Patch "drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer" has been added to the 6.1-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-bridge-ti-sn65dsi86-never-store-more-than-msg-si.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 57568971e8ca978db98bde4b8e417daebc3ba871
Author: Douglas Anderson <dianders@xxxxxxxxxxxx>
Date:   Thu Dec 14 12:37:52 2023 -0800

    drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer
    
    [ Upstream commit aca58eac52b88138ab98c814afb389a381725cd7 ]
    
    For aux reads, the value `msg->size` indicates the size of the buffer
    provided by `msg->buffer`. We should never in any circumstances write
    more bytes to the buffer since it may overflow the buffer.
    
    In the ti-sn65dsi86 driver there is one code path that reads the
    transfer length from hardware. Even though it's never been seen to be
    a problem, we should make extra sure that the hardware isn't
    increasing the length since doing so would cause us to overrun the
    buffer.
    
    Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures")
    Reviewed-by: Stephen Boyd <swboyd@xxxxxxxxxxxx>
    Reviewed-by: Guenter Roeck <groeck@xxxxxxxxxxxx>
    Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20231214123752.v3.2.I7b83c0f31aeedc6b1dc98c7c741d3e1f94f040f8@changeid
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
index 1b5c27ed27370..ff4d0564122a3 100644
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux,
 	u32 request_val = AUX_CMD_REQ(msg->request);
 	u8 *buf = msg->buffer;
 	unsigned int len = msg->size;
+	unsigned int short_len;
 	unsigned int val;
 	int ret;
 	u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG];
@@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux,
 	}
 
 	if (val & AUX_IRQ_STATUS_AUX_SHORT) {
-		ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len);
+		ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len);
+		len = min(len, short_len);
 		if (ret)
 			goto exit;
 	} else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) {