From: Jani Nikula <jani.nikula@linux.intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
dri-devel@lists.freedesktop.org,
Thierry Reding <thierry.reding@gmail.com>,
Jonathan Hunter <jonathanh@nvidia.com>,
Philipp Zabel <p.zabel@pengutronix.de>,
Lyude Paul <lyude@redhat.com>,
linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] drm/dp: Remove common Post Cursor2 register handling
Date: Fri, 07 Jan 2022 12:58:32 +0200 [thread overview]
Message-ID: <87y23rlsmf.fsf@intel.com> (raw)
In-Reply-To: <202201051410.8F65E4E0@keescook>
On Wed, 05 Jan 2022, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Jan 05, 2022 at 08:00:50PM +0200, Jani Nikula wrote:
>> On Wed, 05 Jan 2022, Kees Cook <keescook@chromium.org> wrote:
>> > The link_status array was not large enough to read the Adjust Request
>> > Post Cursor2 register, so remove the common helper function to avoid
>> > an OOB read, found with a -Warray-bounds build:
>> >
>> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
>> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
>> > 59 | return link_status[r - DP_LANE0_1_STATUS];
>> > | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
>> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
>> > 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>> > Replace the only user of the helper with an open-coded fetch and decode,
>> > similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.
>> >
>> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
>> > Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
>> > Cc: Maxime Ripard <mripard@kernel.org>
>> > Cc: Thomas Zimmermann <tzimmermann@suse.de>
>> > Cc: David Airlie <airlied@linux.ie>
>> > Cc: Daniel Vetter <daniel@ffwll.ch>
>> > Cc: dri-devel@lists.freedesktop.org
>> > Signed-off-by: Kees Cook <keescook@chromium.org>
>> > ---
>> > This is the alternative to:
>> > https://lore.kernel.org/lkml/20211203084354.3105253-1-keescook@chromium.org/
>> > ---
>> > drivers/gpu/drm/drm_dp_helper.c | 10 ----------
>> > drivers/gpu/drm/tegra/dp.c | 11 ++++++++++-
>> > include/drm/drm_dp_helper.h | 2 --
>> > 3 files changed, 10 insertions(+), 13 deletions(-)
>> >
>> > diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
>> > index 23f9073bc473..c9528aa62c9c 100644
>> > --- a/drivers/gpu/drm/drm_dp_helper.c
>> > +++ b/drivers/gpu/drm/drm_dp_helper.c
>> > @@ -144,16 +144,6 @@ u8 drm_dp_get_adjust_tx_ffe_preset(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > }
>> > EXPORT_SYMBOL(drm_dp_get_adjust_tx_ffe_preset);
>> >
>> > -u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > - unsigned int lane)
>> > -{
>> > - unsigned int offset = DP_ADJUST_REQUEST_POST_CURSOR2;
>> > - u8 value = dp_link_status(link_status, offset);
>> > -
>> > - return (value >> (lane << 1)) & 0x3;
>> > -}
>> > -EXPORT_SYMBOL(drm_dp_get_adjust_request_post_cursor);
>> > -
>> > static int __8b10b_clock_recovery_delay_us(const struct drm_dp_aux *aux, u8 rd_interval)
>> > {
>> > if (rd_interval > 4)
>> > diff --git a/drivers/gpu/drm/tegra/dp.c b/drivers/gpu/drm/tegra/dp.c
>> > index 70dfb7d1dec5..f5535eb04c6b 100644
>> > --- a/drivers/gpu/drm/tegra/dp.c
>> > +++ b/drivers/gpu/drm/tegra/dp.c
>> > @@ -549,6 +549,15 @@ static void drm_dp_link_get_adjustments(struct drm_dp_link *link,
>> > {
>> > struct drm_dp_link_train_set *adjust = &link->train.adjust;
>> > unsigned int i;
>> > + u8 post_cursor;
>> > + int err;
>> > +
>> > + err = drm_dp_dpcd_read(link->aux, DP_ADJUST_REQUEST_POST_CURSOR2,
>> > + &post_cursor, sizeof(post_cursor));
>>
>> There's a drm_dp_dpcd_readb() for the common 1-byte reads. Other than
>> that,
>>
>> Reviewed-by: Jani Nikula <jani.nikula@intel.com>
>
> Thanks!
>
>>
>> Though obviously that's not enough to actually merge to tegra.
>
> As in, "a review by Jani isn't sufficient to land via the tegra tree"?
Yeah. Or, in this case, via any tree, really.
> What should next steps be?
Get an ack from tegra and/or drm-misc maintainers. All the relevant
folks and lists are in the recipients already.
