From nobody Sun Apr 5 17:08:11 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AAB9BC61DB3 for ; Thu, 12 Jan 2023 06:42:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231308AbjALGmS (ORCPT ); Thu, 12 Jan 2023 01:42:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39790 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229977AbjALGmP (ORCPT ); Thu, 12 Jan 2023 01:42:15 -0500 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2045.outbound.protection.outlook.com [40.107.243.45]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 60EC7321AD for ; Wed, 11 Jan 2023 22:42:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jnvIX+AVbxgZe6GYOtkk2sBo70aB6tORPE8XH0zlq9zc+qXV6FbP9sTLeJsXn8LNUnSDnD/kELA9Hq8hCll7JOcfwDAS2F8xDKJTw0B/+OAfjxdSwktQgB5v66IZnW6FBq8aBxL/WC1vKqqfdgS0kDuJiebLD/E0U+y/MV90FsLdDmxQu2Z/fMgZ6IXYv700f1gM3mDC8IwAux6i9EfQbxBclb+TsgsfI2S7+h/DDK+0ZrcNWjeXezJoZVPan51QuG3O478zSBLAmo4Uwm0Si7OchCM/259xUY0HYmOUixrM10/2YkUMCT9xQIhzgHGS6nVTkR06OcqKjzx46EDvMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1D8UaR9dayMi01Fe0pyUdZwhFBTd0o5JKl0usI5wL8c=; b=HNgzzpUMivFAiKr1sHOLSr9TA6Z1gHXpMJXNjvWx5aQMnnLfgkFnDIR4/gsU/+4y3DrXJlrkCoV1431LNaAIX7Hcfr/gPJ2GMToFzRDfCL5q1pRn2FsM9GVqSLXsOKuTqQkGW7GCDTnMeV3s3CwpIw1cvOMWUWeQRnvtL4UGQlIVHPDM/lJji2e/yqQ+n5YrSOnMY06x3memFD4j3zst/pPvy6n/2RJncqdO9c1GS3DD5BPitL1VkQxWZRxv4lLQtvGLgkzvAHmkp3t6+JlmgCmVwdWSrY/gdHoMw/6Jd70MT0a5LW57RodgRUxWJpNvOz/hpVbjO0A0J7D4V8SISw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1D8UaR9dayMi01Fe0pyUdZwhFBTd0o5JKl0usI5wL8c=; b=3THP1Glpb9qenQw+E8+L7FQDhFGXnNQzuf4dn0/wmkoK5rtElyW1vOmt60OW4t6SaufiFOBuR8CCIvWHRoIDKzx3oT4yxiyiLZYXIxAptE0t+a71RB+pGdY9n2Bjd1Y2YITzTPkU1C8vX1V7WhLJE1vM76rsPc/jYHlr/ybCXus= Received: from SN1PR12MB2445.namprd12.prod.outlook.com (2603:10b6:802:31::24) by SA1PR12MB5638.namprd12.prod.outlook.com (2603:10b6:806:229::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Thu, 12 Jan 2023 06:42:09 +0000 Received: from SN1PR12MB2445.namprd12.prod.outlook.com ([fe80::9f5d:df0:ee52:8ef1]) by SN1PR12MB2445.namprd12.prod.outlook.com ([fe80::9f5d:df0:ee52:8ef1%7]) with mapi id 15.20.5986.018; Thu, 12 Jan 2023 06:42:09 +0000 From: "Liu, HaoPing (Alan)" To: "Mahfooz, Hamza" , "amd-gfx@lists.freedesktop.org" CC: "Wentland, Harry" , "Li, Sun peng (Leo)" , "Siqueira, Rodrigo" , "Deucher, Alexander" , "Koenig, Christian" , "Pan, Xinhui" , David Airlie , Daniel Vetter , "Lin, Wayne" , "Pillai, Aurabindo" , "Li, Roman" , "Wu, Hersen" , "Zuo, Jerry" , "Dhillon, Jasdeep" , "Liu, Aaron" , "dri-devel@lists.freedesktop.org" , "linux-kernel@vger.kernel.org" Subject: RE: [PATCH] drm/amd/display: fix possible buffer overflow relating to secure display Thread-Topic: [PATCH] drm/amd/display: fix possible buffer overflow relating to secure display Thread-Index: AQHZJejrc9pBgmR53kuE7QBnTZtaw66aVdNw Date: Thu, 12 Jan 2023 06:42:09 +0000 Message-ID: References: <20230111181652.158060-1-hamza.mahfooz@amd.com> In-Reply-To: <20230111181652.158060-1-hamza.mahfooz@amd.