<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/gpu/drm/display, branch v7.2-rc1</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>drm/dp: Add DSC virtual DPCD quirk for Realtek MST branch device</title>
<updated>2026-05-27T13:36:58+00:00</updated>
<author>
<name>Imre Deak</name>
<email>imre.deak@intel.com</email>
</author>
<published>2026-05-25T12:55:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=bff2da7aa0020eb72e42d63868dc5adaa0fb85d3'/>
<id>bff2da7aa0020eb72e42d63868dc5adaa0fb85d3</id>
<content type='text'>
The ASUS DC301 USB-C dock containing a Realtek MST branch device
supports the DSC decompression functionality on each of the dock's
downstream connectors, even though there is no discoverable peer-to-peer
virtual device in the MST topology (which the DP Standard
requires/suggests to control the DSC functionality on a per-DFP basis).
Add the DP_DPCD_QUIRK_DSC_WITHOUT_VIRTUAL_DPCD quirk for this branch
device as well to enable the DSC decompression functionality on all DFP
connectors of the dock, similarly to how this is done for dock's
containing older Synaptics branch devices.

Cc: Lyude Paul &lt;lyude@redhat.com&gt;
Reported-and-tested-by: Shawn C Lee &lt;shawn.c.lee@intel.com&gt;
Reviewed-by: Mika Kahola &lt;mika.kahola@intel.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
Signed-off-by: Imre Deak &lt;imre.deak@intel.com&gt;
Link: https://patch.msgid.link/20260525125516.2794636-1-imre.deak@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The ASUS DC301 USB-C dock containing a Realtek MST branch device
supports the DSC decompression functionality on each of the dock's
downstream connectors, even though there is no discoverable peer-to-peer
virtual device in the MST topology (which the DP Standard
requires/suggests to control the DSC functionality on a per-DFP basis).
Add the DP_DPCD_QUIRK_DSC_WITHOUT_VIRTUAL_DPCD quirk for this branch
device as well to enable the DSC decompression functionality on all DFP
connectors of the dock, similarly to how this is done for dock's
containing older Synaptics branch devices.

Cc: Lyude Paul &lt;lyude@redhat.com&gt;
Reported-and-tested-by: Shawn C Lee &lt;shawn.c.lee@intel.com&gt;
Reviewed-by: Mika Kahola &lt;mika.kahola@intel.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
Signed-off-by: Imre Deak &lt;imre.deak@intel.com&gt;
Link: https://patch.msgid.link/20260525125516.2794636-1-imre.deak@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp/mst: fix OOB reads on 2-byte fields in sideband reply parsers</title>
<updated>2026-05-18T18:01:45+00:00</updated>
<author>
<name>Ashutosh Desai</name>
<email>ashutoshdesai993@gmail.com</email>
</author>
<published>2026-05-10T20:31:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=6b89ba3dba2f583626fb693e47e951ffb8bf591f'/>
<id>6b89ba3dba2f583626fb693e47e951ffb8bf591f</id>
<content type='text'>
Three sideband reply parsers read 16-bit fields as:

  val = (raw-&gt;msg[idx] &lt;&lt; 8) | (raw-&gt;msg[idx+1]);

and check bounds only after the fact. When idx == raw-&gt;curlen,
raw-&gt;msg[idx+1] reads one byte past the received message data into
the following struct fields (curchunk_len, curchunk_idx, curlen).

Affected functions:
 - drm_dp_sideband_parse_enum_path_resources_ack()
   full_payload_bw_number and avail_payload_bw_number fields
 - drm_dp_sideband_parse_allocate_payload_ack()
   allocated_pbn field
 - drm_dp_sideband_parse_query_payload_ack()
   allocated_pbn field

Fix by using a single combined check (idx + 2 &gt; curlen) before each
2-byte read. Since the check is strictly tighter than idx &gt; curlen,
no separate step is needed.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
[added fixes tag]
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260510203128.2884846-1-ashutoshdesai993@gmail.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Three sideband reply parsers read 16-bit fields as:

  val = (raw-&gt;msg[idx] &lt;&lt; 8) | (raw-&gt;msg[idx+1]);

and check bounds only after the fact. When idx == raw-&gt;curlen,
raw-&gt;msg[idx+1] reads one byte past the received message data into
the following struct fields (curchunk_len, curchunk_idx, curlen).

