Commit 4d0ed265 authored Aug 24, 2024 by Alex Hung Committed by Jinjiang Tu Aug 24, 2024

drm/amd/display: Check pipe offset before setting vblank

stable inclusion
from stable-v5.10.222
commit b2e9abc95583ac7bbb2c47da4d476a798146dfd6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSBL
CVE: CVE-2024-42120

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b2e9abc95583ac7bbb2c47da4d476a798146dfd6



--------------------------------

[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ]

pipe_ctx has a size of MAX_PIPES so checking its index before accessing
the array.

This fixes an OVERRUN issue reported by Coverity.

Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Acked-by: Wayne Lin <wayne.lin@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>

parent 3e84c5c1

drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service,
		info->ext_id);
		uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK;

		struct timing_generator *tg =
		dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
		struct timing_generator *tg;

		if (pipe_offset >= MAX_PIPES)
		return false;

		tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;

		if (enable) {
		if (!tg \|\| !tg->funcs->arm_vert_intr(tg, 2)) {