From patchwork Wed Jan 11 18:16:50 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hamza Mahfooz <hamza.mahfooz@amd.com>
X-Patchwork-Id: 42132
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp3471008wrt;
        Wed, 11 Jan 2023 10:21:20 -0800 (PST)
X-Google-Smtp-Source: 
 AMrXdXv8U/ut229IqWfoQ9QyYQ8/diQuRF4Vyq4PnCOfwcVqJsRNuiYoux0nDfiIkMVgwDCxl9t8
X-Received: by 2002:a05:6a00:2999:b0:58a:9bef:5cd3 with SMTP id
 cj25-20020a056a00299900b0058a9bef5cd3mr7891505pfb.17.1673461279883;
        Wed, 11 Jan 2023 10:21:19 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1673461279; cv=pass;
        d=google.com; s=arc-20160816;
        b=NbzE1vmMT7DOi9NTsU6FKfTl6r8Bbx7stXPFYNhmi+WOJ9bEkZgTqDKqqArIKeWphv
         13KRUIC4VU7ITFLbmkhtMeiUgmytDuRqG0AmoqWH0VvplGAkkKmgv5d0C/9zYf7p5PJ+
         ufOH3pbvkbSUK3X4O/0cUg/dlUIN5hKGNuIT9C2msy+4xF4G4O3+O3sleJx6y2YC1AtX
         oIloDYhHgo/03zN9oUTbI406bmgljI5GULVXKajZ8TRPUWz7BHt9Djx4IKARTTHs1uoz
         3nYZKzhB+CRhja3blpTMsmkuumjtYBVSxWxugIwzjbRQu+DovjCpI3Kol8JZpOj8zf7g
         Qs8A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=jz1SD9FAVBusK61stxg6P0Q2X0HsS0WZuUbXpxWa4ds=;
        b=EWjS2kCJO+HH8OmFpO/3YjDiwG6aUjOpyGTAyStb2ekGDwZwx1eNFJJA/CttlUU1/P
         hX5oRBYQwZSIcE+bis6g2TzZARCCTeo3JBAc657PYLcHdMCFb6O+HCDtX1r16krVgkjM
         fv5q5I15frds65XMYFQ9KVkZKvIsC81HqDUdx8kII5cMe2nhVn5OsuWyw1Y5XTI9z4Op
         A/8HwrywZ5J2LFTx6J2MMlwy5Nv39qi35+CvwYhgW0tRU8kJVSFye6JnCWS+7J1KOpTD
         3woDD7rYaSrBr9kxX9t1WtR6feP7bes0tggiaXMOYk9mzN6aasiMd8if1BQ276dQHeka
         Miiw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@amd.com header.s=selector1 header.b="eph+/68f";
       arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass
 fromdomain=amd.com);
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 b2-20020a056a000a8200b005788695bef5si15914151pfl.154.2023.01.11.10.21.06;
        Wed, 11 Jan 2023 10:21:19 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amd.com header.s=selector1 header.b="eph+/68f";
       arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass
 fromdomain=amd.com);
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234545AbjAKSRQ (ORCPT <rfc822;syz17693488234@gmail.com>
        + 99 others); Wed, 11 Jan 2023 13:17:16 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58620 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235046AbjAKSRM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Jan 2023 13:17:12 -0500
Received: from NAM10-DM6-obe.outbound.protection.outlook.com
 (mail-dm6nam10on2057.outbound.protection.outlook.com [40.107.93.57])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E3A0193C2
        for <linux-kernel@vger.kernel.org>;
 Wed, 11 Jan 2023 10:17:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=n/ysFQ1fld7rsQtANygzZi0E8HGLV82eE1cQ2a8whEQdGGFqv9bo6LH4IdZ6/jdtAlo08cVqnZoErPdUxCeVh1KW76CpYA7zgptYFbsIlf6OIfeUZn6/M/QjtXQw/ybGRrPlIn9vaPtLJkmoD1iKvvF/bpkEj00vvooWDPy1I26n5A0n2icGUm6QQoxXoMiC89yZISyAFGIvMjFA6azqEhvrMOPSxVs/sp5XaX8wh2JZQgEcL2zNoA4IHPhFORv8AASMgRwMdQFqNGz0kEuML1J/F+xr5OMjBkc8Sn1P12lkoHWmHPdxVYvdXa32uiyO8IUqrfBZxJg4ufPRG7kQWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=jz1SD9FAVBusK61stxg6P0Q2X0HsS0WZuUbXpxWa4ds=;
 b=VN+jQjIGscXVw/tik85Q9PkWE0fXgmvr9+Mn4miFh3ZR07VSqiZOOfZ2M8PVflTIbvXbQ2uOt2bBPebKdpzCJ/5L/zvcWXXa3QwMsk3JqVVbxFD15kdwbPQqR9TBfdAavANqddTVTaqYhRlckwWSmCRdP+++PtnJEiCRuN+yX3yKz7Zgb6URFM6nGGbiKRC7yUkqTpXlFqKdAHDI7zsMIxRvefBfYGftBUmEq+87oeY4SgryADl+sfh21XtoM5wsr0paLlu//40GeBp424A7gEG0fEmsH15/JadkRHYUcTUIfmqyR3+zTGRQLuqPxnSjPzjFO5hkCTGvmDzVmAkIXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 165.204.84.17) smtp.rcpttodomain=lists.freedesktop.org smtp.mailfrom=amd.com;
 dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
 header.from=amd.com; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=jz1SD9FAVBusK61stxg6P0Q2X0HsS0WZuUbXpxWa4ds=;
 b=eph+/68fp0hpSOqD6WUBSYPz6yDnU1wdfn70pqX9O0OdAdCM8D8HEs/i02ZlIHyje5ahc1kdo8lkEzGhHG71aH2zx/tvr39N8VkRzVhJO/xkLcEfX6lM9+P0/nqqsNsewyEyzBQdlhSejwG69pYdV0lgKt6fx7JenzJ2GA2mrEw=
Received: from DM6PR02CA0130.namprd02.prod.outlook.com (2603:10b6:5:1b4::32)
