Patch "drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport" has been added to the 6.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 22 Jul 2024 20:27:56 -0400

This is a note to let you know that I've just added the patch titled

    drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-amd-display-fix-array-index-out-of-bounds-in-dml.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bd8a1e52db66084c2af3c362696644c29318a516
Author: Roman Li <Roman.Li@xxxxxxx>
Date:   Wed Jun 26 14:08:41 2024 -0400

    drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport
    
    [ Upstream commit 0ad4b4a2f6357c45fbe444ead1a929a0b4017d03 ]
    
    [Why]
    Potential out of bounds access in dml2_calculate_rq_and_dlg_params()
    because the value of out_lowest_state_idx used as an index for FCLKChangeSupport
    array can be greater than 1.
    
    [How]
    Currently dml2 core specifies identical values for all FCLKChangeSupport
    elements. Always use index 0 in the condition to avoid out of bounds access.
    
    Acked-by: Rodrigo Siqueira <rodrigo.siqueira@xxxxxxx>
    Signed-off-by: Jerry Zuo <jerry.zuo@xxxxxxx>
    Signed-off-by: Roman Li <Roman.Li@xxxxxxx>
    Tested-by: Daniel Wheeler <daniel.wheeler@xxxxxxx>
    Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
index b72ed3e78df05..bb4e812248aec 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c
@@ -294,7 +294,7 @@ void dml2_calculate_rq_and_dlg_params(const struct dc *dc, struct dc_state *cont
 	context->bw_ctx.bw.dcn.clk.dcfclk_deep_sleep_khz = (unsigned int)in_ctx->v20.dml_core_ctx.mp.DCFCLKDeepSleep * 1000;
 	context->bw_ctx.bw.dcn.clk.dppclk_khz = 0;
 
-	if (in_ctx->v20.dml_core_ctx.ms.support.FCLKChangeSupport[in_ctx->v20.scratch.mode_support_params.out_lowest_state_idx] == dml_fclock_change_unsupported)
+	if (in_ctx->v20.dml_core_ctx.ms.support.FCLKChangeSupport[0] == dml_fclock_change_unsupported)
 		context->bw_ctx.bw.dcn.clk.fclk_p_state_change_support = false;
 	else
 		context->bw_ctx.bw.dcn.clk.fclk_p_state_change_support = true;







