From: Luca Coelho Date: Tue, 9 Sep 2025 08:30:11 +0000 (+0300) Subject: drm/i915/dmc: explicitly sanitize num_entries from package_header X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db7944458f4e5cdc11402e18ccbbc7aac4286f4b;p=thirdparty%2Fkernel%2Flinux.git drm/i915/dmc: explicitly sanitize num_entries from package_header num_entries comes from package_header, which is read from an external firmware blob and thus untrusted. In parse_dmc_fw_package() we assign package_header->num_entries to a local variable, but the range check still uses the struct field directly. Switch the check to use the local copy instead. This makes the sanitization explicit and avoids a redundant dereference. Reviewed-by: Mitul Golani Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/20250909083042.1292672-1-luciano.coelho@intel.com --- diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c index 77a0199f9ea5f..517bebb0b4aac 100644 --- a/drivers/gpu/drm/i915/display/intel_dmc.c +++ b/drivers/gpu/drm/i915/display/intel_dmc.c @@ -1141,7 +1141,7 @@ parse_dmc_fw_package(struct intel_dmc *dmc, } num_entries = package_header->num_entries; - if (WARN_ON(package_header->num_entries > max_entries)) + if (WARN_ON(num_entries > max_entries)) num_entries = max_entries; fw_info = (const struct intel_fw_info *)
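Review bot: In parse_dmc_fw_package(), the changed line `if (WARN_ON(num_entries > max_entries))` uses WARN_ON for a condition that the contents of the firmware file decide, and the commit message itself describes that blob as external and untrusted. A malformed file can therefore produce a kernel warning and backtrace on demand, and on systems booted with panic_on_warn it will halt the machine. WARN_ON is meant for states that should never occur, so an ordinary error log such as drm_err() fits better here. It is also worth deciding whether clamping to max_entries and parsing on is preferable to rejecting the package outright. Separately, the declarations of num_entries and max_entries are outside this hunk. Now that the check reads the local copy, please confirm both are unsigned and at least as wide as package_header->num_entries, because a signed local could turn a large header value negative and let it pass the `>` comparison.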