Hi,
On Thu, Dec 14, 2023 at 12:38 PM Douglas Anderson <dianders@xxxxxxxxxxxx> wrote:
>
> For aux reads, the value `msg->size` indicates the size of the buffer
> provided by `msg->buffer`. We should never in any circumstances write
> more bytes to the buffer since it may overflow the buffer.
>
> In the ti-sn65dsi86 driver there is one code path that reads the
> transfer length from hardware. Even though it's never been seen to be
> a problem, we should make extra sure that the hardware isn't
> increasing the length since doing so would cause us to overrun the
> buffer.
>
> Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures")
> Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
> ---
>
> (no changes since v2)
>
> Changes in v2:
> - Updated patch subject to match ps8640 patch.
>
> drivers/gpu/drm/bridge/ti-sn65dsi86.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Since the patch fixes a potential crash, has two Reviews (even if
they're both from @chromium), and doesn't seem controversial, I didn't
want a full week and just landed it in drm-misc-fixes. If anyone is
upset by this then please shout and we can revert or I can post a
followup patch.
Pushed to drm-misc-fixes:
aca58eac52b8 drm/bridge: ti-sn65dsi86: Never store more than msg->size
bytes in AUX xfer
