From: Hamza Mahfooz <[email protected]> Sent: Monday, May 25, 2026 4:36 AM > > On Sat, May 23, 2026 at 03:27:54PM +0200, Berkant Koc wrote: > > Two independent issues in the synthetic video driver that both stem > > from trusting unvalidated host data. > > > > 1/2 bounds resolution_count from SYNTHVID_RESOLUTION_RESPONSE against > > the supported_resolution[] array, and populates WIN8 defaults for > > hv->screen_*_max / hv->preferred_* in both the WIN10-probe-failure > > path and the pre-WIN10 path, so a failed or pre-WIN10 probe yields a > > usable display instead of having drm_internal_framebuffer_create() > > reject every userspace framebuffer with -EINVAL. > > > > 2/2 forwards bytes_recvd from vmbus_recvpacket() into the sub-handler, > > rejects packets that do not cover the synthvid header, and requires > > the type-specific payload size before memcpy/complete or before > > reading the feature-change byte. Rejected packets are logged via > > drm_err_ratelimited() instead of being silently dropped, matching the > > CoCo-hardened pattern in hv_kvp_onchannelcallback(). > > > > 1/2 is unchanged from v3/v4 and carries Michael Kelley's Reviewed-by. > >
[snip] > > > > Berkant Koc (2): > > drm/hyperv: validate resolution_count and fix WIN8 fallback > > drm/hyperv: validate VMBus packet size in receive callback > > > > drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 113 +++++++++++++++++++--- > > 1 file changed, 97 insertions(+), 16 deletions(-) > > > > > > Applied, thanks! Hamza -- which tree was this applied to? Michael
