drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()

From Alexey Kodanev
deb603c5928e546609c0d5798e231d0205748943 in linux 5.15.y/5.15.61
136f614931a2bb73616b292cf542da3a18daefd5 in mainline linux

diff --git a/sys/dev/pci/drm/radeon/ni_dpm.c b/sys/dev/pci/drm/radeon/ni_dpm.c
index 769f666..672d223 100644 (file)
--- a/sys/dev/pci/drm/radeon/ni_dpm.c
+++ b/sys/dev/pci/drm/radeon/ni_dpm.c
@@ -2741,10 +2741,10 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev,
                                        table->mc_reg_table_entry[k].mc_data[j] |= 0x100;
                        }
                        j++;
-                       if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE)
-                               return -EINVAL;
                        break;
                case MC_SEQ_RESERVE_M >> 2:
+                       if (j >= SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE)
+                               return -EINVAL;
                        temp_reg = RREG32(MC_PMG_CMD_MRS1);
                        table->mc_reg_address[j].s1 = MC_PMG_CMD_MRS1 >> 2;
                        table->mc_reg_address[j].s0 = MC_SEQ_PMG_CMD_MRS1_LP >> 2;
@@ -2753,8 +2753,6 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev,
                                        (temp_reg & 0xffff0000) |
                                        (table->mc_reg_table_entry[k].mc_data[i] & 0x0000ffff);
                        j++;
-                       if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE)
-                               return -EINVAL;
                        break;
                default:
                        break;