BR,
Jani.
>
> -Kees
>
>>
>> > + if (err < 0) {
>> > + DRM_ERROR("failed to read post_cursor2: %d\n", err);
>> > + post_cursor = 0;
>> > + }
>> >
>> > for (i = 0; i < link->lanes; i++) {
>> > adjust->voltage_swing[i] =
>> > @@ -560,7 +569,7 @@ static void drm_dp_link_get_adjustments(struct drm_dp_link *link,
>> > DP_TRAIN_PRE_EMPHASIS_SHIFT;
>> >
>> > adjust->post_cursor[i] =
>> > - drm_dp_get_adjust_request_post_cursor(status, i);
>> > + (post_cursor >> (i << 1)) & 0x3;
>> > }
>> > }
>> >
>> > diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
>> > index 472dac376284..fdf3cf6ccc02 100644
>> > --- a/include/drm/drm_dp_helper.h
>> > +++ b/include/drm/drm_dp_helper.h
>> > @@ -1528,8 +1528,6 @@ u8 drm_dp_get_adjust_request_pre_emphasis(const u8 link_status[DP_LINK_STATUS_SI
>> > int lane);
>> > u8 drm_dp_get_adjust_tx_ffe_preset(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > int lane);
>> > -u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > - unsigned int lane);
>> >
>> > #define DP_BRANCH_OUI_HEADER_SIZE 0xc
>> > #define DP_RECEIVER_CAP_SIZE 0xf
>>
>> --
>> Jani Nikula, Intel Open Source Graphics Center
--
Jani Nikula, Intel Open Source Graphics Center
WARNING: multiple messages have this Message-ID (diff)
From: Jani Nikula <jani.nikula@linux.intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@linux.ie>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
Jonathan Hunter <jonathanh@nvidia.com>,
Thierry Reding <thierry.reding@gmail.com>,
linux-tegra@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] drm/dp: Remove common Post Cursor2 register handling
Date: Fri, 07 Jan 2022 12:58:32 +0200 [thread overview]
Message-ID: <87y23rlsmf.fsf@intel.com> (raw)
In-Reply-To: <202201051410.8F65E4E0@keescook>
On Wed, 05 Jan 2022, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Jan 05, 2022 at 08:00:50PM +0200, Jani Nikula wrote:
>> On Wed, 05 Jan 2022, Kees Cook <keescook@chromium.org> wrote:
>> > The link_status array was not large enough to read the Adjust Request
>> > Post Cursor2 register, so remove the common helper function to avoid
>> > an OOB read, found with a -Warray-bounds build:
>> >
>> > drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor':
>> > drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds]
>> > 59 | return link_status[r - DP_LANE0_1_STATUS];
>> > | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~
>> > drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status'
>> > 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>> > Replace the only user of the helper with an open-coded fetch and decode,
>> > similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c.
>> >
>> > Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments")
>> > Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
>> > Cc: Maxime Ripard <mripard@kernel.org>
>> > Cc: Thomas Zimmermann <tzimmermann@suse.de>
>> > Cc: David Airlie <airlied@linux.ie>
>> > Cc: Daniel Vetter <daniel@ffwll.ch>
>> > Cc: dri-devel@lists.freedesktop.org
>> > Signed-off-by: Kees Cook <keescook@chromium.org>
>> > ---
>> > This is the alternative to:
>> > https://lore.kernel.org/lkml/20211203084354.3105253-1-keescook@chromium.org/
>> > ---
>> > drivers/gpu/drm/drm_dp_helper.c | 10 ----------
>> > drivers/gpu/drm/tegra/dp.c | 11 ++++++++++-
>> > include/drm/drm_dp_helper.h | 2 --
>> > 3 files changed, 10 insertions(+), 13 deletions(-)
>> >
>> > diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
>> > index 23f9073bc473..c9528aa62c9c 100644
>> > --- a/drivers/gpu/drm/drm_dp_helper.c
>> > +++ b/drivers/gpu/drm/drm_dp_helper.c
>> > @@ -144,16 +144,6 @@ u8 drm_dp_get_adjust_tx_ffe_preset(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > }
>> > EXPORT_SYMBOL(drm_dp_get_adjust_tx_ffe_preset);
>> >
>> > -u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > - unsigned int lane)
>> > -{
>> > - unsigned int offset = DP_ADJUST_REQUEST_POST_CURSOR2;
>> > - u8 value = dp_link_status(link_status, offset);
>> > -
>> > - return (value >> (lane << 1)) & 0x3;
>> > -}
>> > -EXPORT_SYMBOL(drm_dp_get_adjust_request_post_cursor);
>> > -
>> > static int __8b10b_clock_recovery_delay_us(const struct drm_dp_aux *aux, u8 rd_interval)
>> > {
>> > if (rd_interval > 4)
>> > diff --git a/drivers/gpu/drm/tegra/dp.c b/drivers/gpu/drm/tegra/dp.c
>> > index 70dfb7d1dec5..f5535eb04c6b 100644
>> > --- a/drivers/gpu/drm/tegra/dp.c
>> > +++ b/drivers/gpu/drm/tegra/dp.c
>> > @@ -549,6 +549,15 @@ static void drm_dp_link_get_adjustments(struct drm_dp_link *link,
>> > {
>> > struct drm_dp_link_train_set *adjust = &link->train.adjust;
>> > unsigned int i;
>> > + u8 post_cursor;
>> > + int err;
>> > +
>> > + err = drm_dp_dpcd_read(link->aux, DP_ADJUST_REQUEST_POST_CURSOR2,
>> > + &post_cursor, sizeof(post_cursor));
>>
>> There's a drm_dp_dpcd_readb() for the common 1-byte reads. Other than
>> that,
>>
>> Reviewed-by: Jani Nikula <jani.nikula@intel.com>
>
> Thanks!
