From: Alex Hung <alex.hung@amd.com> mainline inclusion from mainline-v6.12-rc1 commit a15268787b79fd183dd526cc16bec9af4f4e49a1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRBP CVE: CVE-2024-50016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- [ Upstream commit a15268787b79fd183dd526cc16bec9af4f4e49a1 ] sampling_rate is an uint8_t but is assigned an unsigned int, and thus it can overflow. As a result, sampling_rate is changed to uint32_t. Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should only be assigned to a value less or equal than 4. This fixes 2 INTEGER_OVERFLOW issues reported by Coverity. Signed-off-by: Alex Hung <alex.hung@amd.com> Reviewed-by: Wenjing Liu <wenjing.liu@amd.com> Tested-by: Daniel Wheeler <daniel.wheeler@amd.com> Signed-off-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c [file changed] Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com> --- drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 3 ++- drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 2 +- drivers/gpu/drm/amd/display/include/dpcd_defs.h | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c index 3f4403e77814..f60f07ce223d 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c @@ -4117,7 +4117,8 @@ bool dc_link_dp_set_test_pattern( core_link_read_dpcd(link, DP_TRAINING_PATTERN_SET, &training_pattern.raw, sizeof(training_pattern)); - training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern; + if (pattern <= PHY_TEST_PATTERN_END_DP11) + training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern; core_link_write_dpcd(link, DP_TRAINING_PATTERN_SET, &training_pattern.raw, sizeof(training_pattern)); diff --git a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h index 80a2191a3115..ae12c574200e 100644 --- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h +++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h @@ -611,7 +611,7 @@ struct dp_audio_test_data_flags { struct dp_audio_test_data { struct dp_audio_test_data_flags flags; - uint8_t sampling_rate; + uint32_t sampling_rate; uint8_t channel_count; uint8_t pattern_type; uint8_t pattern_period[8]; diff --git a/drivers/gpu/drm/amd/display/include/dpcd_defs.h b/drivers/gpu/drm/amd/display/include/dpcd_defs.h index 3d29646c7cb4..6a4f19c10aa5 100644 --- a/drivers/gpu/drm/amd/display/include/dpcd_defs.h +++ b/drivers/gpu/drm/amd/display/include/dpcd_defs.h @@ -76,6 +76,7 @@ enum dpcd_phy_test_patterns { PHY_TEST_PATTERN_D10_2, PHY_TEST_PATTERN_SYMBOL_ERROR, PHY_TEST_PATTERN_PRBS7, + PHY_TEST_PATTERN_END_DP11 = PHY_TEST_PATTERN_PRBS7, PHY_TEST_PATTERN_80BIT_CUSTOM,/* For DP1.2 only */ PHY_TEST_PATTERN_CP2520_1, PHY_TEST_PATTERN_CP2520_2, -- 2.34.1