From b6fc9f3959d370782641e35544760acb401012bf Mon Sep 17 00:00:00 2001 From: Jonathan Gray Date: Mon, 11 Dec 2023 05:20:30 +0000 Subject: drm/amd/display: Guard against invalid RPTR/WPTR being set From Nicholas Kazlauskas 195514bda626b16fb6ef9ff4172dc0433a3c105b in linux-6.1.y/6.1.66 1ffa8602e39b89469dc703ebab7a7e44c33da0f7 in mainline linux --- sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'sys') diff --git a/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c b/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c index 6b8bd556c87..e951fd837aa 100644 --- a/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c +++ b/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c @@ -675,9 +675,16 @@ enum dmub_status dmub_srv_sync_inbox1(struct dmub_srv *dmub) return DMUB_STATUS_INVALID; if (dmub->hw_funcs.get_inbox1_rptr && dmub->hw_funcs.get_inbox1_wptr) { - dmub->inbox1_rb.rptr = dmub->hw_funcs.get_inbox1_rptr(dmub); - dmub->inbox1_rb.wrpt = dmub->hw_funcs.get_inbox1_wptr(dmub); - dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt; + uint32_t rptr = dmub->hw_funcs.get_inbox1_rptr(dmub); + uint32_t wptr = dmub->hw_funcs.get_inbox1_wptr(dmub); + + if (rptr > dmub->inbox1_rb.capacity || wptr > dmub->inbox1_rb.capacity) { + return DMUB_STATUS_HW_FAILURE; + } else { + dmub->inbox1_rb.rptr = rptr; + dmub->inbox1_rb.wrpt = wptr; + dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt; + } } return DMUB_STATUS_OK; @@ -711,6 +718,11 @@ enum dmub_status dmub_srv_cmd_queue(struct dmub_srv *dmub, if (!dmub->hw_init) return DMUB_STATUS_INVALID; + if (dmub->inbox1_rb.rptr > dmub->inbox1_rb.capacity || + dmub->inbox1_rb.wrpt > dmub->inbox1_rb.capacity) { + return DMUB_STATUS_HW_FAILURE; + } + if (dmub_rb_push_front(&dmub->inbox1_rb, cmd)) return DMUB_STATUS_OK; -- cgit v1.2.3