 by DM4PR12MB5913.namprd12.prod.outlook.com (2603:10b6:8:66::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Wed, 11 Jan
 2023 18:17:09 +0000
Received: from DS1PEPF0000E638.namprd02.prod.outlook.com
 (2603:10b6:5:1b4:cafe::88) by DM6PR02CA0130.outlook.office365.com
 (2603:10b6:5:1b4::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.13 via Frontend
 Transport; Wed, 11 Jan 2023 18:17:09 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
 smtp.mailfrom=amd.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
Received: from SATLEXMB04.amd.com (165.204.84.17) by
 DS1PEPF0000E638.mail.protection.outlook.com (10.167.17.70) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.20.6002.11 via Frontend Transport; Wed, 11 Jan 2023 18:17:08 +0000
Received: from hamza-pc.localhost (10.180.168.240) by SATLEXMB04.amd.com
 (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Wed, 11 Jan
 2023 12:17:06 -0600
From: Hamza Mahfooz <hamza.mahfooz@amd.com>
To: <amd-gfx@lists.freedesktop.org>
CC: Hamza Mahfooz <hamza.mahfooz@amd.com>,
 Harry Wentland <harry.wentland@amd.com>, Leo Li <sunpeng.li@amd.com>,
 Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>,
 Alex Deucher <alexander.deucher@amd.com>,
 =?utf-8?q?Christian_K=C3=B6nig?= <christian.koenig@amd.com>, "Pan,
 Xinhui" <Xinhui.Pan@amd.com>, David Airlie <airlied@gmail.com>,
 Daniel Vetter <daniel@ffwll.ch>, Wayne Lin <Wayne.Lin@amd.com>,
 Aurabindo Pillai <aurabindo.pillai@amd.com>, Roman Li <roman.li@amd.com>,
 hersen wu <hersenxs.wu@amd.com>, Fangzhi Zuo <Jerry.Zuo@amd.com>,
 Alan Liu <HaoPing.Liu@amd.com>, Jasdeep Dhillon <jdhillon@amd.com>,
 Aaron Liu <aaron.liu@amd.com>, <dri-devel@lists.freedesktop.org>,
 <linux-kernel@vger.kernel.org>
Subject: [PATCH] drm/amd/display: fix possible buffer overflow relating to
 secure display
Date: Wed, 11 Jan 2023 13:16:50 -0500
Message-ID: <20230111181652.158060-1-hamza.mahfooz@amd.com>
X-Mailer: git-send-email 2.38.1
MIME-Version: 1.0
X-Originating-IP: [10.180.168.240]
X-ClientProxiedBy: SATLEXMB04.amd.com (10.181.40.145) To SATLEXMB04.amd.com
 (10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS1PEPF0000E638:EE_|DM4PR12MB5913:EE_
X-MS-Office365-Filtering-Correlation-Id: c3b09087-9a1a-41a3-f726-08daf4000d89
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 JSu6qe4MM440xMuoo6oIAvFOzt8UKrxQbmsfPzNWwySnIVNtwGdcVYcd6tj47ySrJdYCghLU0Lmk/Gaw+hhSm5OKf9JPvaFmB8c1nLQA24MrbFpx9GTM6rzwfdb/UeXbr29pjYVpH6hJnqRBT5kKqh6PzVYoSdkOnWrm1GqUwVNAfWPn7ZJKW6rcUWEB+UGkSm3QFzVIMh4hb1FRsc/7hcNnHLH41B6gaX8PZBXFVWEd9cEgB88m/y8V0+wbEGoQOZC7bjuzH7AlCEkaUdUOYcfKfdM2YyfV/Ps1OAXWLaS1iQO7j0Fg5by+G0PruVFfQcJAPwrcKj1iSl34tNTqGpI4bnYqxJUd69l4oyAF5LyTB+oRUSboie2vaDHCam2sQwzjTJUsbvqsSN8lgG+pPKfFwKWEkT53pU0XNhalAEczygxJHCfcw/VJqS/Khru2Su5luLQVbjldP4ASJsRPXkYElumuOfdDUPf0sGf22B6i0Itl37dCRahlyEXY3l8U3iwq2tXqch8DZnUXJjkXfcvs5OvfUnHZL5w2PKwwJXuhndgdAK0vgWc/zgJHuylm1WCI34GswviV6MVdNWgE0xqJgQNKp7xiIPErcTb5XZ9OnS+VaqeqfUrthm9NNNNRztWneL3EJjOqlaLfBAKCIpbOEUyOWZgdKIg6yT83WoMkObTMbaETLb4YFs+oHUR3Zz616BSP3uEWohIP8G+J2+CotW1iQ+yxT8+EMcmigIZMgGItY+orPRYDjzob0NuOks4TNnvNhFI+iJvcVMzrNQ==
X-Forefront-Antispam-Report: 
 CIP:165.204.84.17;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230022)(4636009)(39860400002)(136003)(396003)(376002)(346002)(451199015)(36840700001)(40470700004)(46966006)(16526019)(316002)(40480700001)(186003)(26005)(5660300002)(44832011)(1076003)(478600001)(2616005)(41300700001)(426003)(47076005)(70206006)(4326008)(54906003)(8676002)(6916009)(70586007)(336012)(82310400005)(83380400001)(8936002)(40460700003)(86362001)(36756003)(6666004)(36860700001)(82740400003)(356005)(2906002)(81166007)(36900700001)(16060500005);DIR:OUT;SFP:1101;
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Jan 2023 18:17:08.9731
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 c3b09087-9a1a-41a3-f726-08daf4000d89
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
 DS1PEPF0000E638.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5913
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1754751335145176057?=
X-GMAIL-MSGID: =?utf-8?q?1754751335145176057?=

