From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Tue, 6 Jun 2023 08:33:46 +0000 (+0300)
Subject: drm/amd/pm: Fix memory some memory corruption
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=b7588507152148eaf0f19feb98c65b72ab40a726;p=linux.git

drm/amd/pm: Fix memory some memory corruption

The "od_table" is a pointer to a large struct, but this code is doing
pointer math as if it were pointing to bytes.  It results in writing
far outside the struct.

Fixes: 2e8452ea4ef6 ("drm/amd/pm: fulfill the OD support for SMU13.0.0")
Fixes: 2a9aa52e4617 ("drm/amd/pm: fulfill the OD support for SMU13.0.7")
Reviewed-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---

diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
index 5ac5ea770c1c0..413e592f0ed61 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
@@ -1535,7 +1535,7 @@ static int smu_v13_0_0_od_edit_dpm_table(struct smu_context *smu,
 		 * settings. Thus we do not cache it.
 		 */
 		offset_of_featurectrlmask = offsetof(OverDriveTable_t, FeatureCtrlMask);
-		if (memcmp(od_table + offset_of_featurectrlmask,
+		if (memcmp((u8 *)od_table + offset_of_featurectrlmask,
 			   table_context->user_overdrive_table + offset_of_featurectrlmask,
 			   sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask)) {
 			smu_v13_0_0_dump_od_table(smu, od_table);
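Review bot: The byte offset used in this memcmp comes from `offsetof(OverDriveTable_t, FeatureCtrlMask)`, yet it is added to `od_table`, which appears to point at an `OverDriveTableExternal_t` (see `od_table->OverDriveTable.FeatureCtrlMask` in the next hunk), and the length is derived from `sizeof(OverDriveTableExternal_t)`. That is only correct while `OverDriveTable` sits at offset 0 of the external struct, and the struct definition is not visible here. I would either compute `offsetof(OverDriveTableExternal_t, OverDriveTable.FeatureCtrlMask)` or pin the assumption with `BUILD_BUG_ON(offsetof(OverDriveTableExternal_t, OverDriveTable) != 0);`, so a later layout change fails at build time instead of shifting the compared region. The same applies to the matching memcmp hunk in smu_v13_0_7_ppt.c; the function body starts and ends outside the hunk.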
@@ -1548,7 +1548,7 @@ static int smu_v13_0_0_od_edit_dpm_table(struct smu_context *smu,
 
 			od_table->OverDriveTable.FeatureCtrlMask = 0;
 			memcpy(table_context->user_overdrive_table + offset_of_featurectrlmask,
-			       od_table + offset_of_featurectrlmask,
+			       (u8 *)od_table + offset_of_featurectrlmask,
 			       sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask);
 
 			if (!memcmp(table_context->user_overdrive_table,
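Review bot: Only the source operand of this memcpy gets the `(u8 *)` cast, so the destination `table_context->user_overdrive_table + offset_of_featurectrlmask` still scales by whatever that member's declared type is. The declaration is not shown in the hunk; presumably it is `void *` and relies on GNU byte-wise void arithmetic. Because a mismatch between element-scaled and byte-scaled arithmetic is exactly what produced the out-of-bounds access, I'd make both sides explicit with `(u8 *)table_context->user_overdrive_table + offset_of_featurectrlmask`. Alternatively, hoist the two byte pointers and the length into locals shared with the memcmp in the previous hunk, so the compare and the copy cannot drift apart. The same asymmetry is present in both smu_v13_0_7_ppt.c hunks.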
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
index 0bd086360efae..cda4e818aab7e 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
@@ -1524,7 +1524,7 @@ static int smu_v13_0_7_od_edit_dpm_table(struct smu_context *smu,
 		 * settings. Thus we do not cache it.
 		 */
 		offset_of_featurectrlmask = offsetof(OverDriveTable_t, FeatureCtrlMask);
-		if (memcmp(od_table + offset_of_featurectrlmask,
+		if (memcmp((u8 *)od_table + offset_of_featurectrlmask,
 			   table_context->user_overdrive_table + offset_of_featurectrlmask,
 			   sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask)) {
 			smu_v13_0_7_dump_od_table(smu, od_table);
@@ -1537,7 +1537,7 @@ static int smu_v13_0_7_od_edit_dpm_table(struct smu_context *smu,
 
 			od_table->OverDriveTable.FeatureCtrlMask = 0;
 			memcpy(table_context->user_overdrive_table + offset_of_featurectrlmask,
-			       od_table + offset_of_featurectrlmask,
+			       (u8 *)od_table + offset_of_featurectrlmask,
 			       sizeof(OverDriveTableExternal_t) - offset_of_featurectrlmask);
 
 			if (!memcmp(table_context->user_overdrive_table,