From 98fac70f84450b5088b17d631dd1a5282722195f Mon Sep 17 00:00:00 2001 From: jsg Date: Tue, 2 Jun 2026 03:48:34 +0000 Subject: [PATCH] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async From Harry Wentland 1ecde19bfce6535bffddad1139ff466b6d401b8e in linux-6.18.y/6.18.34 6c92f6d9600efa3ef0d9e560a2b52776d9803c29 in mainline linux --- sys/dev/pci/drm/amd/display/dc/core/dc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sys/dev/pci/drm/amd/display/dc/core/dc.c b/sys/dev/pci/drm/amd/display/dc/core/dc.c index 5f2d5638c81..0347174173f 100644 --- a/sys/dev/pci/drm/amd/display/dc/core/dc.c +++ b/sys/dev/pci/drm/amd/display/dc/core/dc.c @@ -5884,7 +5884,11 @@ bool dc_process_dmub_aux_transfer_async(struct dc *dc, uint8_t action; union dmub_rb_cmd cmd = {0}; - ASSERT(payload->length <= 16); + if (link_index >= dc->link_count || !dc->links[link_index]) + return false; + + if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data)) + return false; cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS; cmd.dp_aux_access.header.payload_bytes = 0;