From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 08:52:45 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.135~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f208e4c0ab4079ed21c5e3680084134d22b2b792;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
---
diff --git a/queue-5.10/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch b/queue-5.10/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
new file mode 100644
index 0000000000..40df381965
--- /dev/null
+++ b/queue-5.10/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
@@ -0,0 +1,107 @@
+From 63de35a8fcfca59ae8750d469a7eb220c7557baf Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam
+Date: Wed, 25 Sep 2024 20:04:15 +0530
+Subject: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
+
+From: Srinivasan Shanmugam
+
+commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
+
+An issue was identified in the dcn21_link_encoder_create function where
+an out-of-bounds access could occur when the hpd_source index was used
+to reference the link_enc_hpd_regs array. This array has a fixed size
+and the index was not being checked against the array's bounds before
+accessing it.
+
+This fix adds a conditional check to ensure that the hpd_source index is
+within the valid range of the link_enc_hpd_regs array. If the index is
+out of bounds, the function now returns NULL to prevent undefined
+behavior.
+
+References:
+
+[ 65.920507] ------------[ cut here ]------------
+[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
+[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
+[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
+[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
+[ 65.920527] Call Trace:
+[ 65.920529]
+[ 65.920532] dump_stack_lvl+0x48/0x70
+[ 65.920541] dump_stack+0x10/0x20
+[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
+[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
+[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
+[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
+[ 65.921679] dc_create+0x360/0x720 [amdgpu]
+[ 65.921999] ? dmi_matches+0xa0/0x220
+[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
+[ 65.922342] ? console_unlock+0x77/0x120
+[ 65.922348] ? dev_printk_emit+0x86/0xb0
+[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
+[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
+[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
+[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
+[ 65.923087] local_pci_probe+0x4b/0xb0
+[ 65.923087] pci_device_probe+0xc8/0x280
+[ 65.923087] really_probe+0x187/0x300
+[ 65.923087] __driver_probe_device+0x85/0x130
+[ 65.923087] driver_probe_device+0x24/0x110
+[ 65.923087] __driver_attach+0xac/0x1d0
+[ 65.923087] ? __pfx___driver_attach+0x10/0x10
+[ 65.923087] bus_for_each_dev+0x7d/0xd0
+[ 65.923087] driver_attach+0x1e/0x30
+[ 65.923087] bus_add_driver+0xf2/0x200
+[ 65.923087] driver_register+0x64/0x130
+[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
+[ 65.923087] __pci_register_driver+0x61/0x70
+[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
+[ 65.923087] do_one_initcall+0x49/0x310
+[ 65.923087] ? kmalloc_trace+0x136/0x360
+[ 65.923087] do_init_module+0x6a/0x270
+[ 65.923087] load_module+0x1fce/0x23a0
+[ 65.923087] init_module_from_file+0x9c/0xe0
+[ 65.923087] ? init_module_from_file+0x9c/0xe0
+[ 65.923087] idempotent_init_module+0x179/0x230
+[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
+[ 65.923087] do_syscall_64+0x76/0x120
+[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+[ 65.923087] RIP: 0033:0x7f2d80f1e88d
+[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
+[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
+[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
+[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
+[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
+[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
+[ 65.923087]
+[ 65.923927] ---[ end trace ]---
+
+Cc: Tom Chung
+Cc: Rodrigo Siqueira
+Cc: Roman Li
+Cc: Alex Hung
+Cc: Aurabindo Pillai
+Cc: Harry Wentland
+Cc: Hamza Mahfooz
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Roman Li
+Signed-off-by: Alex Deucher
+Signed-off-by: Bin Lan
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -1698,7 +1698,7 @@ static struct link_encoder *dcn21_link_e
+ kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
+ int link_regs_id;
+
+- if (!enc21)
++ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ return NULL;
+
+ link_regs_id =
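Review bot: The combined guard `if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs)) return NULL;` in the inner dcn21_resource.c hunk returns without releasing the encoder when the allocation succeeded but hpd_source is out of range. Assuming enc21 holds the result of the kzalloc() on the context line above (the assignment starts outside the hunk), each rejected index leaks one struct dcn21_link_encoder. Either validate hpd_source before allocating, or free on the reject path: `if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs)) { kfree(enc21); return NULL; }`, which is safe because kfree(NULL) is a no-op. The body of dcn21_link_encoder_create continues past the hunk, so whether link_regs_id is range-checked before it is used as an index cannot be judged from here.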
diff --git a/queue-5.10/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch b/queue-5.10/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
new file mode 100644
index 0000000000..0d46d19f25
--- /dev/null
+++ b/queue-5.10/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
@@ -0,0 +1,60 @@
+From cf8b16857db702ceb8d52f9219a4613363e2b1cf Mon Sep 17 00:00:00 2001
+From: Hersen Wu
+Date: Wed, 24 Apr 2024 16:15:15 -0400
+Subject: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
+
+From: Hersen Wu
+
+commit cf8b16857db702ceb8d52f9219a4613363e2b1cf upstream.
+
+[Why]
+Coverity report OVERRUN warning. There are
+only max_links elements within dc->links. link
+count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.
+
+[How]
+Make sure link count less than max_links.
+
+Reviewed-by: Harry Wentland
+Acked-by: Tom Chung
+Signed-off-by: Hersen Wu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+[Minor conflict resolved due to code context change. And the macro MAX_LINKS
+ is introduced by Commit 60df5628144b ("drm/amd/display: handle invalid
+ connector indices") after 6.10. So here we still use the original array
+ length MAX_PIPES * 2]
+Signed-off-by: Jianqi Ren
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -3397,17 +3397,17 @@ static int amdgpu_dm_initialize_drm_devi
+ goto fail;
+ }
+
++ if (link_cnt > (MAX_PIPES * 2)) {
++ DRM_ERROR(
++ "KMS: Cannot support more than %d display indexes\n",
++ MAX_PIPES * 2);
++ goto fail;
++ }
++
+ /* loops over all connectors on the board */
+ for (i = 0; i < link_cnt; i++) {
+ struct dc_link *link = NULL;
+
+- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) {
+- DRM_ERROR(
+- "KMS: Cannot support more than %d display indexes\n",
+- AMDGPU_DM_MAX_DISPLAY_INDEX);
+- continue;
+- }
+-
+ aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL);
+ if (!aconnector)
+ goto fail;
diff --git a/queue-5.10/series b/queue-5.10/series
index c6d08fa074..ca80894c31 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
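Review bot: The new bound in the inner amdgpu_dm.c hunk, `if (link_cnt > (MAX_PIPES * 2))`, spells the array length out by hand in both the condition and the DRM_ERROR argument instead of deriving it from the array it protects. The backport note says dc->links has length MAX_PIPES * 2, but that declaration is not visible here, so a later change to it would silently reopen the overrun this patch closes. Deriving the limit from the array, e.g. `if (link_cnt > ARRAY_SIZE(dc->links))` (spelled with whatever path this function uses to reach dc, which the hunk does not show), or at minimum a comment such as `/* must match the length of dc->links */` above the check, keeps the two tied together. The check now takes `goto fail` before the connector loop, so an over-limit count aborts initialization where the removed in-loop test only skipped the extra connectors. amdgpu_dm_initialize_drm_device begins and ends outside the hunk, so the cleanup on the fail path cannot be checked from here.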
@@ -153,3 +153,5 @@ nvme-avoid-double-free-special-payload.patch
 powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch
 phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
 wifi-ath10k-avoid-null-pointer-error-during-sdio-remove.patch
+drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
+drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch