From markov.gi at npc-ksb.ru Thu Dec 11 14:10:28 2025 From: markov.gi at npc-ksb.ru (Markov Gleb) Date: Thu, 11 Dec 2025 14:10:28 +0300 Subject: [ldv-project] [PATCH] dcn20/dc321: Added explicit type conversion when performing Message-ID: <20251211111031.954-1-markov.gi@npc-ksb.ru> Variables of type int and uint are used in integer division operations, and later the result is assigned to a variable of type double with an implicit conversion. Added an explicit conversion to the double type to avoid loss of accuracy and incorrect calculations. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Markov Gleb --- .../drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c | 7 ++++--- .../amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 7 ++++--- drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c | 4 ++-- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c index 9c58ff1069d6..f8c910def6e3 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c @@ -600,10 +600,11 @@ static void get_meta_and_pte_attr(struct display_mode_lib *mode_lib, if (surf_linear) { unsigned int dpte_row_height; - log2_dpte_row_height_linear = dml_floor(dml_log2(dml_min(64 * 1024 * pde_buf_entries + log2_dpte_row_height_linear = dml_floor(dml_log2(dml_min((double)(64 * 1024 + * pde_buf_entries) / bytes_per_element, - dpte_buf_in_pte_reqs - * dpte_req_width) + (double)(dpte_buf_in_pte_reqs + * dpte_req_width)) / data_pitch), 1); diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c index 570e6e39eb45..60c3d357ee15 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c 
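Review bot: Both casts in the `dml_min(...)` arguments are applied to an already parenthesised integer product, `(double)(64 * 1024 * pde_buf_entries)` and `(double)(dpte_buf_in_pte_reqs * dpte_req_width)`, so the multiplications are still carried out in the integer type and any wrap-around there is unchanged; converting an operand first, e.g. `64.0 * 1024 * pde_buf_entries / bytes_per_element`, would evaluate the whole expression in floating point. The second cast only matters if `dml_min` does not already take `double` parameters, which this hunk does not show. Because the first argument was previously truncated before reaching `dml_log2` and `dml_floor`, the new quotient can yield a different `log2_dpte_row_height_linear` at boundary values, so a comment should state whether the original formula intended that truncation. The same applies to the identical hunk in display_rq_dlg_calc_20v2.c. The enclosing function get_meta_and_pte_attr starts and ends outside the hunk.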
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c @@ -600,10 +600,11 @@ static void get_meta_and_pte_attr(struct display_mode_lib *mode_lib, if (surf_linear) { unsigned int dpte_row_height; - log2_dpte_row_height_linear = dml_floor(dml_log2(dml_min(64 * 1024 * pde_buf_entries + log2_dpte_row_height_linear = dml_floor(dml_log2(dml_min((double)(64 * 1024 + * pde_buf_entries) / bytes_per_element, - dpte_buf_in_pte_reqs - * dpte_req_width) + (double)(dpte_buf_in_pte_reqs + * dpte_req_width)) / data_pitch), 1); diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c index e0a1dc89ce43..6667bf9e225d 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c +++ b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c @@ -423,7 +423,7 @@ static int build_synthetic_soc_states(bool disable_dc_mode_overwrite, struct clk *num_entries = 0; entry.dispclk_mhz = max_clk_data.dispclk_mhz; - entry.dscclk_mhz = max_clk_data.dispclk_mhz / 3; + entry.dscclk_mhz = max_clk_data.dispclk_mhz / 3.0; entry.dppclk_mhz = max_clk_data.dppclk_mhz; entry.dtbclk_mhz = max_clk_data.dtbclk_mhz; entry.phyclk_mhz = max_clk_data.phyclk_mhz; @@ -823,7 +823,7 @@ void dcn321_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_p dcn3_21_soc.clock_limits[i].dispclk_mhz = max_dispclk_mhz; dcn3_21_soc.clock_limits[i].dppclk_mhz = max_dppclk_mhz; dcn3_21_soc.clock_limits[i].phyclk_mhz = max_phyclk_mhz; - dcn3_21_soc.clock_limits[i].dscclk_mhz = max_dispclk_mhz / 3; + dcn3_21_soc.clock_limits[i].dscclk_mhz = max_dispclk_mhz / 3.0; /* Populate from bw_params for DTBCLK, SOCCLK */ if (i > 0) { -- 2.43.0 From markov.gi at npc-ksb.ru Thu Dec 11 15:27:24 2025 
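Review bot: Neither `dscclk_mhz` hunk in dcn321_fpu.c shows the type of the dividend, so it is unclear whether `/ 3.0` changes anything. If `max_clk_data.dispclk_mhz` is already a floating-point field the first change is a no-op, while for an integer `max_dispclk_mhz` in dcn321_update_bw_bounding_box_fpu the stored limit changes from a truncated to a fractional MHz value. The commit message should say which of the two sites actually changes behaviour and whether consumers of `clock_limits[i].dscclk_mhz` expect a whole number. A short comment such as `/* DSCCLK limit is DISPCLK / 3, computed in floating point */` at both sites would record the intent. Both enclosing functions continue outside the hunks.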
From: markov.gi at npc-ksb.ru (Markov Gleb) Date: Thu, 11 Dec 2025 15:27:24 +0300 Subject: [ldv-project] [PATCH] exstore.c/exoparg.c: Add null-check on return_desc->pointer use. Message-ID: <20251211122725.987-1-markov.gi@npc-ksb.ru> If the requested length is == 0, then the length variable will be set to == 0. Call of acpi_ex_opcode_3A_1T_1R in exoparg3.c with length == 0 may lead a skip of code block with buffer initialization so usage of any buffer fields will lead to dereference of null. The problem occurs when calling acpi_ex_store with return_desc as the first parameter. Added null check to exstore.c to avoid dereferencing. Make status change on uninitialized buffer. If the solution is trivial, this section can be omitted. Not tried to initialize the buffer again. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Markov Gleb --- drivers/acpi/acpica/exstore.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/acpica/exstore.c b/drivers/acpi/acpica/exstore.c index cbc42207496d..791ecf89d71c 100644 --- a/drivers/acpi/acpica/exstore.c +++ b/drivers/acpi/acpica/exstore.c @@ -299,6 +299,12 @@ acpi_ex_store_object_to_index(union acpi_operand_object *source_desc, /* Note: Takes advantage of common string/buffer fields */ + if (source_desc->buffer.pointer == NULL || + source_desc->buffer.length == 0) { + status = AE_BAD_PARAMETER; + break; + } + value = source_desc->buffer.pointer[0]; break; -- 2.43.0
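Review bot: The `break` after `status = AE_BAD_PARAMETER;` leaves only the innermost enclosing switch, which starts outside this hunk. If the statements after that switch still store `value` into the target buffer, the error path performs the write anyway and only reports the failure afterwards. Returning where the problem is detected, e.g. `return_ACPI_STATUS(AE_BAD_PARAMETER);`, would avoid that. The comment above the guard says this branch relies on common string/buffer fields, so the `length == 0` test presumably also rejects an empty string whose `pointer[0]` may be a valid terminator; testing only `pointer == NULL` may be enough there. The guard would also benefit from a comment such as `/* A zero-length buffer may carry a NULL pointer; do not read its first byte */`.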