From: Jani Nikula <jani.nikula@linux.intel.com>
To: Kees Cook <keescook@chromium.org>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
dri-devel@lists.freedesktop.org,
Thomas Zimmermann <tzimmermann@suse.de>,
Thierry Reding <treding@nvidia.com>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] drm/dp: Actually read Adjust Request Post Cursor2 register
Date: Wed, 08 Dec 2021 13:19:28 +0200 [thread overview]
Message-ID: <87o85r4a4f.fsf@intel.com> (raw)
In-Reply-To: <20211203084354.3105253-1-keescook@chromium.org>
On Fri, 03 Dec 2021, Kees Cook <keescook@chromium.org> wrote:
> The link_status array was not large enough to read the Adjust Request
> Post Cursor2 register. Adjust the size to include it. Found with a
> -Warray-bounds build:
>
> drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> 59 | return link_status[r - DP_LANE0_1_STATUS];
> | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> Signed-off-by: Kees Cook <keescook@chromium.org>
Using DP_ADJUST_REQUEST_POST_CURSOR2 has been deprecated since DP 1.3
published in 2014, and Tegra is the only user of
drm_dp_get_adjust_request_post_cursor().
Instead of bumping the link status read size from 6 to 11 for all
drivers I'd much rather see some other (maybe Tegra specific) solution
to this.
BR,
Jani.
> ---
> include/drm/drm_dp_helper.h | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
> index 472dac376284..277643d2fe2c 100644
> --- a/include/drm/drm_dp_helper.h
> +++ b/include/drm/drm_dp_helper.h
> @@ -1517,7 +1517,15 @@ enum drm_dp_phy {
> #define DP_MST_LOGICAL_PORT_0 8
>
> #define DP_LINK_CONSTANT_N_VALUE 0x8000
> -#define DP_LINK_STATUS_SIZE 6
> +/*
> + * DPCD registers in link_status:
> + * Link Status: 0x202 through 0x204
> + * Sink Status: 0x205
> + * Adjust Request: 0x206 through 0x207
> + * Training Score: 0x208 through 0x20b
> + * AR Post Cursor2: 0x20c
> + */
> +#define DP_LINK_STATUS_SIZE 11
> bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
> int lane_count);
> bool drm_dp_clock_recovery_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
--
Jani Nikula, Intel Open Source Graphics Center
WARNING: multiple messages have this Message-ID (diff)
From: Jani Nikula <jani.nikula@linux.intel.com>
To: Kees Cook <keescook@chromium.org>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Kees Cook <keescook@chromium.org>,
David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
linux-hardening@vger.kernel.org,
Thomas Zimmermann <tzimmermann@suse.de>,
Thierry Reding <treding@nvidia.com>
Subject: Re: [PATCH] drm/dp: Actually read Adjust Request Post Cursor2 register
Date: Wed, 08 Dec 2021 13:19:28 +0200 [thread overview]
Message-ID: <87o85r4a4f.fsf@intel.com> (raw)
In-Reply-To: <20211203084354.3105253-1-keescook@chromium.org>
On Fri, 03 Dec 2021, Kees Cook <keescook@chromium.org> wrote:
> The link_status array was not large enough to read the Adjust Request
> Post Cursor2 register. Adjust the size to include it. Found with a
> -Warray-bounds build:
>
> drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
> drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
> 59 | return link_status[r - DP_LANE0_1_STATUS];
> | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
> drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
> 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
> | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
> Signed-off-by: Kees Cook <keescook@chromium.org>
Using DP_ADJUST_REQUEST_POST_CURSOR2 has been deprecated since DP 1.3
published in 2014, and Tegra is the only user of
drm_dp_get_adjust_request_post_cursor().
Instead of bumping the link status read size from 6 to 11 for all
drivers I'd much rather see some other (maybe Tegra specific) solution
to this.
BR,
Jani.
> ---
> include/drm/drm_dp_helper.h | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
> index 472dac376284..277643d2fe2c 100644
> --- a/include/drm/drm_dp_helper.h
> +++ b/include/drm/drm_dp_helper.h
> @@ -1517,7 +1517,15 @@ enum drm_dp_phy {
> #define DP_MST_LOGICAL_PORT_0 8
>
> #define DP_LINK_CONSTANT_N_VALUE 0x8000
> -#define DP_LINK_STATUS_SIZE 6
> +/*
> + * DPCD registers in link_status:
> + * Link Status: 0x202 through 0x204
> + * Sink Status: 0x205
> + * Adjust Request: 0x206 through 0x207
> + * Training Score: 0x208 through 0x20b
> + * AR Post Cursor2: 0x20c
> + */
> +#define DP_LINK_STATUS_SIZE 11
> bool drm_dp_channel_eq_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
> int lane_count);
> bool drm_dp_clock_recovery_ok(const u8 link_status[DP_LINK_STATUS_SIZE],
--
Jani Nikula, Intel Open Source Graphics Center
next prev parent reply other threads:[~2021-12-08 11:19 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-03 8:43 [PATCH] drm/dp: Actually read Adjust Request Post Cursor2 register Kees Cook
2021-12-03 8:43 ` Kees Cook
2021-12-08 11:19 ` Jani Nikula [this message]
2021-12-08 11:19 ` Jani Nikula
2021-12-09 5:54 ` Kees Cook
2021-12-09 5:54 ` Kees Cook
2021-12-09 6:23 ` Kees Cook
2021-12-09 6:23 ` Kees Cook
2021-12-09 22:20 ` Harry Wentland
2021-12-09 23:41 ` Kees Cook
2021-12-09 23:41 ` Kees Cook
2021-12-10 10:06 ` Jani Nikula
2021-12-10 16:53 ` Kees Cook
2021-12-10 16:53 ` Kees Cook
2021-12-13 9:34 ` Jani Nikula
2021-12-13 9:34 ` Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o85r4a4f.fsf@intel.com \
--to=jani.nikula@linux.intel.com \
--cc=airlied@linux.ie \
--cc=dri-devel@lists.freedesktop.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=treding@nvidia.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.