Patch "drm/amd: Fix an out of bounds error in BIOS parser" has been added to the 6.3-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 19 May 2023 21:44:25 -0400

This is a note to let you know that I've just added the patch titled

    drm/amd: Fix an out of bounds error in BIOS parser

to the 6.3-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-amd-fix-an-out-of-bounds-error-in-bios-parser.patch
and it can be found in the queue-6.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1813bca030329210104ba1a22411d43051939181
Author: Mario Limonciello <mario.limonciello@xxxxxxx>
Date:   Thu Mar 23 14:07:06 2023 -0500

    drm/amd: Fix an out of bounds error in BIOS parser
    
    [ Upstream commit d116db180decec1b21bba31d2ff495ac4d8e1b83 ]
    
    The array is hardcoded to 8 in atomfirmware.h, but firmware provides
    a bigger one sometimes. Deferencing the larger array causes an out
    of bounds error.
    
    commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error
    in bios parser") fixed some of this, but there are two other cases
    not covered by it.  Fix those as well.
    
    Reported-by: erhard_f@xxxxxxxxxxx
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=214853
    Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2473
    Signed-off-by: Mario Limonciello <mario.limonciello@xxxxxxx>
    Reviewed-by: Harry Wentland <harry.wentland@xxxxxxx>
    Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index e381de2429fa6..ae3783a7d7f45 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -515,11 +515,8 @@ static enum bp_result get_gpio_i2c_info(
 	info->i2c_slave_address = record->i2c_slave_addr;
 
 	/* TODO: check how to get register offset for en, Y, etc. */
-	info->gpio_info.clk_a_register_index =
-			le16_to_cpu(
-			header->gpio_pin[table_index].data_a_reg_index);
-	info->gpio_info.clk_a_shift =
-			header->gpio_pin[table_index].gpio_bitshift;
+	info->gpio_info.clk_a_register_index = le16_to_cpu(pin->data_a_reg_index);
+	info->gpio_info.clk_a_shift = pin->gpio_bitshift;
 
 	return BP_RESULT_OK;
 }






