From: Kees Cook <keescook@chromium.org>
To: Thierry Reding <treding@nvidia.com>
Cc: dri-devel@lists.freedesktop.org,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, Maxime Ripard <mripard@kernel.org>,
Philipp Zabel <p.zabel@pengutronix.de>,
intel-gfx@lists.freedesktop.org, linux-hardening@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
Date: Fri, 3 Dec 2021 16:30:12 -0800 [thread overview]
Message-ID: <202112031627.C312CCDD0@keescook> (raw)
In-Reply-To: <Yao3uMmXM+IvrVrF@orome.fritz.box>
On Fri, Dec 03, 2021 at 04:28:56PM +0100, Thierry Reding wrote:
> On Fri, Dec 03, 2021 at 01:25:17AM -0800, Kees Cook wrote:
> > The link_status array was not large enough to read the Adjust Request
> > Post Cursor2 register. Adjust the size to include it. Found with a
> > -Warray-bounds build:
> >
> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> > 59 | return link_status[r - DP_LANE0_1_STATUS];
> > | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> > 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> > | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: Fix missed array size change in intel_dp_check_mst_status()
> > ---
> > drivers/gpu/drm/i915/display/intel_dp.c | 8 ++++----
> > include/drm/drm_dp_helper.h | 10 +++++++++-
> > 2 files changed, 13 insertions(+), 5 deletions(-)
>
> This sounds very familiar and I vaguely recall typing up a patch like
> that a long time ago. But I obviously failed because that never seems
> to have made it upstream.
>
> Or perhaps I'm misremembering and was thinking about this instead:
>
> https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/338590/
Oh! Yeah, that's the same thing. Looks like that never made its way
upstream. :(
>
> Bonus points for adding that comment with background information on why
> we need this.
Thanks! Yeah, I needed to really convince myself everything added up and
made sense, and figured I should try to capture that research. ;)
> Reviewed-by: Thierry Reding <treding@nvidia.com>
Thanks!
-Kees
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Thierry Reding <treding@nvidia.com>
Cc: "Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Jani Nikula" <jani.nikula@linux.intel.com>,
"Joonas Lahtinen" <joonas.lahtinen@linux.intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"Tvrtko Ursulin" <tvrtko.ursulin@linux.intel.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Imre Deak" <imre.deak@intel.com>,
"Uma Shankar" <uma.shankar@intel.com>,
"Manasi Navare" <manasi.d.navare@intel.com>,
"Ankit Nautiyal" <ankit.k.nautiyal@intel.com>,
"José Roberto de Souza" <jose.souza@intel.com>,
"Philipp Zabel" <p.zabel@pengutronix.de>,
"Lyude Paul" <lyude@redhat.com>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
Date: Fri, 3 Dec 2021 16:30:12 -0800 [thread overview]
Message-ID: <202112031627.C312CCDD0@keescook> (raw)
In-Reply-To: <Yao3uMmXM+IvrVrF@orome.fritz.box>
On Fri, Dec 03, 2021 at 04:28:56PM +0100, Thierry Reding wrote:
> On Fri, Dec 03, 2021 at 01:25:17AM -0800, Kees Cook wrote:
> > The link_status array was not large enough to read the Adjust Request
> > Post Cursor2 register. Adjust the size to include it. Found with a
> > -Warray-bounds build:
> >
> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> > 59 | return link_status[r - DP_LANE0_1_STATUS];
> > | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> > 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> > | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: Fix missed array size change in intel_dp_check_mst_status()
> > ---
> > drivers/gpu/drm/i915/display/intel_dp.c | 8 ++++----
> > include/drm/drm_dp_helper.h | 10 +++++++++-
> > 2 files changed, 13 insertions(+), 5 deletions(-)
>
> This sounds very familiar and I vaguely recall typing up a patch like
> that a long time ago. But I obviously failed because that never seems
> to have made it upstream.
