From aa38691ed94b525fa3b13319bc64931212c834ee Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: May 25 2023 06:19:09 +0000 Subject: drm/amd: Fix an out of bounds error in BIOS parser (git-fixes). --- diff --git a/patches.suse/drm-amd-Fix-an-out-of-bounds-error-in-BIOS-parser.patch b/patches.suse/drm-amd-Fix-an-out-of-bounds-error-in-BIOS-parser.patch new file mode 100644 index 0000000..ee51866 --- /dev/null +++ b/patches.suse/drm-amd-Fix-an-out-of-bounds-error-in-BIOS-parser.patch @@ -0,0 +1,49 @@ +From d116db180decec1b21bba31d2ff495ac4d8e1b83 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 23 Mar 2023 14:07:06 -0500 +Subject: [PATCH] drm/amd: Fix an out of bounds error in BIOS parser +Git-commit: d116db180decec1b21bba31d2ff495ac4d8e1b83 +Patch-mainline: v6.4-rc1 +References: git-fixes + +The array is hardcoded to 8 in atomfirmware.h, but firmware provides +a bigger one sometimes. Deferencing the larger array causes an out +of bounds error. + +commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error +in bios parser") fixed some of this, but there are two other cases +not covered by it. Fix those as well. + +Reported-by: erhard_f@mailbox.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214853 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2473 +Signed-off-by: Mario Limonciello +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +index f0f948501e9a..cce47d3f1a13 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -515,11 +515,8 @@ static enum bp_result get_gpio_i2c_info( + info->i2c_slave_address = record->i2c_slave_addr; + + /* TODO: check how to get register offset for en, Y, etc. */ +- info->gpio_info.clk_a_register_index = +- le16_to_cpu( +- header->gpio_pin[table_index].data_a_reg_index); +- info->gpio_info.clk_a_shift = +- header->gpio_pin[table_index].gpio_bitshift; ++ info->gpio_info.clk_a_register_index = le16_to_cpu(pin->data_a_reg_index); ++ info->gpio_info.clk_a_shift = pin->gpio_bitshift; + + return BP_RESULT_OK; + } +-- +2.35.3 + diff --git a/series.conf b/series.conf index dc30321..44791f8 100644 --- a/series.conf +++ b/series.conf @@ -19841,6 +19841,7 @@ patches.suse/drm-msm-adreno-Disable-preemption-on-Adreno-510.patch patches.suse/drm-msm-fix-NULL-deref-on-snapshot-tear-down.patch patches.suse/drm-msm-dp-Clean-up-handling-of-DP-AUX-interrupts.patch + patches.suse/drm-amd-Fix-an-out-of-bounds-error-in-BIOS-parser.patch patches.suse/drm-amd-display-Fix-potential-null-dereference.patch patches.suse/drm-i915-Make-intel_get_crtc_new_encoder-less-oopsy.patch patches.suse/media-av7110-prevent-underflow-in-write_ts_to_decode.patch