Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/drivers/gpu/drm
History
Imre Deak 1d0e95746d drm/dp_mst: Fix MST sideband message body length check 
[ Upstream commit bd2fccac61b40eaf08d9546acc9fef958bfe4763 ]

Fix the MST sideband message body length check, which must be at least 1
byte accounting for the message body CRC (aka message data CRC) at the
end of the message.

This fixes a case where an MST branch device returns a header with a
correct header CRC (indicating a correctly received body length), with
the body length being incorrectly set to 0. This will later lead to a
memory corruption in drm_dp_sideband_append_payload() and the following
errors in dmesg:

   UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25
   index -1 is out of range for type 'u8 [48]'
   Call Trace:
    drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]
    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]

   memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)
   Call Trace:
    drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]
    drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
    drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]

Cc: <stable@vger.kernel.org>
Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241125205314.1725887-1-imre.deak@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-15 16:29:51 +01:00
..
amd Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()" 2024-12-17 13:24:34 +01:00
arc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
arm Revert "drm: komeda: Fix an issue related to normalized zpos" 2024-11-24 00:23:33 +01:00
armada Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
aspeed Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ast Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
atmel-hlcdc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bochs Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bridge drm/bridge: tc358767: Fix link properties discovery 2024-12-17 13:24:04 +01:00
etnaviv drm/etnaviv: flush shader L1 cache after user commandstream 2024-12-17 13:24:25 +01:00
exynos Revert "drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind()" 2024-11-24 00:23:24 +01:00
fsl-dcu drm: fsl-dcu: enable PIXCLK on LS1021A 2024-12-17 13:24:05 +01:00
gma500 drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes 2024-11-23 23:20:12 +01:00
hisilicon Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
i2c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
i810 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
i915 drm/i915: Fix memory leak by correcting cache object name in error handler 2025-01-02 17:01:18 +01:00
imx drm/imx/ipuv3: Use IRQF_NO_AUTOEN flag in request_irq() 2024-12-17 13:24:03 +01:00
ingenic Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lib Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lima drm/lima: set gp bus_stop bit before hard reset 2024-11-23 23:20:45 +01:00
mcde drm/mcde: Enable module autoloading 2024-12-17 13:24:29 +01:00
mediatek drm/mediatek: Add 0 size check to mtk_drm_gem_obj 2024-11-19 12:26:57 +01:00
meson drm/meson: plane: Add error handling 2024-11-23 23:20:58 +01:00
mga Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mgag200 drm/mgag200: Set DDC timeout in milliseconds 2024-11-23 23:20:30 +01:00
msm drm/msm/dpu: cast crtc_clk calculation to u64 in _dpu_core_perf_calc_clk() 2024-12-17 13:24:06 +01:00
mxsfb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nouveau Revert "nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error" 2024-11-24 00:22:55 +01:00
omapdrm drm/omap: Fix locking in omap_gem_new_dmabuf() 2024-12-17 13:24:03 +01:00
panel drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() 2024-11-23 23:20:08 +01:00
panfrost drm/panfrost: Remove unused id_mask from struct panfrost_model 2024-12-17 13:24:05 +01:00
pl111 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
qxl drm/qxl: Add check for drm_cvt_mode 2024-11-23 23:20:09 +01:00
r128 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
radeon drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check() 2024-12-17 13:24:30 +01:00
rcar-du Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rockchip Revert "drm/rockchip: vop: Allow 4096px width scaling" 2024-11-24 00:23:26 +01:00
samsung Revert "exynos_gpu: Don't allow userspace to control freqs" 2024-11-24 19:22:36 +01:00
savage Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
scheduler Revert "drm/sched: Add locking to drm_sched_entity_modify_sched" 2024-11-24 00:23:01 +01:00
selftests Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
shmobile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sis Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sti drm/sti: Add __iomem for mixer_dbg_mxn's parameter 2024-12-17 13:24:27 +01:00
stm Revert "drm/stm: Fix an error handling path in stm_drm_platform_probe()" 2024-11-24 00:23:26 +01:00
sun4i Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tdfx Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tegra drm/tegra: put drm_gem_object ref on error in tegra_fb_create 2024-11-19 08:44:54 +01:00
tidss drm/tidss: Fix initial plane zpos values 2024-11-19 08:44:54 +01:00
tilcdc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tiny Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ttm drm/vmwgfx: Fix some static checker warnings 2024-11-19 09:22:15 +01:00
tve200 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
udl Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
v3d drm/v3d: Address race-condition in MMU flush 2024-12-17 13:24:04 +01:00
vboxvideo drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA 2024-11-23 23:22:00 +01:00
vc4 drm/vc4: hvs: Set AXI panic modes for the HVS 2024-12-17 13:24:29 +01:00
vgem Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
via Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
virtio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vkms Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vmwgfx Revert "drm/vmwgfx: Handle surface check failure correctly" 2024-11-24 00:22:52 +01:00
xen Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xlnx Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
zte Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_agpsupport.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_atomic.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_atomic_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_atomic_state_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_atomic_uapi.c Revert "drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS" 2024-11-24 00:23:04 +01:00
