[PATCH] drm/amd/display: fix the system memory page fault because of copy overflow

[Lee Jones]

On Fri, 15 Jan 2021, Christian König wrote:

> Am 15.01.21 um 19:46 schrieb Huang Rui:
> > The buffer is allocated with the size of pointer and copy with the size of
> > data structure. Then trigger the system memory page fault. Use the
> > orignal data structure to get the object size.
> > 
> > Fixes: a8e30005b drm/amd/display/dc/core/dc_link: Move some local data
> > from the stack to the heap
> > 
> > Signed-off-by: Huang Rui <ray.huang at amd.com>
> > Cc: Lee Jones <lee.jones at linaro.org>
> > ---
> >   drivers/gpu/drm/amd/display/dc/core/dc_link.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
> > index 69573d67056d..73178978ae74 100644
> > --- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
> > +++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
> > @@ -1380,7 +1380,7 @@ static bool dc_link_construct(struct dc_link *link,
> >   	DC_LOGGER_INIT(dc_ctx->logger);
> > -	info = kzalloc(sizeof(info), GFP_KERNEL);
> > +	info = kzalloc(sizeof(struct integrated_info), GFP_KERNEL);
> 
> That should probably be sizeof(*info) instead, we usually try to avoid
> sizeof(struct ...) in the kernel.
> 
> There are some automated scripts in place which will send you a patch to
> change it otherwise.
> 
> >   	if (!info)
> >   		goto create_fail;
> > @@ -1545,7 +1545,7 @@ static bool dc_link_construct(struct dc_link *link,
> >   	}
> >   	if (bios->integrated_info)
> > -		memcpy(info, bios->integrated_info, sizeof(*info));
> > +		memcpy(info, bios->integrated_info, sizeof(struct integrated_info));
> 
> This can then also stay as it is.
> 
> Apart from that good catch.

Yes, agreed.

Sorry for the fuss.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog