From: Li hongliang <1468888505@139.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org, srinivasan.shanmugam@amd.com
Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch, sashal@kernel.org, guchun.chen@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: [PATCH 6.1.y] drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'
Date: Mon, 23 Mar 2026 15:10:52 +0800
Message-Id: <20260323071052.4068410-1-1468888505@139.com>

From: Srinivasan Shanmugam

[ Upstream commit cdb637d339572398821204a1142d8d615668f1e9 ]

The issue arises when the array 'adev->vcn.vcn_config' is accessed
before checking if the index 'adev->vcn.num_vcn_inst' is within the
bounds of the array.

The fix involves moving the bounds check before the array access. This
ensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array
before it is used as an index.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init()
error: testing array offset 'adev->vcn.num_vcn_inst' after use.

Fixes: a0ccc717c4ab ("drm/amdgpu/discovery: validate VCN and SDMA instances")
Cc: Christian König
Cc: Alex Deucher
Signed-off-by: Srinivasan Shanmugam
Reviewed-by: Alex Deucher
Signed-off-by: Alex Deucher
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/dr= m/amd/amdgpu/amdgpu_discovery.c index 9b1c4d5be61f..a1e006d238cf 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c @@ -1128,15 +1128,15 @@ static int amdgpu_discovery_reg_base_init(struct am= dgpu_device *adev) * 0b10 : encode is disabled * 0b01 : decode is disabled */ - adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =3D - ip->revision & 0xc0; - ip->revision &=3D ~0xc0; - if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) + if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) { + adev->vcn.vcn_config[adev->vcn.num_vcn_inst] =3D + ip->revision & 0xc0; adev->vcn.num_vcn_inst++; - else + } else dev_err(adev->dev, "Too many VCN instances: %d vs %d\n", adev->vcn.num_vcn_inst + 1, AMDGPU_MAX_VCN_INSTANCES); + ip->revision &=3D ~0xc0; } if (le16_to_cpu(ip->hw_id) =3D=3D SDMA0_HWID || le16_to_cpu(ip->hw_id) =3D=3D SDMA1_HWID || --=20 2.34.1
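
Review bot: In the rewritten if/else of the VCN branch in amdgpu_discovery_reg_base_init(), the if arm now carries braces but the else arm ("} else" followed by the multi-line dev_err() call) does not. Kernel coding style asks for braces on both arms when either one needs them, so "} else {" with a closing brace after the dev_err() call would be the cleaner form. The ordering itself looks right: the store to adev->vcn.vcn_config[adev->vcn.num_vcn_inst] is now reached only when num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES, and "ip->revision &= ~0xc0;" sits after the if/else, so the revision bits are still cleared on the error path as they were before the change. The "[ Minor conflict resolved. ]" backport note would be more useful to stable reviewers if it said which lines differ from the upstream commit.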