From 55f3347720e1d305b131a51de3a56d4fa0dc44b6 Mon Sep 17 00:00:00 2001 From: Joshua Aberback Date: Mon, 30 Jun 2025 16:27:25 +0800 Subject: [PATCH] drm/amd/display: Increase block_sequence array size mainline inclusion from mainline-v6.15-rc1 commit 3a7810c212bcf2f722671dadf4b23ff70a7d23ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGADE CVE: CVE-2025-38080 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3a7810c212bcf2f722671dadf4b23ff70a7d23ee -------------------------------- [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to be mutually exclusive, is 91 with current code, therefore 100 is sufficient. Reviewed-by: Alvin Lee Signed-off-by: Joshua Aberback Signed-off-by: Wayne Lin Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Wei Li --- drivers/gpu/drm/amd/display/dc/inc/core_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/inc/core_types.h b/drivers/gpu/drm/amd/display/dc/inc/core_types.h index eaad1260bfd1..4b284ce669ae 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/core_types.h +++ b/drivers/gpu/drm/amd/display/dc/inc/core_types.h @@ -532,7 +532,7 @@ struct dc_state { */ struct bw_context bw_ctx; - struct block_sequence block_sequence[50]; + struct block_sequence block_sequence[100]; unsigned int block_sequence_steps; struct dc_dmub_cmd dc_dmub_cmd[10]; unsigned int dmub_cmd_count; -- Gitee