From: "Ville Syrjälä" <syrjala@sci.fi>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>,
Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>,
Ingo Molnar <mingo@kernel.org>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Borislav Petkov <bp@suse.de>,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fbdev: atyfb: fix array overflow
Date: Thu, 23 Jun 2016 17:26:48 +0000
Message-ID: <20160623172648.GA15594@sci.fi>
In-Reply-To: <4078476.C7oJjrxxdA@wuerfel>

On Thu, Jun 23, 2016 at 11:06:11AM +0200, Arnd Bergmann wrote:
> On Thursday, June 23, 2016 3:28:25 AM CEST Ville Syrjälä wrote:
> > On Wed, Jun 22, 2016 at 02:37:11PM +0200, Arnd Bergmann wrote:
> > > When building with CONFIG_UBSAN_SANITIZE_ALL on ARM, I get this
> > > gcc warning for atyfb:
> > >
> > > drivers/video/fbdev/aty/atyfb_base.c: In function 'aty_bl_update_status':
> > > drivers/video/fbdev/aty/atyfb_base.c:167:33: warning: array subscript is above array bounds [-Warray-bounds]
> > > drivers/video/fbdev/aty/atyfb_base.c:152:26: warning: array subscript is above array bounds [-Warray-bounds]
> > >
> > > Apparently the warning is correct and there is indeed an overflow,
> >
> > Nope. All the LCD register indexes on the Rage LT (the only relevant
> > chip for this code path) should stay below the table size. At least
> > I can't see any place where we'd walk past the end.
>
> I don't understand what you mean: the warning is about LCD_MISC_CNTL,
> which is defined as 0x14, while the array size is 9 and that is smaller.
>
> Is there something more subtle going on than what gcc sees?

The LCD_MISC_CNTL access is in the backlight code, and thanks to the
following piece of code

	if (M64_HAS(MOBIL_BUS) && ...) {
		aty_bl_init(...);
	}

we register the backlight only on Rage Mobility. Rage LT is not a Rage
Mobility, so everything is fine.

--
Ville Syrjälä
syrjala@sci.fi
http://www.sci.fi/~syrjala/
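
The situation discussed in this thread, as an added example that is not part of the original message and not the atyfb source: a 9-entry register table, an index of 0x14, and an access that is only reachable when a probe-time feature check passed. Every name below is hypothetical, and the second register space with its size is an assumption of the model; the local range check states the invariant next to the subscript, so it holds even for a chip that carries both feature flags.

```c
#include <stdint.h>

/* Constructed model, not the atyfb source; every name here is hypothetical. */
#define MODEL_LCD_MISC_CNTL 0x14u /* index value quoted in the thread */
#define MODEL_TABLE_SIZE    9u    /* table size quoted in the thread */
#define MODEL_INDEXED_REGS  64u   /* assumed size of the non-table register space */
enum { FEAT_LT_TABLE = 1, FEAT_MOBIL_BUS = 2 };

struct model_chip {
	unsigned features;
	int backlight_registered;
	uint32_t table_regs[MODEL_TABLE_SIZE];
	uint32_t indexed_regs[MODEL_INDEXED_REGS];
};

/* Gating as described in the reply: the backlight exists only with MOBIL_BUS. */
static void model_probe(struct model_chip *c)
{
	c->backlight_registered = (c->features & FEAT_MOBIL_BUS) != 0;
}

/* Returns 0 on success, -1 when idx is out of range for this chip.
 * The check sits next to the subscript, so neither the reader nor the
 * compiler has to know how the caller was gated at probe time. */
static int model_lcd_read(const struct model_chip *c, unsigned idx, uint32_t *out)
{
	if (c->features & FEAT_LT_TABLE) {
		if (idx >= MODEL_TABLE_SIZE)
			return -1;
		*out = c->table_regs[idx];
		return 0;
	}
	if (idx >= MODEL_INDEXED_REGS)
		return -1;
	*out = c->indexed_regs[idx];
	return 0;
}

/* Backlight path: refuses to run unless probe registered the backlight. */
static int model_backlight_read(const struct model_chip *c, uint32_t *out)
{
	return c->backlight_registered ?
		model_lcd_read(c, MODEL_LCD_MISC_CNTL, out) : -1;
}

int main(void)
{
	struct model_chip both = { .features = FEAT_LT_TABLE | FEAT_MOBIL_BUS };
	uint32_t v;
	model_probe(&both);
	return model_backlight_read(&both, &v) == -1 ? 0 : 1;
}
```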