From: Jani Nikula <jani.nikula@linux.intel.com>
To: Ville Syrjala <ville.syrjala@linux.intel.com>,
	intel-gfx@lists.freedesktop.org
Subject: Re: [Intel-gfx] [PATCH v2 04/22] drm/i915/bios: Validate LFP data table pointers
Date: Thu, 07 Apr 2022 19:07:06 +0300	[thread overview]
Message-ID: <871qy86fo5.fsf@intel.com> (raw)
In-Reply-To: <20220405173410.11436-5-ville.syrjala@linux.intel.com>

On Tue, 05 Apr 2022, Ville Syrjala <ville.syrjala@linux.intel.com> wrote:
> From: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
> Make sure the LFP data table pointers are sane: sensible looking
> table entries, everything pointing correctly into the data block,
> etc.
>
> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>

I can't adequately describe my opinion about the design of the data
structures here. Sheesh.

Dunno why we keep struct lvds_lfp_data_entry and struct
bdb_lvds_lfp_data around, as they don't really reflect reality.

Reviewed-by: Jani Nikula <jani.nikula@intel.com>


> ---
>  drivers/gpu/drm/i915/display/intel_bios.c | 82 ++++++++++++++++++++++-
>  1 file changed, 81 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
> index 000544280c35..cd82ea4de8e1 100644
> --- a/drivers/gpu/drm/i915/display/intel_bios.c
> +++ b/drivers/gpu/drm/i915/display/intel_bios.c
> @@ -133,6 +133,18 @@ static u32 block_offset(const void *bdb, enum bdb_block_id section_id)
>  	return block - bdb;
>  }
>  
> +/* size of the block excluding the header */
> +static u32 block_size(const void *bdb, enum bdb_block_id section_id)
> +{
> +	const void *block;
> +
> +	block = find_raw_section(bdb, section_id);
> +	if (!block)
> +		return 0;
> +
> +	return get_blocksize(block);
> +}
> +
>  struct bdb_block_entry {
>  	struct list_head node;
>  	enum bdb_block_id section_id;
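Review bot: The comment on `block_size()` does not say that a return of 0 also means the section was not found, which is the case the new caller relies on when it rejects `data_block_size == 0`. I would extend it to `/* size of the block excluding the header, 0 if the block is not present */`. The function returns u32 while the caller stores the result in an `int`; that is harmless only as long as get_blocksize() stays within int range, which cannot be confirmed from this hunk.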
> @@ -191,6 +203,74 @@ static const struct {
>  	  .min_size = sizeof(struct bdb_generic_dtd), },
>  };
>  
> +static bool validate_lfp_data_ptrs(const void *bdb,
> +				   const struct bdb_lvds_lfp_data_ptrs *ptrs)
> +{
> +	int fp_timing_size, dvo_timing_size, panel_pnp_id_size;
> +	int data_block_size, lfp_data_size;
> +	int i;
> +
> +	data_block_size = block_size(bdb, BDB_LVDS_LFP_DATA);
> +	if (data_block_size == 0)
> +		return false;
> +
> +	/* always 3 indicating the presence of fp_timing+dvo_timing+panel_pnp_id */
> +	if (ptrs->lvds_entries != 3)
> +		return false;
> +
> +	fp_timing_size = ptrs->ptr[0].fp_timing.table_size;
> +	dvo_timing_size = ptrs->ptr[0].dvo_timing.table_size;
> +	panel_pnp_id_size = ptrs->ptr[0].panel_pnp_id.table_size;
> +
> +	/* fp_timing has variable size */
> +	if (fp_timing_size < 32 ||
> +	    dvo_timing_size != sizeof(struct lvds_dvo_timing) ||
> +	    panel_pnp_id_size != sizeof(struct lvds_pnp_id))
> +		return false;
> +
> +	lfp_data_size = ptrs->ptr[1].fp_timing.offset - ptrs->ptr[0].fp_timing.offset;
> +	if (16 * lfp_data_size > data_block_size)
> +		return false;
> +
> +	/*
> +	 * Except for vlv/chv machines all real VBTs seem to have 6
> +	 * unaccounted bytes in the fp_timing table. And it doesn't
> +	 * appear to be a really intentional hole as the fp_timing
> +	 * 0xffff terminator is always within those 6 missing bytes.
> +	 */
> +	if (fp_timing_size + dvo_timing_size + panel_pnp_id_size != lfp_data_size &&
> +	    fp_timing_size + 6 + dvo_timing_size + panel_pnp_id_size != lfp_data_size)
> +		return false;
> +
> +	if (ptrs->ptr[0].fp_timing.offset + fp_timing_size > ptrs->ptr[0].dvo_timing.offset ||
> +	    ptrs->ptr[0].dvo_timing.offset + dvo_timing_size != ptrs->ptr[0].panel_pnp_id.offset ||
> +	    ptrs->ptr[0].panel_pnp_id.offset + panel_pnp_id_size != lfp_data_size)
> +		return false;
> +
> +	/* make sure the table entries have uniform size */
> +	for (i = 1; i < 16; i++) {
> +		if (ptrs->ptr[i].fp_timing.table_size != fp_timing_size ||
> +		    ptrs->ptr[i].dvo_timing.table_size != dvo_timing_size ||
> +		    ptrs->ptr[i].panel_pnp_id.table_size != panel_pnp_id_size)
> +			return false;
> +
> +		if (ptrs->ptr[i].fp_timing.offset - ptrs->ptr[i-1].fp_timing.offset != lfp_data_size ||
> +		    ptrs->ptr[i].dvo_timing.offset - ptrs->ptr[i-1].dvo_timing.offset != lfp_data_size ||
> +		    ptrs->ptr[i].panel_pnp_id.offset - ptrs->ptr[i-1].panel_pnp_id.offset != lfp_data_size)
> +			return false;
> +	}
> +
> +	/* make sure the tables fit inside the data block */
> +	for (i = 0; i < 16; i++) {
> +		if (ptrs->ptr[i].fp_timing.offset + fp_timing_size > data_block_size ||
> +		    ptrs->ptr[i].dvo_timing.offset + dvo_timing_size > data_block_size ||
> +		    ptrs->ptr[i].panel_pnp_id.offset + panel_pnp_id_size > data_block_size)
> +			return false;
> +	}
> +
> +	return true;
> +}
> +
>  /* make the data table offsets relative to the data block */
>  static bool fixup_lfp_data_ptrs(const void *bdb, void *ptrs_block)
>  {
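Review bot: In `validate_lfp_data_ptrs()` the stride `lfp_data_size`, computed as `ptr[1].fp_timing.offset - ptr[0].fp_timing.offset`, is never checked for being positive on its own. A zero or negative value passes `16 * lfp_data_size > data_block_size` and is rejected only because the later size-sum comparison must equal a sum that is at least 32. Since these fields are read from the VBT, I would make the bound explicit with `if (lfp_data_size <= 0 || 16 * lfp_data_size > data_block_size)` so it does not depend on the order of the later checks. The literals 16, 32 and 6 would also read better as named constants; if 16 is the length of `ptrs->ptr` (its declaration is not in this hunk), `ARRAY_SIZE(ptrs->ptr)` would keep the loops tied to the array.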
> @@ -211,7 +291,7 @@ static bool fixup_lfp_data_ptrs(const void *bdb, void *ptrs_block)
>  		ptrs->ptr[i].panel_pnp_id.offset -= offset;
>  	}
>  
> -	return true;
> +	return validate_lfp_data_ptrs(bdb, ptrs);
>  }
>  
>  static void
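Review bot: When `validate_lfp_data_ptrs()` fails here, `fixup_lfp_data_ptrs()` returns false after its loop has already rewritten the offsets in `ptrs_block` relative to the data block, so the block is left modified but rejected. The caller is outside this hunk; it should drop the block on a false return rather than keep parsing it. A comment above the return, such as `/* on failure the offsets have already been rebased; caller must discard the block */`, would record that contract. Only part of the function body is visible in this hunk.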

-- 
Jani Nikula, Intel Open Source Graphics Center
