max_payload is limited by the space we have in
drm_dp_mst_topology_mgr::vcpi_mask,payload_mask. We need to track
max_payloads+1 IDs in these masks, see drm_dp_mst_assign_payload_id().
Add a sanity check for this.
Caught by coverity.
Signed-off-by: Imre Deak <imre.deak at intel.com>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c
b/drivers/gpu/drm/drm_dp_mst_topology.c
index 8f749e6..05c2702 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -2847,6 +2847,9 @@ int drm_dp_mst_topology_mgr_init(struct
drm_dp_mst_topology_mgr *mgr,
mgr->max_dpcd_transaction_bytes = max_dpcd_transaction_bytes;
mgr->max_payloads = max_payloads;
mgr->conn_base_id = conn_base_id;
+ if (max_payloads + 1 > sizeof(mgr->payload_mask) * 8 ||
+ max_payloads + 1 > sizeof(mgr->vcpi_mask) * 8)
+ return -EINVAL;
mgr->payloads = kcalloc(max_payloads, sizeof(struct drm_dp_payload),
GFP_KERNEL);
if (!mgr->payloads)
return -ENOMEM;
--
2.5.0
