diff options
| author | Nicholas Kazlauskas <nicholas.kazlauskas@amd.com> | 2023-09-13 16:18:44 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-11-28 17:15:18 +0000 |
| commit | 5b37ee61b89d17978a4a2a19287136b1c94342a2 (patch) | |
| tree | 89af2e24d2c9a8f3b34ca29104f2c351e01e1b71 | |
| parent | f3385c9b8ed4e4f37b9c382874e765b4c072ff93 (diff) | |
| download | linux-stable-5b37ee61b89d17978a4a2a19287136b1c94342a2.tar.gz linux-stable-5b37ee61b89d17978a4a2a19287136b1c94342a2.tar.bz2 linux-stable-5b37ee61b89d17978a4a2a19287136b1c94342a2.zip | |
drm/amd/display: Guard against invalid RPTR/WPTR being set
commit 1ffa8602e39b89469dc703ebab7a7e44c33da0f7 upstream.
[WHY]
HW can return invalid values on register read, guard against these being
set and causing us to access memory out of range and page fault.
[HOW]
Guard at sync_inbox1 and guard at pushing commands.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Hansen Dsouza <hansen.dsouza@amd.com>
Acked-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c b/drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c index bdaf43892f47..d91f03466740 100644 --- a/drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c +++ b/drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c @@ -657,9 +657,16 @@ enum dmub_status dmub_srv_sync_inbox1(struct dmub_srv *dmub) return DMUB_STATUS_INVALID; if (dmub->hw_funcs.get_inbox1_rptr && dmub->hw_funcs.get_inbox1_wptr) { - dmub->inbox1_rb.rptr = dmub->hw_funcs.get_inbox1_rptr(dmub); - dmub->inbox1_rb.wrpt = dmub->hw_funcs.get_inbox1_wptr(dmub); - dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt; + uint32_t rptr = dmub->hw_funcs.get_inbox1_rptr(dmub); + uint32_t wptr = dmub->hw_funcs.get_inbox1_wptr(dmub); + + if (rptr > dmub->inbox1_rb.capacity || wptr > dmub->inbox1_rb.capacity) { + return DMUB_STATUS_HW_FAILURE; + } else { + dmub->inbox1_rb.rptr = rptr; + dmub->inbox1_rb.wrpt = wptr; + dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt; + } } return DMUB_STATUS_OK; @@ -693,6 +700,11 @@ enum dmub_status dmub_srv_cmd_queue(struct dmub_srv *dmub, if (!dmub->hw_init) return DMUB_STATUS_INVALID; + if (dmub->inbox1_rb.rptr > dmub->inbox1_rb.capacity || + dmub->inbox1_rb.wrpt > dmub->inbox1_rb.capacity) { + return DMUB_STATUS_HW_FAILURE; + } + if (dmub_rb_push_front(&dmub->inbox1_rb, cmd)) return DMUB_STATUS_OK; |