--- /dev/null
+From fec4d42724a1bf3dcba52307e55375fdb967b852 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 8 May 2021 11:30:22 -0700
+Subject: drm/i915/display: fix compiler warning about array overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit fec4d42724a1bf3dcba52307e55375fdb967b852 upstream.
+
+intel_dp_check_mst_status() uses a 14-byte array to read the DPRX Event
+Status Indicator data, but then passes that buffer at offset 10 off as
+an argument to drm_dp_channel_eq_ok().
+
+End result: there are only 4 bytes remaining of the buffer, yet
+drm_dp_channel_eq_ok() wants a 6-byte buffer. gcc-11 correctly warns
+about this case:
+
+ drivers/gpu/drm/i915/display/intel_dp.c: In function ‘intel_dp_check_mst_status’:
+ drivers/gpu/drm/i915/display/intel_dp.c:3491:22: warning: ‘drm_dp_channel_eq_ok’ reading 6 bytes from a region of size 4 [-Wstringop-overread]
+ 3491 | !drm_dp_channel_eq_ok(&esi[10], intel_dp->lane_count)) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/gpu/drm/i915/display/intel_dp.c:3491:22: note: referencing argument 1 of type ‘const u8 *’ {aka ‘const unsigned char *’}
+ In file included from drivers/gpu/drm/i915/display/intel_dp.c:38:
+ include/drm/drm_dp_helper.h:1466:6: note: in a call to function ‘drm_dp_channel_eq_ok’
+ 1466 | bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
+ | ^~~~~~~~~~~~~~~~~~~~
+ 6:14 elapsed
+
+This commit just extends the original array by 2 zero-initialized bytes,
+avoiding the warning.
+
+There may be some underlying bug in here that caused this confusion, but
+this is at least no worse than the existing situation that could use
+random data off the stack.
+
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/intel_dp.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -4116,7 +4116,18 @@ intel_dp_check_mst_status(struct intel_d
+ bool bret;
+
+ if (intel_dp->is_mst) {
+- u8 esi[DP_DPRX_ESI_LEN] = { 0 };
++ /*
++ * The +2 is because DP_DPRX_ESI_LEN is 14, but we then
++ * pass in "esi+10" to drm_dp_channel_eq_ok(), which
++ * takes a 6-byte array. So we actually need 16 bytes
++ * here.
++ *
++ * Somebody who knows what the limits actually are
++ * should check this, but for now this is at least
++ * harmless and avoids a valid compiler warning about
++ * using more of the array than we have allocated.
++ */
++ u8 esi[DP_DPRX_ESI_LEN+2] = { 0 };
+ int ret = 0;
+ int retry;
+ bool handled;
projects / thirdparty / kernel / stable-queue.git / commitdiff
