From: Benjamin Nwankwo Date: Fri, 6 Mar 2026 17:49:44 +0000 (-0500) Subject: drm/amd/display: Clamp dc_cursor_position x_hotspot to prevent integer overflow X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2aa7987de1169548c465f6cc1019d2112e0e8b5;p=thirdparty%2Flinux.git drm/amd/display: Clamp dc_cursor_position x_hotspot to prevent integer overflow why: Workaround for duplicate cursor. Cursor offsetting via x_hotspot attempts to write a 32 bit unsigned integer to the 8 bit field CURSOR_HOT_SPOT_X. This wraps cursor position back into focus if x_hotspot exceeds 8 bits, making duplicate cursors visible how: Clamp x_hotspot before writing to hardware Reviewed-by: Charlene Liu Reviewed-by: Nevenko Stupar Signed-off-by: Benjamin Nwankwo Signed-off-by: Chuanyu Tseng Tested-by: Dan Wheeler Signed-off-by: Alex Deucher --- diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c index 4985e885952d9..263e0c4d34f66 100644 --- a/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c +++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c @@ -812,9 +812,8 @@ void hubp401_cursor_set_position( int x_pos_viewport = 0; int x_hot_viewport = 0; uint32_t cur_en = pos->enable ? 1 : 0; - + uint32_t x_hotspot_clamped = pos->x_hotspot; hubp->curs_pos = *pos; - /* Recout is zero for pipes if the entire dst_rect is contained * within preceeding ODM slices. */ @@ -845,6 +844,8 @@ void hubp401_cursor_set_position( ASSERT(param->h_scale_ratio.value); + if (x_hotspot_clamped > 0xFF) + x_hotspot_clamped = 0xFF; if (param->h_scale_ratio.value) dst_x_offset = dc_fixpt_floor(dc_fixpt_div( dc_fixpt_from_int(dst_x_offset), @@ -865,7 +866,7 @@ void hubp401_cursor_set_position( CURSOR_Y_POSITION, pos->y); REG_SET_2(CURSOR_HOT_SPOT, 0, - CURSOR_HOT_SPOT_X, pos->x_hotspot, + CURSOR_HOT_SPOT_X, x_hotspot_clamped, CURSOR_HOT_SPOT_Y, pos->y_hotspot); REG_SET(CURSOR_DST_OFFSET, 0,