dml2_policy_build_synthetic_soc_states() validates that several
derived maximum clock values are non-zero before constructing
synthetic SOC states.
However, max_fclk_mhz is not included in the validation despite
later logic assuming the presence of at least one valid FCLK level.
If all FCLK entries are zero, num_fclk_dpms remains zero, causing
an integer underflow (0 - 1) and out-of-bounds array access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7966f319c66d ("drm/amd/display: Introduce DML2")
Signed-off-by: Danila Chernetsov <[email protected]>
---
drivers/gpu/drm/amd/display/dc/dml2_0/dml2_policy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dml2_0/dml2_policy.c
b/drivers/gpu/drm/amd/display/dc/dml2_0/dml2_policy.c
index ef693f608d59..70f418ee5dd2 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2_0/dml2_policy.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2_0/dml2_policy.c
@@ -157,7 +157,8 @@ int dml2_policy_build_synthetic_soc_states(struct
dml2_policy_build_synthetic_so
num_uclk_dpms++;
}
- if (!max_dcfclk_mhz || !max_dispclk_mhz || !max_dppclk_mhz ||
!max_phyclk_mhz || !max_dtbclk_mhz)
+ if (!max_dcfclk_mhz || !max_dispclk_mhz || !max_dppclk_mhz ||
!max_phyclk_mhz ||
+ !max_dtbclk_mhz || !max_fclk_mhz)
return -1;
p->out_states->num_states = 0;
--
2.25.1
