drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer

For aux reads, the value `msg->size` indicates the size of the buffer
provided by `msg->buffer`. We should never in any circumstances write
more bytes to the buffer since it may overflow the buffer.

In the ti-sn65dsi86 driver there is one code path that reads the
transfer length from hardware. Even though it's never been seen to be
a problem, we should make extra sure that the hardware isn't
increasing the length since doing so would cause us to overrun the
buffer.

Fixes: 982f589bde7a ("drm/bridge: ti-sn65dsi86: Update reply on aux failures")
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231214123752.v3.2.I7b83c0f31aeedc6b1dc98c7c741d3e1f94f040f8@changeid

diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
index c45c07840f645a3216e0f0a8986920f1bd17d997..b5464199b6334e213c2b1f22a48cff79488c5c93 100644 (file)
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -527,6 +527,7 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux,
        u32 request_val = AUX_CMD_REQ(msg->request);
        u8 *buf = msg->buffer;
        unsigned int len = msg->size;
+       unsigned int short_len;
        unsigned int val;
        int ret;
        u8 addr_len[SN_AUX_LENGTH_REG + 1 - SN_AUX_ADDR_19_16_REG];
@@ -600,7 +601,8 @@ static ssize_t ti_sn_aux_transfer(struct drm_dp_aux *aux,
        }
 
        if (val & AUX_IRQ_STATUS_AUX_SHORT) {
-               ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &len);
+               ret = regmap_read(pdata->regmap, SN_AUX_LENGTH_REG, &short_len);
+               len = min(len, short_len);
                if (ret)
                        goto exit;
        } else if (val & AUX_IRQ_STATUS_NAT_I2C_FAIL) {