From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 31 Oct 2022 06:39:03 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.19.263~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0da49caebd4b8770728c6b8f648b94004ad20046;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	drm-msm-hdmi-fix-memory-corruption-with-too-many-bridges.patch
---

diff --git a/queue-4.14/drm-msm-hdmi-fix-memory-corruption-with-too-many-bridges.patch b/queue-4.14/drm-msm-hdmi-fix-memory-corruption-with-too-many-bridges.patch
new file mode 100644
index 00000000000..0326c124306
--- /dev/null
+++ b/queue-4.14/drm-msm-hdmi-fix-memory-corruption-with-too-many-bridges.patch
@@ -0,0 +1,41 @@
+From 4c1294da6aed1f16d47a417dcfe6602833c3c95c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 13 Sep 2022 10:53:14 +0200
+Subject: drm/msm/hdmi: fix memory corruption with too many bridges
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 4c1294da6aed1f16d47a417dcfe6602833c3c95c upstream.
+
+Add the missing sanity check on the bridge counter to avoid corrupting
+data beyond the fixed-sized bridge array in case there are ever more
+than eight bridges.
+
+Fixes: a3376e3ec81c ("drm/msm: convert to drm_bridge")
+Cc: stable@vger.kernel.org	# 3.12
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/502670/
+Link: https://lore.kernel.org/r/20220913085320.8577-5-johan+linaro@kernel.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/hdmi/hdmi.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
+@@ -291,6 +291,11 @@ int msm_hdmi_modeset_init(struct hdmi *h
+ 	struct platform_device *pdev = hdmi->pdev;
+ 	int ret;
+ 
++	if (priv->num_bridges == ARRAY_SIZE(priv->bridges)) {
++		DRM_DEV_ERROR(dev->dev, "too many bridges\n");
++		return -ENOSPC;
++	}
++
+ 	hdmi->dev = dev;
+ 	hdmi->encoder = encoder;
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 00ca358f21a..ed6ef630a77 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -25,3 +25,4 @@ tools-iio-iio_utils-fix-digit-calculation.patch
 iio-light-tsl2583-fix-module-unloading.patch
 fbdev-smscufx-fix-several-use-after-free-bugs.patch
 mac802154-fix-lqi-recording.patch
+drm-msm-hdmi-fix-memory-corruption-with-too-many-bridges.patch