It is possible that adev->dm.dc->caps.max_links is greater than
AMDGPU_MAX_CRTCS. So, to not potentially access unallocated memory use
adev->mode_info.num_crtc to do the bounds check instead of
adev->dm.dc->caps.max_links.

Fixes: 278b2b5ba2f2 ("drm/amd/display: Implement multiple secure display")
Fixes: 65a2fbe75cd5 ("drm/amd/display: Fix when disabling secure_display")
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Reviewed-by: Alan Liu <HaoPing.Liu@amd.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c     | 2 +-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index b4d60eedbcbf..86a268cc4b21 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1742,7 +1742,7 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
 
 #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
 	if (adev->dm.secure_display_ctxs) {
-		for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+		for (i = 0; i < adev->mode_info.num_crtc; i++) {
 			if (adev->dm.secure_display_ctxs[i].crtc) {
 				flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
 				flush_work(&adev->dm.secure_display_ctxs[i].forward_roi_work);
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
index 8841c447d0e2..8873ecada27c 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c
@@ -223,7 +223,7 @@ int amdgpu_dm_crtc_configure_crc_source(struct drm_crtc *crtc,
 #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
 		/* Disable secure_display if it was enabled */
 		if (!enable) {
-			for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+			for (i = 0; i < adev->mode_info.num_crtc; i++) {
 				if (adev->dm.secure_display_ctxs[i].crtc == crtc) {
 					/* stop ROI update on this crtc */
 					flush_work(&adev->dm.secure_display_ctxs[i].notify_ta_work);
@@ -544,12 +544,14 @@ amdgpu_dm_crtc_secure_display_create_contexts(struct amdgpu_device *adev)
 	struct secure_display_context *secure_display_ctxs = NULL;
 	int i;
 
-	secure_display_ctxs = kcalloc(AMDGPU_MAX_CRTCS, sizeof(struct secure_display_context), GFP_KERNEL);
+	secure_display_ctxs = kcalloc(adev->mode_info.num_crtc,
+				      sizeof(struct secure_display_context),
+				      GFP_KERNEL);
 
 	if (!secure_display_ctxs)
 		return NULL;
 
-	for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
+	for (i = 0; i < adev->mode_info.num_crtc; i++) {
 		INIT_WORK(&secure_display_ctxs[i].forward_roi_work, amdgpu_dm_forward_crc_window);
 		INIT_WORK(&secure_display_ctxs[i].notify_ta_work, amdgpu_dm_crtc_notify_ta_to_read);
 		secure_display_ctxs[i].crtc = &adev->mode_info.crtcs[i]->base;