<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<p style="font-family:Arial;font-size:11pt;color:#0078D7;margin:5pt;" align="Left">
[AMD Official Use Only - Internal Distribution Only]<br>
</p>
<br>
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Reviewed-by: <font size="2"><span style="font-size:11pt">Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com></span></font><br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Dan Carpenter <dan.carpenter@oracle.com><br>
<b>Sent:</b> March 2, 2021 6:15 AM<br>
<b>To:</b> Wentland, Harry <Harry.Wentland@amd.com>; Lakha, Bhawanpreet <Bhawanpreet.Lakha@amd.com><br>
<b>Cc:</b> Li, Sun peng (Leo) <Sunpeng.Li@amd.com>; Deucher, Alexander <Alexander.Deucher@amd.com>; Koenig, Christian <Christian.Koenig@amd.com>; David Airlie <airlied@linux.ie>; Daniel Vetter <daniel@ffwll.ch>; Dan Carpenter <dan.carpenter@oracle.com>; Lakha,
 Bhawanpreet <Bhawanpreet.Lakha@amd.com>; Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Liu, Wenjing <Wenjing.Liu@amd.com>; amd-gfx@lists.freedesktop.org <amd-gfx@lists.freedesktop.org>; dri-devel@lists.freedesktop.org <dri-devel@lists.freedesktop.org>; kernel-janitors@vger.kernel.org
 <kernel-janitors@vger.kernel.org><br>
<b>Subject:</b> [PATCH] drm/amd/display: Fix off by one in hdmi_14_process_transaction()</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">The hdcp_i2c_offsets[] array did not have an entry for<br>
HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one<br>
read overflow.  I added an entry and copied the 0x0 value for the offset<br>
from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.<br>
<br>
I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX<br>
entries.  This doesn't change the code, but it's just a belt and<br>
suspenders approach to try future proof the code.<br>
<br>
Fixes: 4c283fdac08a ("drm/amd/display: Add HDCP module")<br>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com><br>
---<br>
>From static analysis, as mentioned in the commit message the offset<br>
is basically an educated guess.<br>
<br>
I reported this bug on Apr 16, 2020 but I guess we lost take of it.<br>
<br>
 drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 9 +++++----<br>
 1 file changed, 5 insertions(+), 4 deletions(-)<br>
<br>
diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c<br>
index 5e384a8a83dc..51855a2624cf 100644<br>
--- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c<br>
+++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c<br>
@@ -39,7 +39,7 @@<br>
 #define HDCP14_KSV_SIZE 5<br>
 #define HDCP14_MAX_KSV_FIFO_SIZE 127*HDCP14_KSV_SIZE<br>
 <br>
-static const bool hdcp_cmd_is_read[] = {<br>
+static const bool hdcp_cmd_is_read[HDCP_MESSAGE_ID_MAX] = {<br>
         [HDCP_MESSAGE_ID_READ_BKSV] = true,<br>
         [HDCP_MESSAGE_ID_READ_RI_R0] = true,<br>
         [HDCP_MESSAGE_ID_READ_PJ] = true,<br>
@@ -75,7 +75,7 @@ static const bool hdcp_cmd_is_read[] = {<br>
         [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = false<br>
 };<br>
 <br>
-static const uint8_t hdcp_i2c_offsets[] = {<br>
+static const uint8_t hdcp_i2c_offsets[HDCP_MESSAGE_ID_MAX] = {<br>
         [HDCP_MESSAGE_ID_READ_BKSV] = 0x0,<br>
         [HDCP_MESSAGE_ID_READ_RI_R0] = 0x8,<br>
         [HDCP_MESSAGE_ID_READ_PJ] = 0xA,<br>
@@ -106,7 +106,8 @@ static const uint8_t hdcp_i2c_offsets[] = {<br>
         [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_SEND_ACK] = 0x60,<br>
         [HDCP_MESSAGE_ID_WRITE_REPEATER_AUTH_STREAM_MANAGE] = 0x60,<br>
         [HDCP_MESSAGE_ID_READ_REPEATER_AUTH_STREAM_READY] = 0x80,<br>
-       [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70<br>
+       [HDCP_MESSAGE_ID_READ_RXSTATUS] = 0x70,<br>
+       [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = 0x0,<br>
 };<br>
 <br>
 struct protection_properties {<br>
@@ -184,7 +185,7 @@ static const struct protection_properties hdmi_14_protection = {<br>
         .process_transaction = hdmi_14_process_transaction<br>
 };<br>
 <br>
-static const uint32_t hdcp_dpcd_addrs[] = {<br>
+static const uint32_t hdcp_dpcd_addrs[HDCP_MESSAGE_ID_MAX] = {<br>
         [HDCP_MESSAGE_ID_READ_BKSV] = 0x68000,<br>
         [HDCP_MESSAGE_ID_READ_RI_R0] = 0x68005,<br>
         [HDCP_MESSAGE_ID_READ_PJ] = 0xFFFFFFFF,<br>
-- <br>
2.30.1<br>
<br>
</div>
</span></font></div>
</div>
</body>
</html>