Re: [PATCH 0/1] hopefully fix null pointer dereference on i915 load

[Mihai Moldovan <ionic@ionic.de>]

[-- Attachment #1: Type: text/plain, Size: 2508 bytes --]

* On 13.08.2012 05:09 PM, Daniel Vetter wrote:
> On Mon, Aug 13, 2012 at 05:03:24PM +0200, Mihai Moldovan wrote:
>> Hi Jani,
>>
>> The reason sounds sane to me, but while looking through the code, I have seen a
>> few other problems, too.
>>
>> To my understanding, we should use port for dev_priv->gmbus[], not the pin
>> mapping (which is only used for gmbus_ports[]).
>> Don't forget to add the +1 for pin -> port mapping to the error case.
>>
>> Also, intel_gmbus_get_adapter is already accepting a port value (I made sure to
>> look at the calls in other files too), so don't map the port back to a pin.
>>
>> Keep the same in mind for the intel_teardown_gmbus "destructor".
>>
>> The current code adds the gmbus algorithm (gmbus_xfer) to gmbus port 0, which is
>> known as "disabled" and shouldn't be used (previously has_gpio was set to false
>> for those ports to not do any transfer on those ports.)
>>
>> I may be wrong, could you review this and maybe add it to your patch?
> This seems to essentially undo
>
> commit 2ed06c93a1fce057808894d73167aae03c76deaf
> Author: Daniel Kurtz <djkurtz@chromium.org>
> Date:   Wed Mar 28 02:36:15 2012 +0800
>
>     drm/i915/intel_i2c: gmbus disabled and reserved ports are invalid
>
> Note that port numbers start at 1, whereas the array is 0-index based. So
> you patch here would blow up if you don't extend the dev_priv->gmbus
> array.

Uhm, no, quite on the contrary. gmbus starts at 0 (with idx 0 being labeled
"disabled" and idx ((GMBUS_NUM_PORTS == 6) + 1) being labeled "reserved", which
neither should be touched).
Thus, in effect, it starts with 1 and ends with 6, but the current code does not
take that into account, instead accessing elements from 0 onwards:

The code currently would access *dev_priv->gmbus[0] in the first iteration,
which is labeled as "disabled" and shouldn't be touched. Instead, we should do a
pin->port mapping and access *dev_priv->gmbus[1, 2, 3 ... 6] instead (with
*dev_priv->gmbus[7] left out, as it's marked as "reserved" and again shouldn't
be touched.)

However, accessing gmbus_ports[0] is fine, and we can then copy
gmbus_ports[0].name to  *dev_priv->gmbus[1]->adapter.name
                     ^ pin                          
                                                 ^ port

Blowing up seems impossible too, as GMBUS_NUM_PORTS is #defined as END_PORT -
BEGIN_PORT + 1 which will evaluate to 6 and be the last index used.

Best regards,


Mihai


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4506 bytes --]