From: Greg Kroah-Hartman Date: Mon, 30 Jan 2023 13:25:30 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.10.166~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38cf9cc211887cb468c0be3ab7359e2399a38083;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drm-i915-display-fix-compiler-warning-about-array-overrun.patch --- diff --git a/queue-4.19/drm-i915-display-fix-compiler-warning-about-array-overrun.patch b/queue-4.19/drm-i915-display-fix-compiler-warning-about-array-overrun.patch new file mode 100644 index 00000000000..406406d58da --- /dev/null +++ b/queue-4.19/drm-i915-display-fix-compiler-warning-about-array-overrun.patch @@ -0,0 +1,72 @@ +From fec4d42724a1bf3dcba52307e55375fdb967b852 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sat, 8 May 2021 11:30:22 -0700 +Subject: drm/i915/display: fix compiler warning about array overrun +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit fec4d42724a1bf3dcba52307e55375fdb967b852 upstream. + +intel_dp_check_mst_status() uses a 14-byte array to read the DPRX Event +Status Indicator data, but then passes that buffer at offset 10 off as +an argument to drm_dp_channel_eq_ok(). + +End result: there are only 4 bytes remaining of the buffer, yet +drm_dp_channel_eq_ok() wants a 6-byte buffer. gcc-11 correctly warns +about this case: + + drivers/gpu/drm/i915/display/intel_dp.c: In function ‘intel_dp_check_mst_status’: + drivers/gpu/drm/i915/display/intel_dp.c:3491:22: warning: ‘drm_dp_channel_eq_ok’ reading 6 bytes from a region of size 4 [-Wstringop-overread] + 3491 | !drm_dp_channel_eq_ok(&esi[10], intel_dp->lane_count)) { + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/i915/display/intel_dp.c:3491:22: note: referencing argument 1 of type ‘const u8 *’ {aka ‘const unsigned char *’} + In file included from drivers/gpu/drm/i915/display/intel_dp.c:38: + include/drm/drm_dp_helper.h:1466:6: note: in a call to function ‘drm_dp_channel_eq_ok’ + 1466 | bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE], + | ^~~~~~~~~~~~~~~~~~~~ + 6:14 elapsed + +This commit just extends the original array by 2 zero-initialized bytes, +avoiding the warning. + +There may be some underlying bug in here that caused this confusion, but +this is at least no worse than the existing situation that could use +random data off the stack. + +Cc: Jani Nikula +Cc: Ville Syrjälä +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: Daniel Vetter +Cc: Dave Airlie +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_dp.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -4116,7 +4116,18 @@ intel_dp_check_mst_status(struct intel_d + bool bret; + + if (intel_dp->is_mst) { +- u8 esi[DP_DPRX_ESI_LEN] = { 0 }; ++ /* ++ * The +2 is because DP_DPRX_ESI_LEN is 14, but we then ++ * pass in "esi+10" to drm_dp_channel_eq_ok(), which ++ * takes a 6-byte array. So we actually need 16 bytes ++ * here. ++ * ++ * Somebody who knows what the limits actually are ++ * should check this, but for now this is at least ++ * harmless and avoids a valid compiler warning about ++ * using more of the array than we have allocated. ++ */ ++ u8 esi[DP_DPRX_ESI_LEN+2] = { 0 }; + int ret = 0; + int retry; + bool handled; diff --git a/queue-4.19/series b/queue-4.19/series index 9911ad0bc88..d924b56692f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -62,3 +62,4 @@ net-ravb-fix-possible-hang-if-ris2_qff1-happen.patch net-tg3-resolve-deadlock-in-tg3_reset_task-during-ee.patch revert-input-synaptics-switch-touchpad-on-hp-laptop-15-da3001tu-to-rmi-mode.patch x86-i8259-mark-legacy-pic-interrupts-with-irq_level.patch +drm-i915-display-fix-compiler-warning-about-array-overrun.patch