Commit 719fca74 authored by Nicholas Kazlauskas's avatar Nicholas Kazlauskas Committed by Zheng Zengkai
Browse files

drm/amd/display: Guard against invalid RPTR/WPTR being set 

stable inclusion
from stable-v6.6.3
commit 5a4d4bf6e3549a2b537c6cfe4a4e90468ad97367
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8LBQP

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a4d4bf6e3549a2b537c6cfe4a4e90468ad97367



--------------------------------

commit 1ffa8602e39b89469dc703ebab7a7e44c33da0f7 upstream.

[WHY]
HW can return invalid values on register read, guard against these being
set and causing us to access memory out of range and page fault.

[HOW]
Guard at sync_inbox1 and guard at pushing commands.

Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: default avatarHansen Dsouza <hansen.dsouza@amd.com>
Acked-by: default avatarAlex Hung <alex.hung@amd.com>
Signed-off-by: default avatarNicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: default avatarDaniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent fde8b7f5

drivers/gpu/drm/amd/display/dmub/src/dmub_srv.c

+15 −3
Original line number Diff line number Diff line
@@ -658,10 +658,17 @@ enum dmub_status dmub_srv_sync_inbox1(struct dmub_srv *dmub) 
		return DMUB_STATUS_INVALID;



	if (dmub->hw_funcs.get_inbox1_rptr && dmub->hw_funcs.get_inbox1_wptr) {

		dmub->inbox1_rb.rptr = dmub->hw_funcs.get_inbox1_rptr(dmub);

		dmub->inbox1_rb.wrpt = dmub->hw_funcs.get_inbox1_wptr(dmub);

		uint32_t rptr = dmub->hw_funcs.get_inbox1_rptr(dmub);

		uint32_t wptr = dmub->hw_funcs.get_inbox1_wptr(dmub);



		if (rptr > dmub->inbox1_rb.capacity || wptr > dmub->inbox1_rb.capacity) {

			return DMUB_STATUS_HW_FAILURE;

		} else {

			dmub->inbox1_rb.rptr = rptr;

			dmub->inbox1_rb.wrpt = wptr;

			dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt;

		}

	}



	return DMUB_STATUS_OK;

}
@@ -694,6 +701,11 @@ enum dmub_status dmub_srv_cmd_queue(struct dmub_srv *dmub, 
	if (!dmub->hw_init)

		return DMUB_STATUS_INVALID;



	if (dmub->inbox1_rb.rptr > dmub->inbox1_rb.capacity ||

	    dmub->inbox1_rb.wrpt > dmub->inbox1_rb.capacity) {

		return DMUB_STATUS_HW_FAILURE;

	}



	if (dmub_rb_push_front(&dmub->inbox1_rb, cmd))

		return DMUB_STATUS_OK;