Affected functions:
 - drm_dp_sideband_parse_enum_path_resources_ack()
   full_payload_bw_number and avail_payload_bw_number fields
 - drm_dp_sideband_parse_allocate_payload_ack()
   allocated_pbn field
 - drm_dp_sideband_parse_query_payload_ack()
   allocated_pbn field

Fix by using a single combined check (idx + 2 &gt; curlen) before each
2-byte read. Since the check is strictly tighter than idx &gt; curlen,
no separate step is needed.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
[added fixes tag]
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260510203128.2884846-1-ashutoshdesai993@gmail.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers</title>
<updated>2026-05-18T17:55:38+00:00</updated>
<author>
<name>Ashutosh Desai</name>
<email>ashutoshdesai993@gmail.com</email>
</author>
<published>2026-05-10T20:17:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1a8f537f5a1eeac941f262fe73078d6b08ba83c0'/>
<id>1a8f537f5a1eeac941f262fe73078d6b08ba83c0</id>
<content type='text'>
drm_dp_sideband_parse_remote_dpcd_read() reads num_bytes from the raw
message and then unconditionally does:

  memcpy(bytes, &amp;raw-&gt;msg[idx], num_bytes);

without checking that idx + num_bytes &lt;= raw-&gt;curlen. raw-&gt;msg[] is
256 bytes; if a malicious or misbehaving MST hub sets num_bytes larger
than the remaining payload, the memcpy reads past the received data
into whatever follows in raw-&gt;msg[].

drm_dp_sideband_parse_remote_i2c_read_ack() has the same flaw (noted
with a /* TODO check */ comment since the code was introduced).

Fix both functions by using a single combined check
(idx + num_bytes &gt; curlen) before each memcpy. Since num_bytes is u8,
it is always &gt;= 0, so this strictly subsumes the simpler idx &gt; curlen
form and no separate step is needed.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
[added missing fixes tag]
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260510201733.2882224-1-ashutoshdesai993@gmail.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
drm_dp_sideband_parse_remote_dpcd_read() reads num_bytes from the raw
message and then unconditionally does:

  memcpy(bytes, &amp;raw-&gt;msg[idx], num_bytes);

without checking that idx + num_bytes &lt;= raw-&gt;curlen. raw-&gt;msg[] is
256 bytes; if a malicious or misbehaving MST hub sets num_bytes larger
than the remaining payload, the memcpy reads past the received data
into whatever follows in raw-&gt;msg[].

drm_dp_sideband_parse_remote_i2c_read_ack() has the same flaw (noted
with a /* TODO check */ comment since the code was introduced).

Fix both functions by using a single combined check
(idx + num_bytes &gt; curlen) before each memcpy. Since num_bytes is u8,
it is always &gt;= 0, so this strictly subsumes the simpler idx &gt; curlen
form and no separate step is needed.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
[added missing fixes tag]
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260510201733.2882224-1-ashutoshdesai993@gmail.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp: Use drm_printf_indent for DP SDP logging</title>
<updated>2026-05-11T08:58:50+00:00</updated>
<author>
<name>Ankit Nautiyal</name>
<email>ankit.k.nautiyal@intel.com</email>
</author>
<published>2026-04-28T07:44:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ddfbe68a14260aabce25322fac81f2d02501369a'/>
<id>ddfbe68a14260aabce25322fac81f2d02501369a</id>
<content type='text'>
Currently the DP SDP log helpers use spaces for indentation. Switch to
tabs for indentation and use drm_printf_indent to keep the format
strings readable.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Jani Nikula &lt;jani.nikula@intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-10-ankit.k.nautiyal@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently the DP SDP log helpers use spaces for indentation. Switch to
tabs for indentation and use drm_printf_indent to keep the format
strings readable.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Jani Nikula &lt;jani.nikula@intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-10-ankit.k.nautiyal@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp: Add target_rr_divider field in AS SDP logging</title>
<updated>2026-05-11T08:58:49+00:00</updated>
<author>
<name>Ankit Nautiyal</name>
<email>ankit.k.nautiyal@intel.com</email>
</author>
<published>2026-04-28T07:44:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=936420e685ebe9b7b71cfa75a5465f2560dcb07c'/>
<id>936420e685ebe9b7b71cfa75a5465f2560dcb07c</id>
<content type='text'>
The field target_rr_divider is missing from the AS SDP logging.
Add it and print the divider value (1.001 or 1.000) as per the DP 2.1 spec.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-9-ankit.k.nautiyal@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The field target_rr_divider is missing from the AS SDP logging.
Add it and print the divider value (1.001 or 1.000) as per the DP 2.1 spec.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-9-ankit.k.nautiyal@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp: Add a helper to get the SDP type as a string</title>
<updated>2026-05-11T08:58:47+00:00</updated>
<author>
<name>Ankit Nautiyal</name>
<email>ankit.k.nautiyal@intel.com</email>
</author>
<published>2026-04-28T07:44:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=899f7991ea409e57aaa4c4c0a76810a32da3f051'/>
<id>899f7991ea409e57aaa4c4c0a76810a32da3f051</id>
<content type='text'>
Introduce dp_sdp_type_get_name() to get the SDP type as a string.
Use this to log the SDP type based on the sdp_type fields of the
VSC and AS SDPs instead of the hardcoded strings.

