From: John Keeping <john@metanate.com>
To: Mark Yao <mark.yao@rock-chips.com>
Cc: Chris Zhong <zyw@rock-chips.com>,
	dri-devel@lists.freedesktop.org,
	linux-arm-kernel@lists.infradead.org,
	linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org,
	Sean Paul <seanpaul@chromium.org>,
	John Keeping <john@metanate.com>
Subject: [PATCH v4 06/23] drm/rockchip: dw-mipi-dsi: avoid out-of-bounds read on tx_buf
Date: Fri, 24 Feb 2017 12:54:49 +0000
Message-ID: <20170224125506.21533-7-john@metanate.com>
In-Reply-To: <20170224125506.21533-1-john@metanate.com>

As a side-effect of this, encode the endianness explicitly rather than
casting a u16.

Signed-off-by: John Keeping <john@metanate.com>
---
v4:
- Introduce "data" variable to avoid confusion around the masking in
  GEN_HDATA()
v3:
- Add Chris' Reviewed-by
Unchanged in v2
---
 drivers/gpu/drm/rockchip/dw-mipi-dsi.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
index 4be1ff3a42bb..f55010312f25 100644
--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
+++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi.c
@@ -572,8 +572,14 @@ static int dw_mipi_dsi_gen_pkt_hdr_write(struct dw_mipi_dsi *dsi, u32 hdr_val)
 static int dw_mipi_dsi_dcs_short_write(struct dw_mipi_dsi *dsi,
 				       const struct mipi_dsi_msg *msg)
 {
-	const u16 *tx_buf = msg->tx_buf;
-	u32 val = GEN_HDATA(*tx_buf) | GEN_HTYPE(msg->type);
+	const u8 *tx_buf = msg->tx_buf;
+	u16 data = 0;
+	u32 val;
+
+	if (msg->tx_len > 0)
+		data |= tx_buf[0];
+	if (msg->tx_len > 1)
+		data |= tx_buf[1] << 8;
 
 	if (msg->tx_len > 2) {
 		dev_err(dsi->dev, "too long tx buf length %zu for short write\n",
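Review bot: the tx_buf[0] and tx_buf[1] reads at the top of the function run before the msg->tx_len > 2 rejection that follows them, so a message that is about to be refused with -EINVAL still has its buffer read first. The reads are bounded by the tx_len tests, so they stay in bounds, but hoisting the length check above them would put validation ahead of any access and leave the two ifs as pure packing. A one-line comment that byte 0 is the low byte of the header data would also record the endianness the commit message mentions.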
@@ -581,6 +587,7 @@ static int dw_mipi_dsi_dcs_short_write(struct dw_mipi_dsi *dsi,
 		return -EINVAL;
 	}
 
+	val = GEN_HDATA(data) | GEN_HTYPE(msg->type);
 	return dw_mipi_dsi_gen_pkt_hdr_write(dsi, val);
 }
 
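Review bot: at the new val assignment, a message with tx_len == 0 arrives with data still 0 and is written out as a header whose data field is zero, because only tx_len > 2 is rejected above. If a zero-length message is not meaningful for a DCS short write, return -EINVAL for it in the same check; if it is intended, a comment saying so would help.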
-- 
2.12.0.rc0.230.gf625d4cdb9.dirty
