drm/amdgpu: Fix NULL dereference in dpm sysfs handlers (38e0c89a) · Commits · 戴 / test

NULL dereference occurs when string that is not ended with space or newline is written to some dpm sysfs interface (for example pp_dpm_sclk). This happens because strsep replaces the tmp with NULL if the delimiter is not present in string, which is then dereferenced by tmp[0]. Reproduction example: sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk' Signed-off-by:

Paweł Gronowski <me@woland.xyz> Signed-off-by:

Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org

drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c

+3 −6

Original line number	Diff line number	Diff line
		@@ -778,8 +778,7 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev,
		tmp_str++;
		while (isspace(*++tmp_str));

		while (tmp_str[0]) {
		sub_str = strsep(&tmp_str, delimiter);
		while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
		ret = kstrtol(sub_str, 0, &parameter[parameter_size]);
		if (ret)
		return -EINVAL;
		@@ -1039,8 +1038,7 @@ static ssize_t amdgpu_read_mask(const char buf, size_t count, uint32_t mask)
		memcpy(buf_cpy, buf, bytes);
		buf_cpy[bytes] = '\0';
		tmp = buf_cpy;
		while (tmp[0]) {
		sub_str = strsep(&tmp, delimiter);
		while ((sub_str = strsep(&tmp, delimiter)) != NULL) {
		if (strlen(sub_str)) {
		ret = kstrtol(sub_str, 0, &level);
		if (ret)
		@@ -1637,8 +1635,7 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev,
		i++;
		memcpy(buf_cpy, buf, count-i);
		tmp_str = buf_cpy;
		while (tmp_str[0]) {
		sub_str = strsep(&tmp_str, delimiter);
		while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) {
		ret = kstrtol(sub_str, 0, &parameter[parameter_size]);
		if (ret)
		return -EINVAL;

Admin message