commit 06888d571b51 ("drm/amd/display: Avoid HDCP over-read and corruption") fixed an overread with an invalid buffer length but added an unnecessary buffer and copy. Simplify the code by using a single uint64_t and __builtin_popcountll to count the number of bits set in the original bksv buffer instead of a loop. This also avoid a possible unaligned access of the temporary bksv. Signed-off-by: Joe Perches <joe@xxxxxxxxxxx> --- It seems quite odd 20 bits set is a magic number here. Should it be a specific be/le value instead? drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c index de872e7958b06..78a4c6dd95d99 100644 --- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c +++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c @@ -28,17 +28,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp) { uint64_t n = 0; - uint8_t count = 0; - u8 bksv[sizeof(n)] = { }; - memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); - n = *(uint64_t *)bksv; + memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv)); - while (n) { - count++; - n &= (n - 1); - } - return (count == 20) ? MOD_HDCP_STATUS_SUCCESS : + return (__builtin_popcountll(n) == 20) ? MOD_HDCP_STATUS_SUCCESS : MOD_HDCP_STATUS_HDCP1_INVALID_BKSV; }