v2: Modify the SDP names to match the DisplayPort Spec. (Ville)

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-8-ankit.k.nautiyal@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Introduce dp_sdp_type_get_name() to get the SDP type as a string.
Use this to log the SDP type based on the sdp_type fields of the
VSC and AS SDPs instead of the hardcoded strings.

v2: Modify the SDP names to match the DisplayPort Spec. (Ville)

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-8-ankit.k.nautiyal@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp: Store coasting vtotal in struct drm_dp_as_sdp</title>
<updated>2026-05-11T08:58:46+00:00</updated>
<author>
<name>Ankit Nautiyal</name>
<email>ankit.k.nautiyal@intel.com</email>
</author>
<published>2026-04-28T07:44:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e878adca8477b4f6d51dee257c2ef3d2ad0086a5'/>
<id>e878adca8477b4f6d51dee257c2ef3d2ad0086a5</id>
<content type='text'>
Add new field in struct drm_dp_as_sdp to store coasting vtotal.
This is used by the sinks that support Panel Replay and Asynchronous
timing during PR Active to derive refresh rate, when AS SDP transmission
is stopped by the source.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-7-ankit.k.nautiyal@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add new field in struct drm_dp_as_sdp to store coasting vtotal.
This is used by the sinks that support Panel Replay and Asynchronous
timing during PR Active to derive refresh rate, when AS SDP transmission
is stopped by the source.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-7-ankit.k.nautiyal@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp: Refactor AS SDP logging to use space-separated field names</title>
<updated>2026-05-11T08:58:44+00:00</updated>
<author>
<name>Ankit Nautiyal</name>
<email>ankit.k.nautiyal@intel.com</email>
</author>
<published>2026-04-28T07:44:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=24b960b83375aa79829e75ab7327fcbcb2a72de0'/>
<id>24b960b83375aa79829e75ab7327fcbcb2a72de0</id>
<content type='text'>
Replace underscores with spaces in AS SDP log field labels to be
consistent with the VSC SDP logging style.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-6-ankit.k.nautiyal@intel.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace underscores with spaces in AS SDP log field labels to be
consistent with the VSC SDP logging style.

Signed-off-by: Ankit Nautiyal &lt;ankit.k.nautiyal@intel.com&gt;
Reviewed-by: Ville Syrjälä &lt;ville.syrjala@linux.intel.com&gt;
Signed-off-by: Suraj Kandpal &lt;suraj.kandpal@intel.com&gt;
Link: https://patch.msgid.link/20260428074457.3566918-6-ankit.k.nautiyal@intel.com
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/panel: Make drm_panel_init() static</title>
<updated>2026-05-11T07:14:21+00:00</updated>
<author>
<name>Albert Esteve</name>
<email>aesteve@redhat.com</email>
</author>
<published>2026-05-08T07:04:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=fe417df954a923937c0ace237e37ce750c16a99f'/>
<id>fe417df954a923937c0ace237e37ce750c16a99f</id>
<content type='text'>
Now that all panel drivers use devm_drm_panel_alloc(),
there are no external callers of drm_panel_init().
Make it static to prevent new users from bypassing the
refcounted allocation path.

Remove stale references to drm_panel_init() in kdocs.

