From: Jiang Liu <gerry@linux.alibaba.com> mainline inclusion from mainline-v6.14-rc3 commit 1abb2648698bf10783d2236a6b4a7ca5e8021699 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC78 CVE: CVE-2025-21780 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table(). Reviewed-by: Lijo Lazar <lijo.lazar@amd.com> Signed-off-by: Jiang Liu <gerry@linux.alibaba.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Conflicts: drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c [The smu->mutex in the context has not been removed.] Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com> --- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c index ee27970cfff9..98c9ac875daa 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c @@ -325,12 +325,14 @@ int smu_sys_set_pp_table(struct smu_context *smu, void *buf, size_t size) dev_err(smu->adev->dev, "pp table size not matched !\n"); return -EIO; } mutex_lock(&smu->mutex); - if (!smu_table->hardcode_pptable) + if (!smu_table->hardcode_pptable || smu_table->power_play_table_size < size) { + kfree(smu_table->hardcode_pptable); smu_table->hardcode_pptable = kzalloc(size, GFP_KERNEL); + } if (!smu_table->hardcode_pptable) { ret = -ENOMEM; goto failed; } -- 2.34.3