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_Enabled=true; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_SetDate=2023-01-12T06:42:06Z; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_Method=Standard; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_Name=General; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_SiteId=3dd8961f-e488-4e60-8e11-a82d994e183d; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_ActionId=02755dbe-4a45-4d9b-9ba0-0840bcba0c63; MSIP_Label_4342314e-0df4-4b58-84bf-38bed6170a0f_ContentBits=1 msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_enabled: true msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_setdate: 2023-01-12T06:42:06Z msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_method: Standard msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_name: General msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_siteid: 3dd8961f-e488-4e60-8e11-a82d994e183d msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_actionid: 0ce0df51-fe90-4dc6-9203-7637d42ddf7c msip_label_4342314e-0df4-4b58-84bf-38bed6170a0f_contentbits: 0 authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: SN1PR12MB2445:EE_|SA1PR12MB5638:EE_ x-ms-office365-filtering-correlation-id: 3d37a2f9-c4a8-435d-758d-08daf4682108 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: sgdmXbS2pC34nr3lRc4q0LxqWkougcEU0owJAiu0hYw04f8TYUi/BlrjyJN/pYhyQQtnxQDqjWi3LMRXnGgPEc1cNIA2kF+ZGdKBUDtbT/XimUxRruqyWcfV15e9UPHqYCP1rxYCiLehyXh+crIlUJIHdzxN4zCCACHfOExzLczvNpZvszNInTcIN+gdPHZ44eHfiArvNsc3be3ScwbMlMKuwc31HBpBp+cR46wQxsf3R7JKy1gsKpWR/HJQ+W7SZ8eYvsZr0cpNPB1wI3Sokb1ZP6F29n8Uyom+HuN/vLdOstm66dZP85PsT71VFVOul6NTMvBKqB/9E8BBUzGcnBzdFPItvj3aBD1RY0WSk1JBot8VG50dPAIt6nEKuggas4h8KbMaKsJ0TU68lKAO2pj8I9CrZGLIsjpiUsXAy6vapGfVoY6KNNzXzeRNsiDSTGjhhOvsnc+kXgbcKrH9W2BUqBUpayOazl3xr+ZYhW/A7d+64dSdVzf+Ryy+N+pJB45iYwvlRPJEhL3QFsnKIwhnaoOXMsMFSD3ohchPwpJW0RAIMz6NZfme65LhpTXksNamA6ozwaqRLrfhwL/0EqhkjT4gcaI2rDX5ric0wYNYv6avOV6asqe0PrIFo1a2L+/408EygiOfvrrwV2M8A9WET8MP2Dr2z3FImOPFZSl68MqbDGD5MqcYzqP+CrptmqhKP+mFe0wDTFgSRXroaQ== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN1PR12MB2445.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(4636009)(136003)(346002)(376002)(39860400002)(366004)(396003)(451199015)(41300700001)(4326008)(110136005)(66446008)(83380400001)(8676002)(55016003)(76116006)(66946007)(66476007)(66556008)(64756008)(54906003)(316002)(86362001)(38070700005)(8936002)(5660300002)(38100700002)(122000001)(33656002)(52536014)(2906002)(6506007)(71200400001)(53546011)(478600001)(9686003)(186003)(26005)(7696005);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?YRXB0o7FYlU6QucrnmPp+jS44NQpV9YIHJwuiNZ77ftEfE8dD1LAipSjA9J9?