5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 16:14:23 +0000 (18:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 16:14:23 +0000 (18:14 +0200)
added patches:
drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch

queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch [new file with mode: 0644]
queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch b/queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
new file mode 100644 (file)
index 0000000..4ba247d
--- /dev/null
@@ -0,0 +1,47 @@
+From f0f3981c43b32cadfe373d636d9e9ca522bb3702 Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Thu, 7 May 2026 15:38:37 -0400
+Subject: drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit f0f3981c43b32cadfe373d636d9e9ca522bb3702 upstream.
+
+[Why & How]
+During HDCP 2.x repeater authentication over HDMI, the driver reads the
+sink's RxStatus register and extracts a 10-bit message size field (max
+value 1023). This value is used as the read length for the ReceiverID
+list without being clamped to the size of the destination buffer
+rx_id_list[177]. A malicious HDMI repeater could advertise a message
+size larger than the buffer, causing an out-of-bounds write during the
+I2C read.
+
+Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
+rx_id_list buffer, matching the approach already used in the DP branch.
+
+Fixes: eff682f83c9c ("drm/amd/display: Add DDC handles for HDCP2.2")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+@@ -533,7 +533,8 @@ enum mod_hdcp_status mod_hdcp_read_rx_id
+       } else {
+               status = read(hdcp, MOD_HDCP_MESSAGE_ID_READ_REPEATER_AUTH_SEND_RECEIVERID_LIST,
+                               hdcp->auth.msg.hdcp2.rx_id_list,
+-                              hdcp->auth.msg.hdcp2.rx_id_list_size);
++                              MIN(hdcp->auth.msg.hdcp2.rx_id_list_size,
++                                  sizeof(hdcp->auth.msg.hdcp2.rx_id_list)));
+       }
+       return status;
+ }
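Review bot: The clamp in the HDMI branch of mod_hdcp_read_rx_id_list() bounds only the length passed to read(); `hdcp->auth.msg.hdcp2.rx_id_list_size` itself keeps the sink-supplied value, which the commit message says can reach 1023. No later consumer of that field is visible in this hunk, but any code that uses it as a length for parsing or copying the list would still work with a size larger than the buffer, so the callers should be audited or the field clamped where it is assigned. An oversized message could also be rejected rather than silently truncated, since a truncated ReceiverID list cannot be valid anyway, for example `if (hdcp->auth.msg.hdcp2.rx_id_list_size > sizeof(hdcp->auth.msg.hdcp2.rx_id_list)) return MOD_HDCP_STATUS_DDC_FAILURE;` ahead of the read. The function starts outside the hunk, so where the size field is populated cannot be confirmed from here.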
diff --git a/queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch b/queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
new file mode 100644 (file)
index 0000000..c31edd6
--- /dev/null
@@ -0,0 +1,53 @@
+From adf67034b1f61f7119295208085bfd43f85f56af Mon Sep 17 00:00:00 2001
+From: Harry Wentland <harry.wentland@amd.com>
+Date: Mon, 11 May 2026 16:46:25 -0400
+Subject: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
+
+From: Harry Wentland <harry.wentland@amd.com>
+
+commit adf67034b1f61f7119295208085bfd43f85f56af upstream.
+
+[Why & How]
+dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
+without checking for NULL. A connector can be connected but not bound to
+any CRTC (e.g. after hot-plug before the next atomic commit), causing a
+kernel crash when writing to the sdp_message debugfs node.
+
+The function also ignores the user-provided size argument and always
+passes 36 bytes to copy_from_user(), reading past the user buffer when
+size < 36.
+
+Fix both issues by:
+- Returning -ENODEV when connector->base.state or state->crtc is NULL
+- Clamping write_size to min(size, sizeof(data))
+
+Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -895,8 +895,13 @@ static ssize_t dp_sdp_message_debugfs_wr
+       if (size == 0)
+               return 0;
++      if (!connector->base.state || !connector->base.state->crtc)
++              return -ENODEV;
++
+       acrtc_state = to_dm_crtc_state(connector->base.state->crtc->state);
++      write_size = min_t(size_t, size, sizeof(data));
++
+       r = copy_from_user(data, buf, write_size);
+       write_size -= r;
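Review bot: The added NULL check on `connector->base.state` and `connector->base.state->crtc` and the dereference on the following `to_dm_crtc_state(...)` line are separate reads with no lock visible in the hunk, so a concurrent atomic commit could presumably still change those pointers between check and use. Wrapping the lookup in `drm_modeset_lock(&connector->base.dev->mode_config.connection_mutex, NULL);` and a matching `drm_modeset_unlock(...)` would close that window, and `crtc->state` is dereferenced without a check of its own. Separately, a partial `copy_from_user()` is still treated as a short but successful write through `write_size -= r;`, where `if (r) return -EFAULT;` would be the usual handling. The function begins and continues outside the hunk, so the declaration of `data` and how `write_size` is used afterwards cannot be verified here.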
index 702120dc9068481fe8aba5fd38c22ab23889727f..d086829c0fc7df2347ccac1db02201e257ac6248 100644 (file)
@@ -208,3 +208,5 @@ thunderbolt-reject-zero-length-property-entries-in-validator.patch
 thunderbolt-bound-root-directory-content-to-block-size.patch
 thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
 thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
+drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
+drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch