From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
To: Alex Deucher <alexander.deucher@amd.com>
Cc: Nikita Zhandarovich <n.zhandarovich@fintech.ru>,
Christian König <christian.koenig@amd.com>,
David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
<amd-gfx@lists.freedesktop.org>,
<dri-devel@lists.freedesktop.org>, <linux-kernel@vger.kernel.org>,
<lvc-project@linuxtesting.org>
Subject: [PATCH] drm/radeon: Fix OOB read in MC register table init
Date: Fri, 29 May 2026 15:14:34 +0300 [thread overview]
Message-ID: <20260529121436.1633842-1-n.zhandarovich@fintech.ru> (raw)
radeon_atom_init_mc_reg_table() copies the previous mc_data[] entry when
pre_reg_data requests DATA_EQU_PREV. However, the loop starts at i == 0,
so a malformed or unexpected table can make the first entry use
DATA_EQU_PREV and trigger an out-of-bounds read from mc_data[i - 1].
Emulate a fix for a similar issue in amdgpu_atombios_init_mc_reg_table,
see commit 51dfc0a4d609 ("drm/amdgpu: fix mc_data out-of-bounds read
warning"), by skipping DATA_EQU_PREV for the first entry.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: ae5b0abbb6f7 ("drm/radeon/kms: add atom helper functions for dpm (v3)")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
---
P.S. checkpatch warns that too many tabs were used but I can't do much
about surrounding code being already too deeply nested.
drivers/gpu/drm/radeon/radeon_atombios.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 3dd9724b331d..c6d229a4322f 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -4032,6 +4032,8 @@ int radeon_atom_init_mc_reg_table(struct radeon_device *rdev,
(u32)le32_to_cpu(*((u32 *)reg_data + j));
j++;
} else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) == DATA_EQU_PREV) {
+ if (i == 0)
+ continue;
reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =
reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1];
}
next reply other threads:[~2026-05-29 12:14 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 12:14 Nikita Zhandarovich [this message]
2026-06-04 6:32 ` Claude review: drm/radeon: Fix OOB read in MC register table init Claude Code Review Bot
2026-06-04 6:32 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260529121436.1633842-1-n.zhandarovich@fintech.ru \
--to=n.zhandarovich@fintech.ru \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=simona@ffwll.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox