[v2,2/2] drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer
Message ID | 20231214123205.v2.2.I7b83c0f31aeedc6b1dc98c7c741d3e1f94f040f8@changeid |
---|---|
State | New |
Headers |
From: Douglas Anderson <dianders@chromium.org> To: dri-devel@lists.freedesktop.org Cc: Guenter Roeck <groeck@chromium.org>, Douglas Anderson <dianders@chromium.org>, Andrzej Hajda <andrzej.hajda@intel.com>, Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@gmail.com>, Jernej Skrabec <jernej.skrabec@gmail.com>, Jonas Karlman <jonas@kwiboo.se>, Laurent Pinchart <Laurent.pinchart@ideasonboard.com>, Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Neil Armstrong <neil.armstrong@linaro.org>, Robert Foss <rfoss@kernel.org>, Sam Ravnborg <sam@ravnborg.org>, Stephen Boyd <swboyd@chromium.org>, Thomas Zimmermann <tzimmermann@suse.de>, linux-kernel@vger.kernel.org Subject: [PATCH v2 2/2] drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer Date: Thu, 14 Dec 2023 12:32:06 -0800 Message-ID: <20231214123205.v2.2.I7b83c0f31aeedc6b1dc98c7c741d3e1f94f040f8@changeid> In-Reply-To: <20231214123205.v2.1.I9d1afcaad76a3e2c0ca046dc4adbc2b632c22eda@changeid> |
Series |
[v2,1/2] drm/bridge: parade-ps8640: Never store more than msg->size bytes in AUX xfer
|
|
Commit Message
Doug Anderson
Dec. 14, 2023, 8:32 p.m. UTC
For aux reads, the value `msg->size` indicates the size of the buffer
provided by `msg->buffer`. We should never in any circumstances write
more bytes to the buffer since it may overflow the buffer.
In the ti-sn65dsi86 driver there is one code path that reads the
transfer length from hardware. Even though it's never been seen to be
a problem, we should make extra sure that the hardware isn't
increasing the length since doing so would cause us to overrun the
buffer.
Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
---
Changes in v2:
- Updated patch subject to match ps8640 patch.
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On Thu, Dec 14, 2023 at 9:32 PM Douglas Anderson <dianders@chromium.org> wrote: > > For aux reads, the value `msg->size` indicates the size of the buffer > provided by `msg->buffer`. We should never in any circumstances write > more bytes to the buffer since it may overflow the buffer. > > In the ti-sn65dsi86 driver there is one code path that reads the > transfer length from hardware. Even though it's never been seen to be > a problem, we should make extra sure that the hardware isn't > increasing the length since doing so would cause us to overrun the > buffer. > > Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures") > Signed-off-by: Douglas Anderson <dianders@chromium.org> > --- > > Changes in v2: > - Updated patch subject to match ps8640 patch. > > drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c > index 9095d1453710..62cc3893dca5 100644 > --- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c > @@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, > u32 request_val = AUX_CMD_REQ(msg->request); > u8 *buf = msg->buffer; > unsigned int len = msg->size; > + unsigned int short_len; > unsigned int val; > int ret; > u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG]; > @@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, > } > > if (val & AUX_IRQ_STATUS_AUX_SHORT) { > - ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len); > + ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len); > + len = min(len, short_len); > if (ret) > goto exit; > } else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) { > -- > 2.43.0.472.g3155946c3a-goog > > Reviewed-by: Robert Foss <rfoss@kernel.org>
diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c index 9095d1453710..62cc3893dca5 100644 --- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c +++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c @@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, u32 request_val = AUX_CMD_REQ(msg->request); u8 *buf = msg->buffer; unsigned int len = msg->size; + unsigned int short_len; unsigned int val; int ret; u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG]; @@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux, } if (val & AUX_IRQ_STATUS_AUX_SHORT) { - ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len); + ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len); + len = min(len, short_len); if (ret) goto exit; } else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) {
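Review bot: in the second hunk, `len = min(len, short_len);` sits between the `regmap_read()` call and the `if (ret)` check, so when the read fails the clamp is computed from `short_len`, which the first hunk declares without an initializer and which may not have been written. Moving the clamp below the error check (test `ret`, `goto exit`, then `len = min(len, short_len);`), or initializing `short_len` at its declaration, keeps an indeterminate value from ever reaching `len`. A short comment at the clamp saying that `msg->size` is the bound on `msg->buffer` and that the length read from `SN_AUX_LENGTH_REG` may only shrink it would also document why the extra variable exists.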