= =?us-ascii?Q?/IN+XPcgG6QkLFdg4+oOEuLEJ+uhn7MOfMpUKZdUHIdKv0XSHv5o8HUx2lHB?= =?us-ascii?Q?QjU0aqCnpySidS0ZHGSaigIDBjhVwDiqueapesTNZoDNk3nfDC2dfTFWckrV?= =?us-ascii?Q?FFYPl/ED6s18kGsX8UQ2Km80FwjJ98kc2h5fxmCWHOAEqqXXuFfHel/BSo7X?= =?us-ascii?Q?h7HDbRRJ9rBhVCaNrOiAraHn+MVggkQa/etmkigICjSRgIOfpOFGNLV+YK5d?= =?us-ascii?Q?oWK1zCrw8+qQws9iN+xW3DzMUx90iFFv9k3Zlb/HTmDl7uTeZon2ounGCDEi?= =?us-ascii?Q?TprN66dREl7Ba6ZbMDjihpqG90ujYZUAV81CfQIsPVuu0YI4dR0fHFJL9Eac?= =?us-ascii?Q?1TiBXdFSJWfjC4H11MPx/UQALAl2uFeT/Aul4NLP1ZwHGAKBzfgpizFC/yd2?= =?us-ascii?Q?higmTnpJ1XurgW+FAbugxZtVMR4X0dt9yOjg7ionYqS9aXI7x2BgZllD6HdJ?= =?us-ascii?Q?PQNzlsvUEaFR3Bv3VJPdiQyqltp0JsHY5RBs+d09sJJ0DGA+bQaIZyqE0Tqf?= =?us-ascii?Q?3jHKXWdnual0TPeC4RCLkH4QhRkJ99hDFtv0bCnGheOls/cM2ydmu1c0nANE?= =?us-ascii?Q?dXnylIax4Lm77IvvPThQR4kt80hrYipD8XeCCeRuWcNjDRz3TQn4b/eX+d4R?= =?us-ascii?Q?QBRWagv9iYgXyKiCdAR3V/pXxA/YrJyr/YkIjUfq1b1U0ug2xsxo8XqqE2ny?= =?us-ascii?Q?9FfOKgwYJOoc2zbU8ecKas3crm3U15iAmpufl3SJRiQ60KIlWxuoS05yus0R?= =?us-ascii?Q?ApYJXhoKvPWGwZlRzuV4sD5tKxEVX3omjJSr3QbVqpgKkOPlPdQ8oJK1MXjD?= =?us-ascii?Q?4IWS1Zf05N9XAyEBtJZVF0GK5y830O4HQm/xsxVpFc1PBu8lucN4nDEuPc28?= =?us-ascii?Q?4ZKdCnrOzTSSmnRq8jamlSP0AftlZJPzObVk5JiUhS8HlXqWi9BrIzderBdy?= =?us-ascii?Q?IbCAV6kkZlcn/IP7TzFcyTnb3hgVRYFX3YrJVw98mtPP8XEpe1ohNHKRthwG?= =?us-ascii?Q?I+plYEAGODdbrLyIQlVi16rRRkXEz/KvDDmu1lABAeMSKw875PmGYIsf/9Pm?= =?us-ascii?Q?l1Qm04QqE7TIOSezZmiQ/g6PR+n04aQYcCTkgRw5NbggsGzEBNwWpBXEdDIv?= =?us-ascii?Q?G9/YPDI0o/IW5hQYGXsg89g8K0tHeXSz2fONfnJWqZoMXVpp5JajEu0q6QgB?= =?us-ascii?Q?ss/Afpl8qBY4QqZtdFQqAsMfYmOb5iEt/fzh75qrtMppZWA0cbevPQ9i0SY6?= =?us-ascii?Q?iFFDNHlc0HyWt206r4V9ONAljGK1n/xaIrE15stM5b4SAjZgYWnWYn9xg4G4?= =?us-ascii?Q?fjRgR5o4BO5qGi9fkLElu4nV0n4lEvAU4dKuy0cvoluyZ2lMT4aUpXszgbGZ?= =?us-ascii?Q?rTqjUAaRQingMzXPPjpvRszu3FQwrn0WYPL/Lb1OkBYUQsQCC3j8NdqoGMDa?= =?us-ascii?Q?GrY5eAaDP9K9+L/cupRcZNdyZ6gi+w9EYBy59XAg9aUujO2VLY9VX6KZCt87?= =?us-ascii?Q?2XxZX39h3Y1x/HrYrAnpNJBogDHI481x24SkILQd?= Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: SN1PR12MB2445.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3d37a2f9-c4a8-435d-758d-08daf4682108 X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jan 2023 06:42:09.4168 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: Lxt0UzXxLz4STeIfO0leWNcjCC7HOvah4AFNUg1Ce9fEaqQbV7DKazqWOTHYVDQyOsCLZN3MSxh5Wo0W48cyaQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR12MB5638 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" [AMD Official Use Only - General] Reviewed-by: Alan Liu Thanks, Alan -----Original Message----- From: Mahfooz, Hamza =20 Sent: Thursday, January 12, 2023 2:17 AM To: amd-gfx@lists.freedesktop.org Cc: Mahfooz, Hamza ; Wentland, Harry ; Li, Sun peng (Leo) ; Siqueira, Rodrigo ; Deucher, Alexander ; Koen= ig, Christian ; Pan, Xinhui ;= David