Reviewed-by: Maxime Ripard &lt;mripard@kernel.org&gt;
Signed-off-by: Albert Esteve &lt;aesteve@redhat.com&gt;
Reviewed-by: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://patch.msgid.link/20260508-drm_panel_init_rm-v2-10-0bd4ac429971@redhat.com
Signed-off-by: Maxime Ripard &lt;mripard@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now that all panel drivers use devm_drm_panel_alloc(),
there are no external callers of drm_panel_init().
Make it static to prevent new users from bypassing the
refcounted allocation path.

Remove stale references to drm_panel_init() in kdocs.

Reviewed-by: Maxime Ripard &lt;mripard@kernel.org&gt;
Signed-off-by: Albert Esteve &lt;aesteve@redhat.com&gt;
Reviewed-by: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;
Reviewed-by: Thomas Zimmermann &lt;tzimmermann@suse.de&gt;
Link: https://patch.msgid.link/20260508-drm_panel_init_rm-v2-10-0bd4ac429971@redhat.com
Signed-off-by: Maxime Ripard &lt;mripard@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drm/dp/mst: fix buffer overflows in sideband chunk accumulation</title>
<updated>2026-05-07T18:20:59+00:00</updated>
<author>
<name>Ashutosh Desai</name>
<email>ashutoshdesai993@gmail.com</email>
</author>
<published>2026-04-10T04:19:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=55bd5e685bda455b9b50c835f8c8442d52a344a3'/>
<id>55bd5e685bda455b9b50c835f8c8442d52a344a3</id>
<content type='text'>
drm_dp_sideband_append_payload() has three related bugs when processing
device-provided sideband reply data:

1. Zero-length curchunk_len underflow: msg_len is a 6-bit field taken
   directly from the DP sideband header. If a device sends msg_len=0,
   curchunk_len is set to zero. The condition (curchunk_idx &gt;= curchunk_len)
   is immediately true, and curchunk_len-1 wraps to 255 (u8 underflow).
   drm_dp_msg_data_crc4() reads 255 bytes from chunk[48], then memcpy()
   writes 255 bytes into msg[], both far out of bounds.

2. chunk[48] overflow: curchunk_len can reach 63 (6-bit field). chunk[] is
   only 48 bytes. Multi-iteration payload assembly appends 16-byte blocks
   until curchunk_idx reaches curchunk_len, writing up to 15 bytes past
   the end of chunk[] into msg[].

3. msg[256] overflow: each chunk contributes (curchunk_len-1) bytes to
   msg[]. No check ensures curlen + (curchunk_len-1) stays within msg[256],
   so the memcpy can spill into adjacent struct fields.

All three are reachable from any DP MST device that can forge sideband
reply messages on a physical connection.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260410041901.2438960-1-ashutoshdesai993@gmail.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
drm_dp_sideband_append_payload() has three related bugs when processing
device-provided sideband reply data:

1. Zero-length curchunk_len underflow: msg_len is a 6-bit field taken
   directly from the DP sideband header. If a device sends msg_len=0,
   curchunk_len is set to zero. The condition (curchunk_idx &gt;= curchunk_len)
   is immediately true, and curchunk_len-1 wraps to 255 (u8 underflow).
   drm_dp_msg_data_crc4() reads 255 bytes from chunk[48], then memcpy()
   writes 255 bytes into msg[], both far out of bounds.

2. chunk[48] overflow: curchunk_len can reach 63 (6-bit field). chunk[] is
   only 48 bytes. Multi-iteration payload assembly appends 16-byte blocks
   until curchunk_idx reaches curchunk_len, writing up to 15 bytes past
   the end of chunk[] into msg[].

3. msg[256] overflow: each chunk contributes (curchunk_len-1) bytes to
   msg[]. No check ensures curlen + (curchunk_len-1) stays within msg[256],
   so the memcpy can spill into adjacent struct fields.

All three are reachable from any DP MST device that can forge sideband
reply messages on a physical connection.

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: &lt;stable@vger.kernel.org&gt; # v3.17+
Signed-off-by: Ashutosh Desai &lt;ashutoshdesai993@gmail.com&gt;
Reviewed-by: Lyude Paul &lt;lyude@redhat.com&gt;
Signed-off-by: Lyude Paul &lt;lyude@redhat.com&gt;
Link: https://patch.msgid.link/20260410041901.2438960-1-ashutoshdesai993@gmail.com
</pre>
</div>
</content>
</entry>
</feed>
