From 02e66df89052cd226f65b37711da6deeaec4a6db Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 08:18:45 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
drm-repaper-fix-integer-overflows-in-repeat-functions.patch
---
 ...nteger-overflows-in-repeat-functions.patch | 53 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch
diff --git a/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch b/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch
new file mode 100644
index 0000000000..600d27e760
--- /dev/null
+++ b/queue-5.4/drm-repaper-fix-integer-overflows-in-repeat-functions.patch
@@ -0,0 +1,53 @@
+From 4d098000ac193f359e6b8ca4801dbdbd6a27b41f Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich
+Date: Thu, 16 Jan 2025 05:48:01 -0800
+Subject: drm/repaper: fix integer overflows in repeat functions
+
+From: Nikita Zhandarovich
+
+commit 4d098000ac193f359e6b8ca4801dbdbd6a27b41f upstream.
+
+There are conditions, albeit somewhat unlikely, under which right hand
+expressions, calculating the end of time period in functions like
+repaper_frame_fixed_repeat(), may overflow.
+
+For instance, if 'factor10x' in repaper_get_temperature() is high
+enough (170), as is 'epd->stage_time' in repaper_probe(), then the
+resulting value of 'end' will not fit in unsigned int expression.
+
+Mitigate this by casting 'epd->factored_stage_time' to wider type before
+any multiplication is done.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 3589211e9b03 ("drm/tinydrm: Add RePaper e-ink driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Alex Lanzano
+Link: https://patchwork.freedesktop.org/patch/msgid/20250116134801.22067-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/tiny/repaper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/tiny/repaper.c
++++ b/drivers/gpu/drm/tiny/repaper.c
+@@ -454,7 +454,7 @@ static void repaper_frame_fixed_repeat(s
+ enum repaper_stage stage)
+ {
+ u64 start = local_clock();
+- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
++ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
+
+ do {
+ repaper_frame_fixed(epd, fixed_value, stage);
+@@ -465,7 +465,7 @@ static void repaper_frame_data_repeat(st
+ const u8 *mask, enum repaper_stage stage)
+ {
+ u64 start = local_clock();
+- u64 end = start + (epd->factored_stage_time * 1000 * 1000);
++ u64 end = start + ((u64)epd->factored_stage_time * 1000 * 1000);
+
+ do {
+ repaper_frame_data(epd, image, mask, stage);
diff --git a/queue-5.4/series b/queue-5.4/series
index aba11f3bf3..d732f337c6 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -104,3 +104,4 @@ riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
 virtiofs-add-filesystem-context-source-name-check.patch
 perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
 perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
+drm-repaper-fix-integer-overflows-in-repeat-functions.patch
--
2.47.3
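Review bot: The `(u64)` cast in the embedded repaper.c hunks (at 454 in repaper_frame_fixed_repeat() and at 465 in repaper_frame_data_repeat()) carries the whole fix but has no comment, so a later cleanup that drops it as redundant would silently bring back the unsigned int multiplication the commit message describes. A one-line comment above each `end` computation would pin the intent, for example `/* widen before multiplying so the product cannot wrap in unsigned int arithmetic */`. The bare `1000 * 1000` could also be spelled `NSEC_PER_MSEC` if factored_stage_time is in milliseconds, which the hunk does not show and should be confirmed. Both functions continue past the hunk (the loop that consumes `end` is cut off), so the effect of a too-small `end` is inferred rather than visible here.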