>
> Or perhaps I'm misremembering and was thinking about this instead:
>
> https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/338590/
Oh! Yeah, that's the same thing. Looks like that never made its way
upstream. :(
>
> Bonus points for adding that comment with background information on why
> we need this.
Thanks! Yeah, I needed to really convince myself everything added up and
made sense, and figured I should try to capture that research. ;)
> Reviewed-by: Thierry Reding <treding@nvidia.com>
Thanks!
-Kees
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Thierry Reding <treding@nvidia.com>
Cc: dri-devel@lists.freedesktop.org,
"Tvrtko Ursulin" <tvrtko.ursulin@linux.intel.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"David Airlie" <airlied@linux.ie>,
linux-kernel@vger.kernel.org,
"Manasi Navare" <manasi.d.navare@intel.com>,
"Uma Shankar" <uma.shankar@intel.com>,
"Rodrigo Vivi" <rodrigo.vivi@intel.com>,
"José Roberto de Souza" <jose.souza@intel.com>,
"Ankit Nautiyal" <ankit.k.nautiyal@intel.com>,
intel-gfx@lists.freedesktop.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
Date: Fri, 3 Dec 2021 16:30:12 -0800 [thread overview]
Message-ID: <202112031627.C312CCDD0@keescook> (raw)
In-Reply-To: <Yao3uMmXM+IvrVrF@orome.fritz.box>
On Fri, Dec 03, 2021 at 04:28:56PM +0100, Thierry Reding wrote:
> On Fri, Dec 03, 2021 at 01:25:17AM -0800, Kees Cook wrote:
> > The link_status array was not large enough to read the Adjust Request
> > Post Cursor2 register. Adjust the size to include it. Found with a
> > -Warray-bounds build:
> >
> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> > 59 | return link_status[r - DP_LANE0_1_STATUS];
> > | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> > 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> > | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: Fix missed array size change in intel_dp_check_mst_status()
> > ---
> > drivers/gpu/drm/i915/display/intel_dp.c | 8 ++++----
> > include/drm/drm_dp_helper.h | 10 +++++++++-
> > 2 files changed, 13 insertions(+), 5 deletions(-)
>
> This sounds very familiar and I vaguely recall typing up a patch like
> that a long time ago. But I obviously failed because that never seems
> to have made it upstream.
>
> Or perhaps I'm misremembering and was thinking about this instead:
>
> https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/338590/
Oh! Yeah, that's the same thing. Looks like that never made its way
upstream. :(
>
> Bonus points for adding that comment with background information on why
> we need this.
Thanks! Yeah, I needed to really convince myself everything added up and
made sense, and figured I should try to capture that research. ;)
> Reviewed-by: Thierry Reding <treding@nvidia.com>
Thanks!
-Kees
--
Kees Cook
next prev parent reply other threads:[~2021-12-04 0:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-03 9:25 [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register Kees Cook
2021-12-03 9:25 ` [Intel-gfx] " Kees Cook
2021-12-03 9:25 ` Kees Cook
2021-12-03 11:47 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2021-12-03 11:50 ` [Intel-gfx] ✗ Fi.CI.SPARSE: " Patchwork
2021-12-03 12:12 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2021-12-03 15:28 ` [PATCH v2] " Thierry Reding
2021-12-03 15:28 ` [Intel-gfx] " Thierry Reding
2021-12-03 15:28 ` Thierry Reding
2021-12-04 0:30 ` Kees Cook [this message]
2021-12-04 0:30 ` Kees Cook
2021-12-04 0:30 ` Kees Cook
2021-12-03 16:16 ` [Intel-gfx] ✗ Fi.CI.IGT: failure for " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202112031627.C312CCDD0@keescook \
--to=keescook@chromium.org \
--cc=airlied@linux.ie \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mripard@kernel.org \
--cc=p.zabel@pengutronix.de \
--cc=treding@nvidia.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.