From: sashiko-bot@kernel.org
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] drm/bridge: sii902x: Read "sil,i2s-data-lanes" as u32
Date: Fri, 12 Jun 2026 21:58:06 +0000 [thread overview]
Message-ID: <20260612215806.9A6181F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612215205.1887206-1-robh@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing bounds check on 'sil,i2s-data-lanes' values leads to out-of-bounds array read.
--
commit 460b61bf52ca50a54beb619610726eb8680ea41a
Author: Rob Herring (Arm) <robh@kernel.org>
drm/bridge: sii902x: Read "sil,i2s-data-lanes" as u32
The commit updates the sii902x driver to read the "sil,i2s-data-lanes"
device tree property as a u32 array instead of a u8 array. This change makes
the driver follow the documented DT element size and binding specifications.
> diff --git a/drivers/gpu/drm/bridge/sii902x.c b/drivers/gpu/drm/bridge/sii902x.c
> index ea543be4ae3e2..7c90194449e1a 100644
> --- a/drivers/gpu/drm/bridge/sii902x.c
> +++ b/drivers/gpu/drm/bridge/sii902x.c
> @@ -862,7 +862,7 @@ static int sii902x_audio_codec_init(struct sii902x *sii902x,
> .max_i2s_channels = 0,
> .no_capture_mute = 1,
> };
> - u8 lanes[4];
> + u32 lanes[4];
[Severity: High]
This isn't a bug introduced by this patch, but does changing the type of lanes
from u8 to u32 increase the severity of a potential out-of-bounds read?
Later in sii902x_audio_codec_init() around line 894 of
drivers/gpu/drm/bridge/sii902x.c, the values parsed from the device tree are
used directly as indices into the i2s_lane_id array:
for (i = 0; i < num_lanes; i++)
sii902x->audio.i2s_fifo_sequence[i] |= audio_fifo_id[i] |
i2s_lane_id[lanes[i]] | SII902X_TPI_I2S_FIFO_ENABLE;
Because i2s_lane_id has a fixed size of 4 elements and there is no validation
on the parsed values, a malformed device tree could provide a value larger
than 3. When lanes was an array of u8, the read offset was limited, but as a
u32 it could hit unmapped memory and trigger a kernel oops during device probe.
Could we add a bounds check to ensure the values are within the correct range?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612215205.1887206-1-robh@kernel.org?part=1
prev parent reply other threads:[~2026-06-12 21:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 21:52 [PATCH] drm/bridge: sii902x: Read "sil,i2s-data-lanes" as u32 Rob Herring (Arm)
2026-06-12 21:58 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612215806.9A6181F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.