From: Candice Li <candice.li@amd.com>
Date: Tue, 19 May 2026 10:42:09 +0000 (+0800)
Subject: drm/amdgpu: NUL-terminate securedisplay debugfs input from userspace
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=66a856e3e5d92a09363dea37e9376921b30aaa6b;p=thirdparty%2Flinux.git

drm/amdgpu: NUL-terminate securedisplay debugfs input from userspace

Use strncpy_from_user() instead of copy_from_user() before sscanf() in
the securedisplay_test debugfs write handler so a full-length write
cannot leave the stack buffer without a terminator.

Signed-off-by: Candice Li <candice.li@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c
index 3739be1b71e0d..ab73e26c97e0f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c
@@ -98,15 +98,18 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
 	uint32_t phy_id;
 	uint32_t op;
 	char str[64];
-	int ret;
+	long len;
+	ssize_t write_ret = size;
+	int ret, nargs;
 
-	if (*pos || size > sizeof(str) - 1)
+	if (*pos)
 		return -EINVAL;
 
-	memset(str,  0, sizeof(str));
-	ret = copy_from_user(str, buf, size);
-	if (ret)
+	len = strncpy_from_user(str, buf, sizeof(str));
+	if (len < 0)
 		return -EFAULT;
+	if (len == 0 || len >= sizeof(str))
+		return -EINVAL;
 
 	ret = pm_runtime_get_sync(dev->dev);
 	if (ret < 0) {
@@ -114,10 +117,14 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
 		return ret;
 	}
 
-	if (size < 3)
-		sscanf(str, "%u ", &op);
+	if (len < 3)
+		nargs = sscanf(str, "%u", &op);
 	else
-		sscanf(str, "%u %u", &op, &phy_id);
+		nargs = sscanf(str, "%u %u", &op, &phy_id);
+	if (nargs < 1) {
+		write_ret = -EINVAL;
+		goto out;
+	}
 
 	switch (op) {
 	case 1:
@@ -135,9 +142,10 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
 		mutex_unlock(&psp->securedisplay_context.mutex);
 		break;
 	case 2:
-		if (size < 3 || phy_id >= TA_SECUREDISPLAY_MAX_PHY) {
+		if (nargs < 2 || phy_id >= TA_SECUREDISPLAY_MAX_PHY) {
 			dev_err(adev->dev, "Invalid input: %s\n", str);
-			return -EINVAL;
+			write_ret = -EINVAL;
+			break;
 		}
 		mutex_lock(&psp->securedisplay_context.mutex);
 		psp_prep_securedisplay_cmd_buf(psp, &securedisplay_cmd,
@@ -157,11 +165,14 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u
 		break;
 	default:
 		dev_err(adev->dev, "Invalid input: %s\n", str);
+		write_ret = -EINVAL;
+		break;
 	}
 
+out:
 	pm_runtime_put_autosuspend(dev->dev);
 
-	return size;
+	return write_ret;
 }
 
 static const struct file_operations amdgpu_securedisplay_debugfs_ops = {