>
>>
>> Though obviously that's not enough to actually merge to tegra.
>
> As in, "a review by Jani isn't sufficient to land via the tegra tree"?
Yeah. Or, in this case, via any tree, really.
> What should next steps be?
Get an ack from tegra and/or drm-misc maintainers. All the relevant
folks and lists are in the recipients already.
BR,
Jani.
>
> -Kees
>
>>
>> > + if (err < 0) {
>> > + DRM_ERROR("failed to read post_cursor2: %d\n", err);
>> > + post_cursor = 0;
>> > + }
>> >
>> > for (i = 0; i < link->lanes; i++) {
>> > adjust->voltage_swing[i] =
>> > @@ -560,7 +569,7 @@ static void drm_dp_link_get_adjustments(struct drm_dp_link *link,
>> > DP_TRAIN_PRE_EMPHASIS_SHIFT;
>> >
>> > adjust->post_cursor[i] =
>> > - drm_dp_get_adjust_request_post_cursor(status, i);
>> > + (post_cursor >> (i << 1)) & 0x3;
>> > }
>> > }
>> >
>> > diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
>> > index 472dac376284..fdf3cf6ccc02 100644
>> > --- a/include/drm/drm_dp_helper.h
>> > +++ b/include/drm/drm_dp_helper.h
>> > @@ -1528,8 +1528,6 @@ u8 drm_dp_get_adjust_request_pre_emphasis(const u8 link_status[DP_LINK_STATUS_SI
>> > int lane);
>> > u8 drm_dp_get_adjust_tx_ffe_preset(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > int lane);
>> > -u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE],
>> > - unsigned int lane);
>> >
>> > #define DP_BRANCH_OUI_HEADER_SIZE 0xc
>> > #define DP_RECEIVER_CAP_SIZE 0xf
>>
>> --
>> Jani Nikula, Intel Open Source Graphics Center
--
Jani Nikula, Intel Open Source Graphics Center
next prev parent reply other threads:[~2022-01-07 10:58 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-05 17:35 [PATCH] drm/dp: Remove common Post Cursor2 register handling Kees Cook
2022-01-05 17:35 ` Kees Cook
2022-01-05 18:00 ` Jani Nikula
2022-01-05 18:00 ` Jani Nikula
2022-01-05 22:11 ` Kees Cook
2022-01-05 22:11 ` Kees Cook
2022-01-07 10:58 ` Jani Nikula [this message]
2022-01-07 10:58 ` Jani Nikula
2022-01-18 19:11 ` Gustavo A. R. Silva
2022-01-18 19:11 ` Gustavo A. R. Silva
2022-01-18 21:37 ` Kees Cook
2022-01-18 21:37 ` Kees Cook
2022-02-05 1:41 ` Kees Cook
2022-02-05 1:41 ` Kees Cook
2022-02-07 11:04 ` Jani Nikula
2022-02-07 11:04 ` Jani Nikula
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y23rlsmf.fsf@intel.com \
--to=jani.nikula@linux.intel.com \
--cc=airlied@linux.ie \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=jonathanh@nvidia.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tegra@vger.kernel.org \
--cc=lyude@redhat.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=p.zabel@pengutronix.de \
--cc=thierry.reding@gmail.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.