All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: suryasaimadhu <suryasaimadhu369@gmail.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH] staging: fbtft: fix unaligned access and txbuf safety issues
Date: Thu, 25 Jun 2026 11:54:15 +0000	[thread overview]
Message-ID: <20260625115416.1A0E91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625114215.325973-1-suryasaimadhu369@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Hardware protocol violation in unbuffered SPI write fallback paths.
--

commit 3d08e05dccbf9cbe108bf3c042c710ace7899fe1
Author: suryasaimadhu <suryasaimadhu369@gmail.com>

staging: fbtft: fix unaligned access and txbuf safety issues

This commit fixes unaligned access issues during register writes and pixel
data copies in the fbtft driver. It also adds bounds checking and fallbacks
for when the transmit buffer size underflows or is missing.

> diff --git a/drivers/staging/fbtft/fb_ra8875.c b/drivers/staging/fbtft/fb_ra8875.c
> index 0ab1de6647d07..06f650aacc204 100644
> --- a/drivers/staging/fbtft/fb_ra8875.c
> +++ b/drivers/staging/fbtft/fb_ra8875.c
> @@ -250,7 +251,14 @@ static int write_vmem16_bus8(struct fbtft_par *par, size_t offset, size_t len)
>  
>  	remain = len / 2;
>  	vmem16 = (u16 *)(par->info->screen_buffer + offset);
> +
> +	if (!par->txbuf.buf)
> +		return par->fbtftops.write(par, vmem16, len);
> +
>  	tx_array_size = par->txbuf.len / 2;
> +	if (tx_array_size <= 2)
> +		return par->fbtftops.write(par, vmem16, len);
> +

[Severity: High]
Does this fallback bypass the 0x00 command prefix required by the RA8875
hardware?

Since vmem16 points directly to the framebuffer memory, this direct write
will omit the prefix, which might cause the display controller to
misinterpret the first pixel as a command.

Additionally, could this skip the cpu_to_be16() conversion on
little-endian CPUs, sending pixels in the wrong byte order?

Would it be safer to return an error if the required transmission buffer
is unavailable or too small to prepend the hardware protocol prefix?

>  	txbuf16 = par->txbuf.buf + 1;
>  	tx_array_size -= 2;
>  	*(u8 *)(par->txbuf.buf) = 0x00;

[ ... ]

> diff --git a/drivers/staging/fbtft/fbtft-bus.c b/drivers/staging/fbtft/fbtft-bus.c
> index 30e436ff19e4c..52a0c5c0cbaed 100644
> --- a/drivers/staging/fbtft/fbtft-bus.c
> +++ b/drivers/staging/fbtft/fbtft-bus.c

[ ... ]

> @@ -142,19 +146,24 @@ int fbtft_write_vmem16_bus8(struct fbtft_par *par, size_t offset, size_t len)
>  	tx_array_size = par->txbuf.len / 2;
>  
>  	if (par->startbyte) {
> +		if (tx_array_size <= 2)
> +			return par->fbtftops.write(par, vmem16, len);

[Severity: High]
Does this skip prepending the par->startbyte prefix when the buffer is
too small, despite the prefix being explicitly required?

Like the RA8875 case above, this fallback bypasses both the command
prefix and endianness conversions.

>  		txbuf16 = par->txbuf.buf + 1;
>  		tx_array_size -= 2;
>  		*(u8 *)(par->txbuf.buf) = par->startbyte | 0x2;
>  		startbyte_size = 1;
>  	}
>  
> +	if (!tx_array_size)
> +		return par->fbtftops.write(par, vmem16, len);
> +

[Severity: High]
Could this result in the same issue of bypassing necessary prefixes and
endianness conversions if tx_array_size evaluates to zero?

Should we return an error instead of silently sending incorrectly
formatted data?

>  	while (remain) {
>  		to_copy = min(tx_array_size, remain);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625114215.325973-1-suryasaimadhu369@gmail.com?part=1

  reply	other threads:[~2026-06-25 11:54 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-25 10:30 [PATCH] staging: fbtft: fix unaligned access and buffer size when startbyte is used suryasaimadhu
2026-06-25 10:42 ` sashiko-bot
2026-06-25 11:02   ` [PATCH] staging: fbtft: fix unaligned vmem writes when txbuf is byte-offset suryasaimadhu
2026-06-25 11:16     ` sashiko-bot
2026-06-25 11:42       ` [PATCH] staging: fbtft: fix unaligned access and txbuf safety issues suryasaimadhu
2026-06-25 11:54         ` sashiko-bot [this message]
2026-06-25 12:00         ` Dan Carpenter
2026-06-25 14:05         ` Andy Shevchenko
2026-06-25 13:20     ` [PATCH] staging: fbtft: fix unaligned vmem writes when txbuf is byte-offset kernel test robot
2026-06-25 13:53     ` kernel test robot
2026-06-25 13:59     ` Andy Shevchenko
2026-06-25 14:08 ` [PATCH] staging: fbtft: fix unaligned access and buffer size when startbyte is used Andy Shevchenko
2026-06-26  6:48 ` David Laight

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260625115416.1A0E91F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=suryasaimadhu369@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.