linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
@ 2021-12-03  9:25 Kees Cook
  2021-12-03 15:28 ` Thierry Reding
  0 siblings, 1 reply; 3+ messages in thread
From: Kees Cook @ 2021-12-03  9:25 UTC (permalink / raw)
  To: Maarten Lankhorst
  Cc: Kees Cook, Maxime Ripard, Thomas Zimmermann, David Airlie,
	Daniel Vetter, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi,
	Tvrtko Ursulin, Ville Syrjälä,
	Imre Deak, Uma Shankar, Manasi Navare, Ankit Nautiyal,
	José Roberto de Souza, Thierry Reding, Philipp Zabel,
	Lyude Paul, linux-kernel, dri-devel, intel-gfx, linux-hardening

The link_status array was not large enough to read the Adjust Request
Post Cursor2 register. Adjust the size to include it. Found with a
-Warray-bounds build:

drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
   59 |         return link_status[r - DP_LANE0_1_STATUS];
      |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
  147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
      |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v2: Fix missed array size change in intel_dp_check_mst_status()
---
 drivers/gpu/drm/i915/display/intel_dp.c |  8 ++++----
 include/drm/drm_dp_helper.h             | 10 +++++++++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index 5a8206298691..97367afc7243 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -3647,17 +3647,17 @@ intel_dp_check_mst_status(struct intel_dp *intel_dp)
 
 	for (;;) {
 		/*
-		 * The +2 is because DP_DPRX_ESI_LEN is 14, but we then
+		 * The +10 is because while DP_DPRX_ESI_LEN is 14, we then
 		 * pass in "esi+10" to drm_dp_channel_eq_ok(), which
-		 * takes a 6-byte array. So we actually need 16 bytes
-		 * here.
+		 * takes a DP_LINK_STATUS_SIZE array. So we actually need
+		 * 10 bytes more than DP_LINK_STATUS_SIZE.
 		 *
 		 * Somebody who knows what the limits actually are
 		 * should check this, but for now this is at least
 		 * harmless and avoids a valid compiler warning about
 		 * using more of the array than we have allocated.
 		 */
-		u8 esi[DP_DPRX_ESI_LEN+2] = {};
+		u8 esi[DP_LINK_STATUS_SIZE + 10] = {};
 		bool handled;
 		int retry;
 
diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
index 472dac376284..277643d2fe2c 100644
--- a/include/drm/drm_dp_helper.h
+++ b/include/drm/drm_dp_helper.h
@@ -1517,7 +1517,15 @@ enum drm_dp_phy {
 #define DP_MST_LOGICAL_PORT_0 8
 
 #define DP_LINK_CONSTANT_N_VALUE 0x8000
-#define DP_LINK_STATUS_SIZE	   6
+/*
+ * DPCD registers in link_status:
+ * Link Status:		0x202 through 0x204
+ * Sink Status:		0x205
+ * Adjust Request:	0x206 through 0x207
+ * Training Score:	0x208 through 0x20b
+ * AR Post Cursor2:	0x20c
+ */
+#define DP_LINK_STATUS_SIZE	   11
 bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
 			  int lane_count);
 bool drm_dp_clock_recovery_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
  2021-12-03  9:25 [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register Kees Cook
@ 2021-12-03 15:28 ` Thierry Reding
  2021-12-04  0:30   ` Kees Cook
  0 siblings, 1 reply; 3+ messages in thread
From: Thierry Reding @ 2021-12-03 15:28 UTC (permalink / raw)
  To: Kees Cook
  Cc: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann,
	David Airlie, Daniel Vetter, Jani Nikula, Joonas Lahtinen,
	Rodrigo Vivi, Tvrtko Ursulin, Ville Syrjälä,
	Imre Deak, Uma Shankar, Manasi Navare, Ankit Nautiyal,
	José Roberto de Souza, Philipp Zabel, Lyude Paul,
	linux-kernel, dri-devel, intel-gfx, linux-hardening

[-- Attachment #1: Type: text/plain, Size: 1733 bytes --]

On Fri, Dec 03, 2021 at 01:25:17AM -0800, Kees Cook wrote:
> The link_status array was not large enough to read the Adjust Request
> Post Cursor2 register. Adjust the size to include it. Found with a
> -Warray-bounds build:
> 
> drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
>    59 |         return link_status[r - DP_LANE0_1_STATUS];
>       |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
>   147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>       |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v2: Fix missed array size change in intel_dp_check_mst_status()
> ---
>  drivers/gpu/drm/i915/display/intel_dp.c |  8 ++++----
>  include/drm/drm_dp_helper.h             | 10 +++++++++-
>  2 files changed, 13 insertions(+), 5 deletions(-)

This sounds very familiar and I vaguely recall typing up a patch like
that a long time ago. But I obviously failed because that never seems
to have made it upstream.

Or perhaps I'm misremembering and was thinking about this instead:

	https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/338590/

Bonus points for adding that comment with background information on why
we need this.

Reviewed-by: Thierry Reding <treding@nvidia.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register
  2021-12-03 15:28 ` Thierry Reding
@ 2021-12-04  0:30   ` Kees Cook
  0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2021-12-04  0:30 UTC (permalink / raw)
  To: Thierry Reding
  Cc: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann,
	David Airlie, Daniel Vetter, Jani Nikula, Joonas Lahtinen,
	Rodrigo Vivi, Tvrtko Ursulin, Ville Syrjälä,
	Imre Deak, Uma Shankar, Manasi Navare, Ankit Nautiyal,
	José Roberto de Souza, Philipp Zabel, Lyude Paul,
	linux-kernel, dri-devel, intel-gfx, linux-hardening

On Fri, Dec 03, 2021 at 04:28:56PM +0100, Thierry Reding wrote:
> On Fri, Dec 03, 2021 at 01:25:17AM -0800, Kees Cook wrote:
> > The link_status array was not large enough to read the Adjust Request
> > Post Cursor2 register. Adjust the size to include it. Found with a
> > -Warray-bounds build:
> > 
> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> >    59 |         return link_status[r - DP_LANE0_1_STATUS];
> >       |                ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> >   147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> >       |                                          ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: Fix missed array size change in intel_dp_check_mst_status()
> > ---
> >  drivers/gpu/drm/i915/display/intel_dp.c |  8 ++++----
> >  include/drm/drm_dp_helper.h             | 10 +++++++++-
> >  2 files changed, 13 insertions(+), 5 deletions(-)
> 
> This sounds very familiar and I vaguely recall typing up a patch like
> that a long time ago. But I obviously failed because that never seems
> to have made it upstream.
> 
> Or perhaps I'm misremembering and was thinking about this instead:
> 
> 	https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/338590/

Oh! Yeah, that's the same thing. Looks like that never made its way
upstream. :(

> 
> Bonus points for adding that comment with background information on why
> we need this.

Thanks! Yeah, I needed to really convince myself everything added up and
made sense, and figured I should try to capture that research. ;)

> Reviewed-by: Thierry Reding <treding@nvidia.com>

Thanks!

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-12-04  0:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-03  9:25 [PATCH v2] drm/dp: Actually read Adjust Request Post Cursor2 register Kees Cook
2021-12-03 15:28 ` Thierry Reding
2021-12-04  0:30   ` Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).