* [PATCH] drm/displayid: fix Tiled Display Topology ID size
@ 2026-06-10 14:15 Jani Nikula
2026-06-10 14:32 ` sashiko-bot
2026-06-10 21:10 ` David Airlie
0 siblings, 2 replies; 5+ messages in thread
From: Jani Nikula @ 2026-06-10 14:15 UTC (permalink / raw)
To: dri-devel; +Cc: intel-gfx, intel-xe, jani.nikula, Dave Airlie, stable
The Tiled Display Topology ID of a DisplayID Tiled Display Topology Data
Block consists of three fields:
- Tiled Display Manufacturer/Vendor ID Field (3 bytes)
- Tiled Display Product ID Code Field (2 bytes)
- Tiled Display Serial Number Field (4 bytes)
i.e. a total of 9 bytes, not 8.
The DisplayID Tiled Display Topology ID is used as the tile group
identifier.
Update both struct displayid_tiled_block topology_id member and struct
drm_tile_group group_data member to full 9 bytes.
The group data was missing the last byte of the serial number. I don't
know whether there are known bug reports that might be linked to this,
but it's plausible the last byte could be the differentiating part for
the tile groups, and fewer tile groups might have been created than
intended.
Fixes: b49b55bd4fba ("drm/displayid: add displayid defines and edid extension (v2)")
Fixes: 138f9ebb9755 ("drm: add tile_group support. (v3)")
Cc: Dave Airlie <airlied@redhat.com>
Cc: <stable@vger.kernel.org> # v3.19+
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
---
drivers/gpu/drm/drm_connector.c | 12 ++++++------
drivers/gpu/drm/drm_displayid_internal.h | 2 +-
include/drm/drm_connector.h | 6 +++---
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
index cbb067d02cb9..95028483e0d1 100644
--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -3756,7 +3756,7 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
/**
* drm_mode_get_tile_group - get a reference to an existing tile group
* @dev: DRM device
- * @topology: 8-bytes unique per monitor.
+ * @topology_id: 9-byte unique ID per monitor.
*
* Use the unique bytes to get a reference to an existing tile group.
*
@@ -3764,14 +3764,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
* tile group or NULL if not found.
*/
struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
- const char topology[8])
+ const char topology_id[9])
{
struct drm_tile_group *tg;
int id;
mutex_lock(&dev->mode_config.idr_mutex);
idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
- if (!memcmp(tg->group_data, topology, 8)) {
+ if (!memcmp(tg->group_data, topology_id, sizeof(tg->group_data))) {
if (!kref_get_unless_zero(&tg->refcount))
tg = NULL;
mutex_unlock(&dev->mode_config.idr_mutex);
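Review bot: the parameter in the drm_mode_get_tile_group() signature stays `const char topology_id[9]` while the data it is compared against, `tg->group_data`, is `u8`, and so is the DisplayID source member `topology_id`. Since the line is being rewritten anyway, consider `const u8 topology_id[9]` here and in the prototype so the identifier is treated as raw bytes end to end. Note also that the `[9]` on a parameter decays to a pointer, so only `sizeof(tg->group_data)` actually bounds the memcmp().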
@@ -3786,7 +3786,7 @@ EXPORT_SYMBOL(drm_mode_get_tile_group);
/**
* drm_mode_create_tile_group - create a tile group from a displayid description
* @dev: DRM device
- * @topology: 8-bytes unique per monitor.
+ * @topology_id: 9-byte unique ID per monitor.
*
* Create a tile group for the unique monitor, and get a unique
* identifier for the tile group.
@@ -3795,7 +3795,7 @@ EXPORT_SYMBOL(drm_mode_get_tile_group);
* new tile group or NULL.
*/
struct drm_tile_group *drm_mode_create_tile_group(struct drm_device *dev,
- const char topology[8])
+ const char topology_id[9])
{
struct drm_tile_group *tg;
int ret;
@@ -3805,7 +3805,7 @@ struct drm_tile_group *drm_mode_create_tile_group(struct drm_device *dev,
return NULL;
kref_init(&tg->refcount);
- memcpy(tg->group_data, topology, 8);
+ memcpy(tg->group_data, topology_id, sizeof(tg->group_data));
tg->dev = dev;
mutex_lock(&dev->mode_config.idr_mutex);
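Review bot: the memcpy() in drm_mode_create_tile_group() now reads sizeof(tg->group_data) bytes, i.e. 9, from topology_id, and nothing in this function can verify that the source is that long, because the array parameter is only a pointer. The kernel-doc for this function and for drm_mode_get_tile_group() should say that the caller must pass at least 9 valid bytes, for example a topology_id taken from a DisplayID block whose length has already been checked against sizeof(struct displayid_tiled_block).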
diff --git a/drivers/gpu/drm/drm_displayid_internal.h b/drivers/gpu/drm/drm_displayid_internal.h
index 5b1b32f73516..4590d6a3d821 100644
--- a/drivers/gpu/drm/drm_displayid_internal.h
+++ b/drivers/gpu/drm/drm_displayid_internal.h
@@ -109,7 +109,7 @@ struct displayid_tiled_block {
u8 topo[3];
u8 tile_size[4];
u8 tile_pixel_bezel[5];
- u8 topology_id[8];
+ u8 topology_id[9];
} __packed;
struct displayid_detailed_timings_1 {
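Review bot: `u8 topology_id[9]` leaves the 9 unexplained in the struct itself; the 3 + 2 + 4 byte breakdown exists only in the commit message. A comment on the member naming the vendor ID, product ID code and serial number fields would save the next reader a trip to the spec. Because the struct is __packed and mirrors the block layout, sizeof(struct displayid_tiled_block) also grows by one byte, so any length check written in terms of that sizeof now requires one more byte of payload.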
diff --git a/include/drm/drm_connector.h b/include/drm/drm_connector.h
index 4317166562cf..d75deba31d93 100644
--- a/include/drm/drm_connector.h
+++ b/include/drm/drm_connector.h
@@ -2717,13 +2717,13 @@ struct drm_tile_group {
struct kref refcount;
struct drm_device *dev;
int id;
- u8 group_data[8];
+ u8 group_data[9];
};
struct drm_tile_group *drm_mode_create_tile_group(struct drm_device *dev,
- const char topology[8]);
+ const char topology_id[9]);
struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
- const char topology[8]);
+ const char topology_id[9]);
void drm_mode_put_tile_group(struct drm_device *dev,
struct drm_tile_group *tg);
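Review bot: the literal 9 now appears in `group_data[9]` and in both prototypes in this header, plus `topology_id[9]` in drm_displayid_internal.h, and all of them must agree for the sizeof(tg->group_data) memcmp()/memcpy() to be correct. A single named constant used by these declarations, or a static_assert in a .c file that sees both definitions comparing sizeof the group_data member with sizeof the DisplayID topology_id member, would keep the two sizes from diverging.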
--
2.47.3
* Re: [PATCH] drm/displayid: fix Tiled Display Topology ID size
2026-06-10 14:15 [PATCH] drm/displayid: fix Tiled Display Topology ID size Jani Nikula
@ 2026-06-10 14:32 ` sashiko-bot
2026-06-10 14:45 ` Jani Nikula
2026-06-10 21:10 ` David Airlie
1 sibling, 1 reply; 5+ messages in thread
From: sashiko-bot @ 2026-06-10 14:32 UTC (permalink / raw)
To: Jani Nikula; +Cc: dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing payload size validation in `drm_parse_tiled_block` allows an out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled display blocks.
--
commit 3a0b5d7c7c564335f99c7d692448de9241f67bbd
Author: Jani Nikula <jani.nikula@intel.com>
drm/displayid: fix Tiled Display Topology ID size
This commit updates the Tiled Display Topology ID size from 8 to 9 bytes
in the DRM subsystem structures.
> diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
> index 3fa4d2082cd72..11646453aaac9 100644
> --- a/drivers/gpu/drm/drm_connector.c
> +++ b/drivers/gpu/drm/drm_connector.c
[ ... ]
> @@ -3579,14 +3579,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
> * tile group or NULL if not found.
> */
> struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
> - const char topology[8])
> + const char topology_id[9])
> {
> struct drm_tile_group *tg;
> int id;
>
> mutex_lock(&dev->mode_config.idr_mutex);
> idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
> - if (!memcmp(tg->group_data, topology, 8)) {
> + if (!memcmp(tg->group_data, topology_id, sizeof(tg->group_data))) {
[Severity: High]
This isn't a bug introduced by this patch, but could this lead to an
out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
display blocks?
Looking at drm_parse_tiled_block() in drivers/gpu/drm/drm_edid.c, the generic
block is cast to a displayid_tiled_block without validating that the payload
size (block->num_bytes) is large enough:
drivers/gpu/drm/drm_edid.c:drm_parse_tiled_block() {
...
const struct displayid_tiled_block *tile =
(struct displayid_tiled_block *)block;
...
tg = drm_mode_get_tile_group(connector->dev, tile->topology_id);
}
If a malformed EDID provides a tiled block with a short length near the end
of the allocated EDID buffer, comparing 9 bytes here (or copying them down in
drm_mode_create_tile_group()) might read past the bounds of the EDID buffer.
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610141549.555605-1-jani.nikula@intel.com?part=1
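The length validation discussed in the review above, as an added userspace C example that is not kernel code and not part of the thread: it checks the declared payload size against both the buffer and the fixed tiled-block layout before touching the 9-byte topology ID. The blk_hdr layout, the tile_cap member, read_topology_id() and check_sample() are assumptions made for illustration; only the last four struct members are taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOPOLOGY_ID_LEN 9 /* 3 vendor + 2 product + 4 serial, per the patch */

/* Assumed userspace mirror of the block layout (header and tile_cap are assumptions). */
struct blk_hdr { uint8_t tag, rev, num_bytes; } __attribute__((packed));
struct tiled_block {
	struct blk_hdr base;
	uint8_t tile_cap;
	uint8_t topo[3];
	uint8_t tile_size[4];
	uint8_t tile_pixel_bezel[5];
	uint8_t topology_id[TOPOLOGY_ID_LEN];
} __attribute__((packed));

/*
 * Copy the topology ID out of the block at buf[off]. Returns 0 on success,
 * -1 when the header, the declared payload, or the fixed layout does not fit.
 */
int read_topology_id(const uint8_t *buf, size_t len, size_t off,
		     uint8_t out[TOPOLOGY_ID_LEN])
{
	struct blk_hdr hdr;

	if (off > len || len - off < sizeof(hdr))
		return -1;	/* header itself is truncated */
	memcpy(&hdr, buf + off, sizeof(hdr));
	if (hdr.num_bytes > len - off - sizeof(hdr))
		return -1;	/* declared payload runs past the buffer */
	if (hdr.num_bytes < sizeof(struct tiled_block) - sizeof(hdr))
		return -1;	/* payload too short to hold the 9-byte ID */
	memcpy(out, buf + off + offsetof(struct tiled_block, topology_id),
	       TOPOLOGY_ID_LEN);
	return 0;
}

/* Constructed sample: a block declaring `declared` payload bytes, parsed
 * from the first `buf_len` bytes of a zeroed buffer (tag value constructed). */
int check_sample(uint8_t declared, size_t buf_len)
{
	uint8_t buf[64] = { 0x12, 0x00, declared }, id[TOPOLOGY_ID_LEN];
	return read_topology_id(buf, buf_len, 0, id);
}
```

A block sized for the old 8-byte field (21 payload bytes) is rejected here, since the layout with the full ID needs 22.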
* Re: [PATCH] drm/displayid: fix Tiled Display Topology ID size
2026-06-10 14:32 ` sashiko-bot
@ 2026-06-10 14:45 ` Jani Nikula
0 siblings, 0 replies; 5+ messages in thread
From: Jani Nikula @ 2026-06-10 14:45 UTC (permalink / raw)
To: sashiko-reviews; +Cc: dri-devel
On Wed, 10 Jun 2026, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Missing payload size validation in `drm_parse_tiled_block` allows an out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled display blocks.
> --
>
> commit 3a0b5d7c7c564335f99c7d692448de9241f67bbd
> Author: Jani Nikula <jani.nikula@intel.com>
>
> drm/displayid: fix Tiled Display Topology ID size
>
> This commit updates the Tiled Display Topology ID size from 8 to 9 bytes
> in the DRM subsystem structures.
>
>> diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
>> index 3fa4d2082cd72..11646453aaac9 100644
>> --- a/drivers/gpu/drm/drm_connector.c
>> +++ b/drivers/gpu/drm/drm_connector.c
> [ ... ]
>> @@ -3579,14 +3579,14 @@ EXPORT_SYMBOL(drm_mode_put_tile_group);
>> * tile group or NULL if not found.
>> */
>> struct drm_tile_group *drm_mode_get_tile_group(struct drm_device *dev,
>> - const char topology[8])
>> + const char topology_id[9])
>> {
>> struct drm_tile_group *tg;
>> int id;
>>
>> mutex_lock(&dev->mode_config.idr_mutex);
>> idr_for_each_entry(&dev->mode_config.tile_idr, tg, id) {
>> - if (!memcmp(tg->group_data, topology, 8)) {
>> + if (!memcmp(tg->group_data, topology_id, sizeof(tg->group_data))) {
>
> [Severity: High]
> This isn't a bug introduced by this patch, but could this lead to an
> out-of-bounds read of the EDID buffer when parsing malformed DisplayID tiled
> display blocks?
>
> Looking at drm_parse_tiled_block() in drivers/gpu/drm/drm_edid.c, the generic
> block is cast to a displayid_tiled_block without validating that the payload
> size (block->num_bytes) is large enough:
>
> drivers/gpu/drm/drm_edid.c:drm_parse_tiled_block() {
> ...
> const struct displayid_tiled_block *tile =
> (struct displayid_tiled_block *)block;
> ...
> tg = drm_mode_get_tile_group(connector->dev, tile->topology_id);
> }
>
> If a malformed EDID provides a tiled block with a short length near the end
> of the allocated EDID buffer, comparing 9 bytes here (or copying them down in
> drm_mode_create_tile_group()) might read past the bounds of the EDID buffer.
Yeah, maybe you should start reading the mailing list [1]. This patch is
in response to the fix for that very issue.
BR,
Jani.
[1] https://lore.kernel.org/r/4e784cad86c91595b6d5da64ca854dab38357658@intel.com
--
Jani Nikula, Intel
* Re: [PATCH] drm/displayid: fix Tiled Display Topology ID size
2026-06-10 14:15 [PATCH] drm/displayid: fix Tiled Display Topology ID size Jani Nikula
2026-06-10 14:32 ` sashiko-bot
@ 2026-06-10 21:10 ` David Airlie
2026-06-15 11:14 ` Jani Nikula
1 sibling, 1 reply; 5+ messages in thread
From: David Airlie @ 2026-06-10 21:10 UTC (permalink / raw)
To: Jani Nikula; +Cc: dri-devel, intel-gfx, intel-xe, stable
On Thu, Jun 11, 2026 at 12:16 AM Jani Nikula <jani.nikula@intel.com> wrote:
>
> The Tiled Display Topology ID of a DisplayID Tiled Display Topology Data
> Block consists of three fields:
>
> - Tiled Display Manufacturer/Vendor ID Field (3 bytes)
> - Tiled Display Product ID Code Field (2 bytes)
> - Tiled Display Serial Number Field (4 bytes)
>
> i.e. a total of 9 bytes, not 8.
>
> The DisplayID Tiled Display Topology ID is used as the tile group
> identifier.
>
> Update both struct displayid_tiled_block topology_id member and struct
> drm_tile_group group_data member to full 9 bytes.
>
> The group data was missing the last byte of the serial number. I don't
> know whether there are known bug reports that might be linked to this,
> but it's plausible the last byte could be the differentiating part for
> the tile groups, and fewer tile groups might have been created than
> intended.
I pulled out my spec, and indeed I can confirm this is the correct reading!
Reviewed-by: Dave Airlie <airlied@redhat.com>
* Re: [PATCH] drm/displayid: fix Tiled Display Topology ID size
2026-06-10 21:10 ` David Airlie
@ 2026-06-15 11:14 ` Jani Nikula
0 siblings, 0 replies; 5+ messages in thread
From: Jani Nikula @ 2026-06-15 11:14 UTC (permalink / raw)
To: David Airlie; +Cc: dri-devel, intel-gfx, intel-xe, stable
On Thu, 11 Jun 2026, David Airlie <airlied@redhat.com> wrote:
> On Thu, Jun 11, 2026 at 12:16 AM Jani Nikula <jani.nikula@intel.com> wrote:
>>
>> The Tiled Display Topology ID of a DisplayID Tiled Display Topology Data
>> Block consists of three fields:
>>
>> - Tiled Display Manufacturer/Vendor ID Field (3 bytes)
>> - Tiled Display Product ID Code Field (2 bytes)
>> - Tiled Display Serial Number Field (4 bytes)
>>
>> i.e. a total of 9 bytes, not 8.
>>
>> The DisplayID Tiled Display Topology ID is used as the tile group
>> identifier.
>>
>> Update both struct displayid_tiled_block topology_id member and struct
>> drm_tile_group group_data member to full 9 bytes.
>>
>> The group data was missing the last byte of the serial number. I don't
>> know whether there are known bug reports that might be linked to this,
>> but it's plausible the last byte could be the differentiating part for
>> the tile groups, and fewer tile groups might have been created than
>> intended.
>
> I pulled out my spec, and indeed I can confirm this is the correct reading!
>
> Reviewed-by: Dave Airlie <airlied@redhat.com>
Thanks for the review, pushed to drm-misc-fixes.
BR,
Jani.
--
Jani Nikula, Intel