Airlie ; Daniel Vetter ; Lin, Wa= yne ; Pillai, Aurabindo ; Li, = Roman ; Wu, Hersen ; Zuo, Jerry ; Liu, HaoPing (Alan) ; Dhillon, Jasdee= p ; Liu, Aaron ; dri-devel@list= s.freedesktop.org; linux-kernel@vger.kernel.org Subject: [PATCH] drm/amd/display: fix possible buffer overflow relating to = secure display It is possible that adev->dm.dc->caps.max_links is greater than AMDGPU_MAX_= CRTCS. So, to not potentially access unallocated memory use adev->mode_info.num_crtc to do the bounds check instead of=20 adev->dm.dc->caps.max_links. Fixes: 278b2b5ba2f2 ("drm/amd/display: Implement multiple secure display") Fixes: 65a2fbe75cd5 ("drm/amd/display: Fix when disabling secure_display") Signed-off-by: Hamza Mahfooz --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gp= u/drm/amd/display/amdgpu_dm/amdgpu_dm.c index b4d60eedbcbf..86a268cc4b21 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1742,7 +1742,7 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev) =20 #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY) if (adev->dm.secure_display_ctxs) { - for (i =3D 0; i < adev->dm.dc->caps.max_links; i++) { + for (i =3D 0; i < adev->mode_info.num_crtc; i++) { if (adev->dm.secure_display_ctxs[i].crtc) { flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work); flush_work(&adev->dm.secure_display_ctxs[i].forward_roi_work); diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/driver= s/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c index 8841c447d0e2..8873ecada27c 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c @@ -223,7 +223,7 @@ int amdgpu_dm_crtc_configure_crc_source(struct drm_crtc= *crtc, #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY) /* Disable secure_display if it was enabled */ if (!enable) { - for (i =3D 0; i < adev->dm.dc->caps.max_links; i++) { + for (i =3D 0; i < adev->mode_info.num_crtc; i++) { if (adev->dm.secure_display_ctxs[i].crtc =3D=3D crtc) { /* stop ROI update on this crtc */ flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work); @@ -544,12 +544,14 @@ amdgpu_dm_crtc_secure_display_create_contexts(struct = amdgpu_device *adev) struct secure_display_context *secure_display_ctxs =3D NULL; int i; =20 - secure_display_ctxs =3D kcalloc(AMDGPU_MAX_CRTCS, sizeof(struct secure_di= splay_context), GFP_KERNEL); + secure_display_ctxs =3D kcalloc(adev->mode_info.num_crtc, + sizeof(struct secure_display_context), + GFP_KERNEL); =20 if (!secure_display_ctxs) return NULL; =20 - for (i =3D 0; i < adev->dm.dc->caps.max_links; i++) { + for (i =3D 0; i < adev->mode_info.num_crtc; i++) { INIT_WORK(&secure_display_ctxs[i].forward_roi_work, amdgpu_dm_forward_cr= c_window); INIT_WORK(&secure_display_ctxs[i].notify_ta_work, amdgpu_dm_crtc_notify_= ta_to_read); secure_display_ctxs[i].crtc =3D &adev->mode_info.crtcs[i]->base; -- 2.38.1