drm/amd/display: Guard against invalid RPTR/WPTR being set

From Nicholas Kazlauskas
195514bda626b16fb6ef9ff4172dc0433a3c105b in linux-6.1.y/6.1.66
1ffa8602e39b89469dc703ebab7a7e44c33da0f7 in mainline linux

diff --git a/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c b/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c
index 6b8bd55..e951fd8 100644 (file)
--- a/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c
+++ b/sys/dev/pci/drm/amd/display/dmub/src/dmub_srv.c
@@ -675,9 +675,16 @@ enum dmub_status dmub_srv_sync_inbox1(struct dmub_srv *dmub)
                return DMUB_STATUS_INVALID;
 
        if (dmub->hw_funcs.get_inbox1_rptr && dmub->hw_funcs.get_inbox1_wptr) {
-               dmub->inbox1_rb.rptr = dmub->hw_funcs.get_inbox1_rptr(dmub);
-               dmub->inbox1_rb.wrpt = dmub->hw_funcs.get_inbox1_wptr(dmub);
-               dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt;
+               uint32_t rptr = dmub->hw_funcs.get_inbox1_rptr(dmub);
+               uint32_t wptr = dmub->hw_funcs.get_inbox1_wptr(dmub);
+
+               if (rptr > dmub->inbox1_rb.capacity || wptr > dmub->inbox1_rb.capacity) {
+                       return DMUB_STATUS_HW_FAILURE;
+               } else {
+                       dmub->inbox1_rb.rptr = rptr;
+                       dmub->inbox1_rb.wrpt = wptr;
+                       dmub->inbox1_last_wptr = dmub->inbox1_rb.wrpt;
+               }
        }
 
        return DMUB_STATUS_OK;
@@ -711,6 +718,11 @@ enum dmub_status dmub_srv_cmd_queue(struct dmub_srv *dmub,
        if (!dmub->hw_init)
                return DMUB_STATUS_INVALID;
 
+       if (dmub->inbox1_rb.rptr > dmub->inbox1_rb.capacity ||
+           dmub->inbox1_rb.wrpt > dmub->inbox1_rb.capacity) {
+               return DMUB_STATUS_HW_FAILURE;
+       }
+
        if (dmub_rb_push_front(&dmub->inbox1_rb, cmd))
                return DMUB_STATUS_OK;