drm/amd/pm: bound pp_dpm_set_pp_table() memcpy

The powerplay path allocates hardcode_pp_table once with kmemdup(..., soft_pp_table_size). memcpy(..., size) used the sysfs store count (up to PAGE_SIZE) with no upper bound, causing heap overflow. Reject writes where size exceeds soft_pp_table_size. Signed-off-by: Asad Kamal <asad.kamal@amd.com> Reviewed-by: Yang Wang <kevinyang.wang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
author: Asad Kamal <asad.kamal@amd.com> 2026-05-12 10:44:32 +0300
committer: Alex Deucher <alexander.deucher@amd.com> 2026-06-03 20:52:44 +0300
commit: f193e71fa9fab2e68ef85201b106e8f580d3a25b (patch)
tree: e25085235517cdabd0c108a820a0f7c30f40bc64
parent: 2064610469c5f7f5d665034ddd4c4365dff65f58 (diff)
download: linux-f193e71fa9fab2e68ef85201b106e8f580d3a25b.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index 5700bcc7ad9a..6f5c27bdc1e9 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -665,6 +665,9 @@ static int pp_dpm_set_pp_table(void *handle, const char *buf, size_t size)
 	if (!hwmgr || !hwmgr->pm_en)
 		return -EINVAL;
 
+	if (size > hwmgr->soft_pp_table_size)
+		return -EINVAL;
+
 	if (!hwmgr->hardcode_pp_table) {
 		hwmgr->hardcode_pp_table = kmemdup(hwmgr->soft_pp_table,
 						   hwmgr->soft_pp_table_size,
author	Asad Kamal <asad.kamal@amd.com>	2026-05-12 10:44:32 +0300
committer	Alex Deucher <alexander.deucher@amd.com>	2026-06-03 20:52:44 +0300
commit	f193e71fa9fab2e68ef85201b106e8f580d3a25b (patch)
tree	e25085235517cdabd0c108a820a0f7c30f40bc64
parent	2064610469c5f7f5d665034ddd4c4365dff65f58 (diff)
download	linux-f193e71fa9fab2e68ef85201b106e8f580d3a25b.tar.xz