Commit b7588507 authored by Dan Carpenter's avatar Dan Carpenter Committed by Alex Deucher
Browse files

drm/amd/pm: Fix memory some memory corruption 



The "od_table" is a pointer to a large struct, but this code is doing
pointer math as if it were pointing to bytes.  It results in writing
far outside the struct.

Fixes: 2e8452ea ("drm/amd/pm: fulfill the OD support for SMU13.0.0")
Fixes: 2a9aa52e ("drm/amd/pm: fulfill the OD support for SMU13.0.7")
Reviewed-by: default avatarEvan Quan <evan.quan@amd.com>
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
parent d155cfff

drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c

+2 −2
Original line number Diff line number Diff line
@@ -1535,7 +1535,7 @@ static int smu_v13_0_0_od_edit_dpm_table(struct smu_context *smu, 
		 * settings. Thus we do not cache it.

		 */

		offset_of_featurectrlmask = offsetof(OverDriveTable_t, FeatureCtrlMask);

		if (memcmp(od_table + offset_of_featurectrlmask,

		if (memcmp((u8 *)od_table + offset_of_featurectrlmask,

			   table_context->user_overdrive_table + offset_of_featurectrlmask,

			   sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask)) {

			smu_v13_0_0_dump_od_table(smu, od_table);
@@ -1548,7 +1548,7 @@ static int smu_v13_0_0_od_edit_dpm_table(struct smu_context *smu, 


			od_table->OverDriveTable.FeatureCtrlMask = 0;

			memcpy(table_context->user_overdrive_table + offset_of_featurectrlmask,

			       od_table + offset_of_featurectrlmask,

			       (u8 *)od_table + offset_of_featurectrlmask,

			       sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask);



			if (!memcmp(table_context->user_overdrive_table,

drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c

+2 −2
Original line number Diff line number Diff line
@@ -1524,7 +1524,7 @@ static int smu_v13_0_7_od_edit_dpm_table(struct smu_context *smu, 
		 * settings. Thus we do not cache it.

		 */

		offset_of_featurectrlmask = offsetof(OverDriveTable_t, FeatureCtrlMask);

		if (memcmp(od_table + offset_of_featurectrlmask,

		if (memcmp((u8 *)od_table + offset_of_featurectrlmask,

			   table_context->user_overdrive_table + offset_of_featurectrlmask,

			   sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask)) {

			smu_v13_0_7_dump_od_table(smu, od_table);
@@ -1537,7 +1537,7 @@ static int smu_v13_0_7_od_edit_dpm_table(struct smu_context *smu, 


			od_table->OverDriveTable.FeatureCtrlMask = 0;

			memcpy(table_context->user_overdrive_table + offset_of_featurectrlmask,

			       od_table + offset_of_featurectrlmask,

			       (u8 *)od_table + offset_of_featurectrlmask,

			       sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask);



			if (!memcmp(table_context->user_overdrive_table,