5.4-stable patches

added patches:
	drm-repaper-fix-integer-overflows-in-repeat-functions.patch

diff --git a/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch b/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch
new file mode 100644 (file)
index 0000000..600d27e
--- /dev/null
+++ b/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch
@@ -0,0 +1,53 @@
+From 4d098000ac193f359e6b8ca4801dbdbd6a27b41f Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 16 Jan 2025 05:48:01 -0800
+Subject: drm/repaper: fix integer overflows in repeat functions
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 4d098000ac193f359e6b8ca4801dbdbd6a27b41f upstream.
+
+There are conditions, albeit somewhat unlikely, under which right hand
+expressions, calculating the end of time period in functions like
+repaper_frame_fixed_repeat(), may overflow.
+
+For instance, if 'factor10x' in repaper_get_temperature() is high
+enough (170), as is 'epd->stage_time' in repaper_probe(), then the
+resulting value of 'end' will not fit in unsigned int expression.
+
+Mitigate this by casting 'epd->factored_stage_time' to wider type before
+any multiplication is done.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 3589211e9b03 ("drm/tinydrm: Add RePaper e-ink driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Lanzano <lanzano.alex@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250116134801.22067-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tiny/repaper.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/tiny/repaper.c
++++ b/drivers/gpu/drm/tiny/repaper.c
+@@ -454,7 +454,7 @@ static void repaper_frame_fixed_repeat(s
+                                      enum repaper_stage stage)
+ {
+       u64 start = local_clock();
+-      u64 end = start + (epd->factored_stage_time * 1000 * 1000);
++      u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
+ 
+       do {
+               repaper_frame_fixed(epd, fixed_value, stage);
+@@ -465,7 +465,7 @@ static void repaper_frame_data_repeat(st
+                                     const u8 *mask, enum repaper_stage stage)
+ {
+       u64 start = local_clock();
+-      u64 end = start + (epd->factored_stage_time * 1000 * 1000);
++      u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
+ 
+       do {
+               repaper_frame_data(epd, image, mask, stage);

diff --git a/queue-5.4/series b/queue-5.4/series
index aba11f3bf332d813c9863a17b1cb425419dae737..d732f337c671feb1bce6808139a389308dbfec6d 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -104,3 +104,4 @@ riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
 virtiofs-add-filesystem-context-source-name-check.patch
 perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
 perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
+drm-repaper-fix-integer-overflows-in-repeat-functions.patch