drm/amdgpu: NUL-terminate securedisplay debugfs input from userspace

author Candice Li <candice.li@amd.com>

Tue, 19 May 2026 10:42:09 +0000 (18:42 +0800)

committer Alex Deucher <alexander.deucher@amd.com>

Wed, 3 Jun 2026 17:53:00 +0000 (13:53 -0400)
author Candice Li <candice.li@amd.com>
Tue, 19 May 2026 10:42:09 +0000 (18:42 +0800)
committer Alex Deucher <alexander.deucher@amd.com>
Wed, 3 Jun 2026 17:53:00 +0000 (13:53 -0400)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c

index 3739be1b71e0d301048f017453b7d1d90cf5a394..ab73e26c97e0f471cd9837bf33cbd33f86843e54 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c
@@ -98,15 +98,18 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
         uint32_t phy_id;
         uint32_t op;
         char str[64];
-       int ret;
+       long len;
+       ssize_t write_ret = size;
+       int ret, nargs;
  
-       if (*pos || size > sizeof(str) - 1)
+       if (*pos)
                 return -EINVAL;
  
-       memset(str,  0, sizeof(str));
-       ret = copy_from_user(str, buf, size);
-       if (ret)
+       len = strncpy_from_user(str, buf, sizeof(str));
+       if (len < 0)
                 return -EFAULT;
+       if (len == 0 || len >= sizeof(str))
+               return -EINVAL;
  
         ret = pm_runtime_get_sync(dev->dev);
         if (ret < 0) {
@@ -114,10 +117,14 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
                 return ret;
         }
  
-       if (size < 3)
-               sscanf(str, "%u ", &op);
+       if (len < 3)
+               nargs = sscanf(str, "%u", &op);
         else
-               sscanf(str, "%u %u", &op, &phy_id);
+               nargs = sscanf(str, "%u %u", &op, &phy_id);
+       if (nargs < 1) {
+               write_ret = -EINVAL;
+               goto out;
+       }
  
         switch (op) {
         case 1:
@@ -135,9 +142,10 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
                 mutex_unlock(&psp->securedisplay_context.mutex);
                 break;
         case 2:
-               if (size < 3 || phy_id >= TA_SECUREDISPLAY_MAX_PHY) {
+               if (nargs < 2 || phy_id >= TA_SECUREDISPLAY_MAX_PHY) {
                         dev_err(adev->dev, "Invalid input: %s\n", str);
-                       return -EINVAL;
+                       write_ret = -EINVAL;
+                       break;
                 }
                 mutex_lock(&psp->securedisplay_context.mutex);
                 psp_prep_securedisplay_cmd_buf(psp, &securedisplay_cmd,
@@ -157,11 +165,14 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
                 break;
         default:
                 dev_err(adev->dev, "Invalid input: %s\n", str);
+               write_ret = -EINVAL;
+               break;
         }
  
+out:
         pm_runtime_put_autosuspend(dev->dev);
  
-       return size;
+       return write_ret;
  }
  
  static const struct file_operations amdgpu_securedisplay_debugfs_ops = {
author	Candice Li <candice.li@amd.com>
	Tue, 19 May 2026 10:42:09 +0000 (18:42 +0800)
committer	Alex Deucher <alexander.deucher@amd.com>
	Wed, 3 Jun 2026 17:53:00 +0000 (13:53 -0400)