6.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jason-JH.Lin <jason-jh.lin@xxxxxxxxxxxx> [ Upstream commit d761b9450e31e5abd212f0085d424ed32760de5a ] CERT-C Characters and Strings (CERT STR31-C) all_drm_priv[cnt] evaluates to an address that could be at negative offset of an array. In mtk_drm_get_all_drm_priv(): Guarantee that storage for strings has sufficient space for character data and the null terminator. So change cnt to unsigned int and check its max value. Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") Signed-off-by: Jason-JH.Lin <jason-jh.lin@xxxxxxxxxxxx> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx> Reviewed-by: CK Hu <ck.hu@xxxxxxxxxxxx> Reviewed-by: Alexandre Mergnat <amergnat@xxxxxxxxxxxx> Link: https://patchwork.kernel.org/project/dri-devel/patch/20230714094908.13087-3-jason-jh.lin@xxxxxxxxxxxx/ Signed-off-by: Chun-Kuang Hu <chunkuang.hu@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 6dcb4ba2466c0..fc217e0acd45d 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -354,7 +354,7 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) const struct of_device_id *of_id; struct device_node *node; struct device *drm_dev; - int cnt = 0; + unsigned int cnt = 0; int i, j; for_each_child_of_node(phandle->parent, node) { @@ -375,6 +375,9 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) all_drm_priv[cnt] = dev_get_drvdata(drm_dev); if (all_drm_priv[cnt] && all_drm_priv[cnt]->mtk_drm_bound) cnt++; + + if (cnt == MAX_CRTC) + break; } if (drm_priv->data->mmsys_dev_num == cnt) { -- 2.40.1