgQ31W2kjPsNXFpI1wRsC8L1Q38XsG2GMCGpSSSXH4GXkSTj4z5nxu+0YLz0uLI+kMnHukYMlXKXj4wDVS6wLIK14e1XICSlJvZ0MA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711320835; c=relaxed/simple;
	bh=r94iDyI3IDylZBFHddqhoES6VAbPF+0tOiw1jowT+zQ=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=DUT9dEJ87PriqkOyHxxVuIVR7T2RUYrXe6gt8w7aau9PZR0iB8Ho20513SM3Uju08GaMlEOn89obrGMLdY8DQ2mJfcZAmCrjqOjU+nslY9VtIPOdX76inWdXqcRFKx24MxlVl8bL6LocaYu9eeD8LtnLBvgUPEVsoMzLJbtuHYQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=tjPWlIAC; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="tjPWlIAC"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 502E7C43390;
	Sun, 24 Mar 2024 22:53:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1711320834;
	bh=r94iDyI3IDylZBFHddqhoES6VAbPF+0tOiw1jowT+zQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=tjPWlIACfpPbJ0TeUIxNVaedXSk7j89HAip1cNbJ1PsvOw/sWWOAPGr2VSDV3xydY
	 uaSo5zYe+oKLfVIQM9T6HrCBo6Mh3mjiof7/dSnKMFBNfW+/wZDeSj9gqv1uRJ3l/N
	 CwXAudkGcdH0NXkGG+7DcykCEodWctW15GVwDBYc273H2/ftTt01vW+26rcKH49Gyx
	 XnLEn/zbSDauFsbpMPW5n2XxaO1fqMHcu9WohgJlxkAmLPxYiBMLlTq8Cja8WEEzlq
	 po6RKGUgGc9YsWOLyOVWkazsMSbD7Zz+p35JcrDRFca9SG9/ny5GcnkqhXxEWyFX8P
	 GXOsoVVc8dRrQ==
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Cc: Harry Wentland <harry.wentland@amd.com>,
	Arthur Grillo <arthurgrillo@riseup.net>,
	Melissa Wen <mwen@igalia.com>,
	Melissa Wen <melissa.srw@gmail.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.7 399/713] drm/vkms: Avoid reading beyond LUT array
Date: Sun, 24 Mar 2024 18:42:05 -0400
Message-ID: <20240324224720.1345309-400-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240324224720.1345309-1-sashal@kernel.org>
References: <20240324224720.1345309-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Harry Wentland <harry.wentland@amd.com>

[ Upstream commit 2fee84030d12d9fddfa874e4562d71761a129277 ]

When the floor LUT index (drm_fixp2int(lut_index) is the last
index of the array the ceil LUT index will point to an entry
beyond the array. Make sure we guard against it and use the
value of the floor LUT index.

v3:
 - Drop bits from commit description that didn't contribute
   anything of value

Fixes: db1f254f2cfa ("drm/vkms: Add support to 1D gamma LUT")
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Cc: Arthur Grillo <arthurgrillo@riseup.net>
Reviewed-by: Arthur Grillo <arthurgrillo@riseup.net>
Reviewed-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231108163647.106853-6=
-harry.wentland@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vkms/vkms_composer.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vk=
ms_composer.c
index 3c99fb8b54e2d..e7441b227b3ce 100644
--- a/drivers/gpu/drm/vkms/vkms_composer.c
+++ b/drivers/gpu/drm/vkms/vkms_composer.c
@@ -123,6 +123,8 @@ static u16 apply_lut_to_channel_value(const struct vkms=
_color_lut *lut, u16 chan
 				      enum lut_channel channel)
 {
 	s64 lut_index =3D get_lut_index(lut, channel_value);
+	u16 *floor_lut_value, *ceil_lut_value;
+	u16 floor_channel_value, ceil_channel_value;
=20
 	/*
 	 * This checks if `struct drm_color_lut` has any gap added by the compiler
@@ -130,11 +132,15 @@ static u16 apply_lut_to_channel_value(const struct vk=
ms_color_lut *lut, u16 chan
 	 */
 	static_assert(sizeof(struct drm_color_lut) =3D=3D sizeof(__u16) * 4);
=20
-	u16 *floor_lut_value =3D (__u16 *)&lut->base[drm_fixp2int(lut_index)];
-	u16 *ceil_lut_value =3D (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
+	floor_lut_value =3D (__u16 *)&lut->base[drm_fixp2int(lut_index)];
+	if (drm_fixp2int(lut_index) =3D=3D (lut->lut_length - 1))
+		/* We're at the end of the LUT array, use same value for ceil and floor =
*/
+		ceil_lut_value =3D floor_lut_value;
+	else
+		ceil_lut_value =3D (__u16 *)&lut->base[drm_fixp2int_ceil(lut_index)];
=20
-	u16 floor_channel_value =3D floor_lut_value[channel];
-	u16 ceil_channel_value =3D ceil_lut_value[channel];
+	floor_channel_value =3D floor_lut_value[channel];
+	ceil_channel_value =3D ceil_lut_value[channel];
=20
 	return lerp_u16(floor_channel_value, ceil_channel_value,
 			lut_index & DRM_FIXED_DECIMAL_MASK);
--=20
2.43.0