drm_auth.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_blend.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_bridge.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_bridge_connector.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_bufs.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_cache.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_client.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_client_modeset.c drm/client: fix null pointer dereference in drm_client_modeset_probe 2024-11-23 23:20:27 +01:00
drm_color_mgmt.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_connector.c drm/connector: Add support for out-of-band hotplug notification (v3) 2024-11-08 11:26:15 +01:00
drm_context.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_crtc.c Revert "drm/crtc: fix uninitialized variable use even harder" 2024-11-24 00:22:59 +01:00
drm_crtc_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_crtc_helper_internal.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_crtc_internal.h drm/connector: Add drm_connector_find_by_fwnode() function (v3) 2024-11-08 11:26:15 +01:00
drm_damage_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_debugfs.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_debugfs_crc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dma.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dp_aux_dev.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dp_cec.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dp_dual_mode_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dp_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dp_mst_topology.c drm/dp_mst: Fix MST sideband message body length check 2025-01-15 16:29:51 +01:00
drm_dp_mst_topology_internal.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_drv.c drm/drv: propagate errors from drm_modeset_register_all() 2024-11-18 12:12:40 +01:00
drm_dsc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_dumb_buffers.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_edid.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_edid_load.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_encoder.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_encoder_slave.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_fb_cma_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_fb_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_file.c drm/drm_file: fix use of uninitialized variable 2024-11-18 12:13:17 +01:00
drm_flip_work.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_format_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_fourcc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_framebuffer.c drm/framebuffer: Fix use of uninitialized variable 2024-11-18 12:13:18 +01:00
drm_gem.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_gem_cma_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_gem_framebuffer_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_gem_shmem_helper.c drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) 2024-11-23 23:22:06 +01:00
drm_gem_ttm_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_gem_vram_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_hashtab.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_hdcp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_internal.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_ioc32.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_ioctl.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_irq.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_kms_helper_common.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_lease.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_legacy.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_legacy_misc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_lock.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_managed.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_memory.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_mipi_dbi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_mipi_dsi.c Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" 2024-11-23 23:22:06 +01:00
drm_mm.c drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused 2024-12-17 13:24:03 +01:00
drm_mode_config.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_mode_object.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_modes.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_modeset_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_modeset_lock.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_of.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_panel.c drm/panel: do not return negative error codes from drm_panel_get_modes() 2024-11-19 09:22:36 +01:00
drm_panel_orientation_quirks.c drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model 2024-12-17 13:24:29 +01:00
drm_pci.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_plane.c drm: Don't unref the same fb many times by mistake due to deadlock handling 2024-11-18 12:13:03 +01:00
drm_plane_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_prime.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_print.c Revert "drm/printer: Allow NULL data in devcoredump printer" 2024-11-24 00:23:06 +01:00
drm_probe_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_property.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_rect.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_scatter.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_scdc_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_self_refresh_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_simple_kms_helper.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_syncobj.c drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set 2024-11-18 22:25:42 +01:00
drm_sysfs.c drm/connector: Add a fwnode pointer to drm_connector and register with ACPI (v2) 2024-11-08 11:26:14 +01:00
drm_trace.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_trace_points.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_vblank.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_vblank_work.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_vm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_vma_manager.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drm_writeback.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00