From: Hersen Wu hersenxs.wu@amd.com
stable inclusion from stable-v6.10.9 commit 36c39a8dcce210649f2f45f252abaa09fcc1ae87 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9L0 CVE: CVE-2024-46816
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit cf8b16857db702ceb8d52f9219a4613363e2b1cf ]
[Why] Coverity report OVERRUN warning. There are only max_links elements within dc->links. link count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.
[How] Make sure link count less than max_links.
Reviewed-by: Harry Wentland harry.wentland@amd.com Acked-by: Tom Chung chiahsuan.chung@amd.com Signed-off-by: Hersen Wu hersenxs.wu@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c [This conflict is caused by the lack of definition of the MAX_LINKS variable. Manually adapt the variable value.] Signed-off-by: Cheng Yu serein.chengyu@huawei.com --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 56324bd42fde..07a37407879f 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -3395,17 +3395,17 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev) goto fail; }
+ if (link_cnt > MAX_PIPES * 2) { + DRM_ERROR( + "KMS: Cannot support more than %d display indexes\n", + MAX_PIPES * 2); + goto fail; + } + /* loops over all connectors on the board */ for (i = 0; i < link_cnt; i++) { struct dc_link *link = NULL;
- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) { - DRM_ERROR( - "KMS: Cannot support more than %d display indexes\n", - AMDGPU_DM_MAX_DISPLAY_INDEX); - continue; - } - aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL); if (!aconnector) goto fail;