[PATCH 1/2] drm/amdgpu: fix parsing indirect register list v2

Tue, 12 Jun 2018 02:08:24 -0700 

WARN_ON possible buffer overflow and avoid unnecessary dereference.

v2: change BUG_ON to WARN_ON

Change-Id: I6666d7dcf60acf524f290460d2ffe3f1f5f46354
Signed-off-by: Evan Quan <evan.q...@amd.com>
---
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c 
b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
index c382969..ae35bbe 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -1839,13 +1839,15 @@ static void gfx_v9_1_parse_ind_reg_list(int 
*register_list_format,
                                int indirect_offset,
                                int list_size,
                                int *unique_indirect_regs,
-                               int *unique_indirect_reg_count,
+                               int unique_indirect_reg_count,
                                int *indirect_start_offsets,
-                               int *indirect_start_offsets_count)
+                               int *indirect_start_offsets_count,
+                               int max_start_offsets_count)
 {
        int idx;
 
        for (; indirect_offset < list_size; indirect_offset++) {
+               WARN_ON(*indirect_start_offsets_count >= 
max_start_offsets_count);
                indirect_start_offsets[*indirect_start_offsets_count] = 
indirect_offset;
                *indirect_start_offsets_count = *indirect_start_offsets_count + 
1;
 
@@ -1853,14 +1855,14 @@ static void gfx_v9_1_parse_ind_reg_list(int 
*register_list_format,
                        indirect_offset += 2;
 
                        /* look for the matching indice */
-                       for (idx = 0; idx < *unique_indirect_reg_count; idx++) {
+                       for (idx = 0; idx < unique_indirect_reg_count; idx++) {
                                if (unique_indirect_regs[idx] ==
                                        register_list_format[indirect_offset] ||
                                        !unique_indirect_regs[idx])
                                        break;
                        }
 
-                       BUG_ON(idx >= *unique_indirect_reg_count);
+                       BUG_ON(idx >= unique_indirect_reg_count);
 
                        if (!unique_indirect_regs[idx])
                                unique_indirect_regs[idx] = 
register_list_format[indirect_offset];
@@ -1895,9 +1897,10 @@ static int gfx_v9_1_init_rlc_save_restore_list(struct 
amdgpu_device *adev)
                                    
adev->gfx.rlc.reg_list_format_direct_reg_list_length,
                                    adev->gfx.rlc.reg_list_format_size_bytes >> 
2,
                                    unique_indirect_regs,
-                                   &unique_indirect_reg_count,
+                                   unique_indirect_reg_count,
                                    indirect_start_offsets,
-                                   &indirect_start_offsets_count);
+                                   &indirect_start_offsets_count,
+                                   ARRAY_SIZE(indirect_start_offsets));
 
        /* enable auto inc in case it is disabled */
        tmp = RREG32(SOC15_REG_OFFSET(GC, 0, mmRLC_SRM_CNTL));
-- 
2.7.4

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Reply via email to