From nobody Mon Jun 8 12:14:20 2026 Received: from exchange.fintech.ru (exchange.fintech.ru [195.54.195.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 747A93CE49E for ; Fri, 29 May 2026 12:14:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.54.195.159 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780056886; cv=none; b=HKgM0k0yg0mfAdblIpkmUn1KgaQ9N/rakxZN8JUyLbbNVkwxBGh6qPn1l7J9+ztNd/fOKGqpCybG56Smn5ELvyo/S/4VGbaK7kjo9JVzyBaz0dRUQ3+lMwHRRWoxzpRtxVops0wYCF3FSv0xbMQAmqoT/D31wgE1bmCsitarOCk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780056886; c=relaxed/simple; bh=hHsg5jy1mFXecFBx+LQlw04Z0OBSKOSlzdeyh1tCLAw=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=nIw8xqwxGzknVOJst7jd4UsvslZqu8KNmwpVOxovtCypnhAeXGrlCEDql6TNAJCYqWpgSpDVQCjl1/KEOcm+7r8Zm4yUiVQa0rlw9zJ8eyhqYjK8jCPeG4Vp5C7tHZEnARszDW45gmONadwawS+Nky4ZdxQhylGPbopreG891Hs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru; spf=pass smtp.mailfrom=fintech.ru; arc=none smtp.client-ip=195.54.195.159 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fintech.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fintech.ru Received: from Ex16-01.fintech.ru (10.0.10.18) by exchange.fintech.ru (195.54.195.159) with Microsoft SMTP Server (TLS) id 14.3.498.0; Fri, 29 May 2026 15:14:42 +0300 Received: from localhost (10.0.253.153) by Ex16-01.fintech.ru (10.0.10.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Fri, 29 May 2026 15:14:41 +0300 From: Nikita Zhandarovich To: Alex Deucher CC: Nikita Zhandarovich , =?UTF-8?q?Christian=20K=C3=B6nig?= , David Airlie , Simona Vetter , , , , Subject: [PATCH] drm/radeon: Fix OOB read in MC register table init Date: Fri, 29 May 2026 15:14:34 +0300 Message-ID: <20260529121436.1633842-1-n.zhandarovich@fintech.ru> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: Ex16-02.fintech.ru (10.0.10.19) To Ex16-01.fintech.ru (10.0.10.18) Content-Type: text/plain; charset="utf-8" radeon_atom_init_mc_reg_table() copies the previous mc_data[] entry when pre_reg_data requests DATA_EQU_PREV. However, the loop starts at i =3D=3D 0, so a malformed or unexpected table can make the first entry use DATA_EQU_PREV and trigger an out-of-bounds read from mc_data[i - 1]. Emulate a fix for a similar issue in amdgpu_atombios_init_mc_reg_table, see commit 51dfc0a4d609 ("drm/amdgpu: fix mc_data out-of-bounds read warning"), by skipping DATA_EQU_PREV for the first entry. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: ae5b0abbb6f7 ("drm/radeon/kms: add atom helper functions for dpm (v3= )") Cc: stable@vger.kernel.org Signed-off-by: Nikita Zhandarovich --- P.S. checkpatch warns that too many tabs were used but I can't do much about surrounding code being already too deeply nested. drivers/gpu/drm/radeon/radeon_atombios.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/rad= eon/radeon_atombios.c index 3dd9724b331d..c6d229a4322f 100644 --- a/drivers/gpu/drm/radeon/radeon_atombios.c +++ b/drivers/gpu/drm/radeon/radeon_atombios.c @@ -4032,6 +4032,8 @@ int radeon_atom_init_mc_reg_table(struct radeon_devic= e *rdev, (u32)le32_to_cpu(*((u32 *)reg_data + j)); j++; } else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE= _MASK) =3D=3D DATA_EQU_PREV) { + if (i =3D=3D 0) + continue; reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =3D reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1]; }