git.ipfire.org Git - thirdparty/linux.git/commit

author	Harry Wentland <harry.wentland@amd.com>
	Mon, 11 May 2026 20:46:25 +0000 (16:46 -0400)
committer	Alex Deucher <alexander.deucher@amd.com>
	Wed, 3 Jun 2026 18:44:13 +0000 (14:44 -0400)
commit	adf67034b1f61f7119295208085bfd43f85f56af
tree	fc57ca4680cd3774b121a52d1a5ccbee7b1a5876	tree \| snapshot
parent	fb0707ce00eef4e2d60c3020e1c0432739703e4a	commit \| diff

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.

Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))

Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Cc: stable@vger.kernel.org