lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon,  1 Nov 2021 10:16:59 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org, Mat Jonczyk <mat.jonczyk@...pl>,
        José Roberto de Souza <jose.souza@...el.com>,
        Jani Nikula <jani.nikula@...el.com>,
        Ville Syrjälä 
        <ville.syrjala@...ux.intel.com>, Imre Deak <imre.deak@...el.com>
Subject: [PATCH 5.14 046/125] drm/i915/dp: Skip the HW readout of DPCD on disabled encoders

From: Imre Deak <imre.deak@...el.com>

commit 6e6f96630805874fa80b0067e1a57aafc06225f6 upstream.

Reading out the DP encoders' DPCD during booting or resume is only
required for enabled encoders: such encoders may be modesetted during
the initial commit and the link training this involves depends on an
initialized DPCD. For DDI encoders reading out the DPCD is skipped, do
the same on pre-DDI platforms.

Atm, the first DPCD readout without a sink connected - which is a likely
scneario if the encoder is disabled - leaves intel_dp->num_common_rates
at 0, which resulted in

intel_dp_sync_state()->intel_dp_max_common_rate()

in a

intel_dp->common_rates[-1]

access. This by definition results in an undefined behaviour, though to
my best knowledge in all HW/compiler configurations it actually results
in accessing the array item type value preceding the array. In this
case the preceding value happens to be intel_dp->num_common_rates,
which is 0, so this issue - by luck - didn't cause a user visible
problem.

Nevertheless it's still an undefined behaviour and in CONFIG_UBSAN
builds leads to a kernel BUG() (which revealed this problem for us),
hence CC:stable.

A related problem in case the encoder is enabled but the sink is not
connected or the DPCD readout fails is fixed by the next patch.

v2: Amend the commit message describing the root cause of the
    CONFIG_UBSAN BUG().

Fixes: a532cde31de3 ("drm/i915/tc: Fix TypeC port init/resume time sanitization")
Reported-and-tested-by: Mat Jonczyk <mat.jonczyk@...pl>
Cc: Mat Jonczyk <mat.jonczyk@...pl>
Cc: José Roberto de Souza <jose.souza@...el.com>
Cc: Jani Nikula <jani.nikula@...el.com>
Cc: Ville Syrjälä <ville.syrjala@...ux.intel.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Imre Deak <imre.deak@...el.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@...ux.intel.com>
Acked-by: Jani Nikula <jani.nikula@...el.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211018094154.1407705-2-imre.deak@intel.com
(cherry picked from commit 4ec5ffc341cecbea060739aea1d53398ac2ec3f8)
Signed-off-by: Jani Nikula <jani.nikula@...el.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_dp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -1924,6 +1924,9 @@ void intel_dp_sync_state(struct intel_en
 {
 	struct intel_dp *intel_dp = enc_to_intel_dp(encoder);
 
+	if (!crtc_state)
+		return;
+
 	/*
 	 * Don't clobber DPCD if it's been already read out during output
 	 * setup (eDP) or detect.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