From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ville =?iso-8859-1?Q?Syrj=E4l=E4?= Subject: Re: [Intel-gfx] [PATCH 1/7] drm/i915: Make hpd arrays big enough to avoid out of bounds access Date: Fri, 9 Jan 2015 17:27:14 +0200 Message-ID: <20150109152714.GC10649@intel.com> References: <1420806078-20507-1-git-send-email-ville.syrjala@linux.intel.com> <1420806078-20507-2-git-send-email-ville.syrjala@linux.intel.com> <87sifkxbhe.fsf@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: Content-Disposition: inline In-Reply-To: <87sifkxbhe.fsf@intel.com> Sender: stable-owner@vger.kernel.org To: Jani Nikula Cc: intel-gfx@lists.freedesktop.org, Egbert Eich , stable@vger.kernel.org List-Id: intel-gfx@lists.freedesktop.org On Fri, Jan 09, 2015 at 04:41:33PM +0200, Jani Nikula wrote: > On Fri, 09 Jan 2015, ville.syrjala@linux.intel.com wrote: > > From: Ville Syrj=E4l=E4 > > > > intel_hpd_irq_handler() walks the passed in hpd[] array assuming it > > contains HPD_NUM_PINS elements. Currently that's not true as we don= 't > > specify an explicit size for the arrays when initializing them. Avo= id > > the out of bounds accesses by specifying the size for the arrays. >=20 > My first impression was wowowow, this must fix some of those obscure = hpd > bugs we seem to have. But no, all of the arrays have HPD_PORT_D which > means we don't go out of bounds. This patch doesn't change the sizes = of > the arrays. Hmm, I somehow convinced myself that PORT_D wasn't in all of them. I suppose I was thinking that port D isn't around on all platforms and then thought the same will hold for the arrays without actually checking. That does make the patch a bit less interesting. >=20 > > Cc: stable@vger.kernel.org >=20 > I'm not sure if that's appropriate in light of the above ("It must fi= x a > real bug that bothers people"). >=20 Yeah I guess we can drop the stable then. > But we should do this *before* it becomes a bug. >=20 > Reviewed-by: Jani Nikula >=20 > > Signed-off-by: Ville Syrj=E4l=E4 > > --- > > drivers/gpu/drm/i915/i915_irq.c | 12 ++++++------ > > 1 file changed, 6 insertions(+), 6 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915= /i915_irq.c > > index 818ab4e..1d52ae9 100644 > > --- a/drivers/gpu/drm/i915/i915_irq.c > > +++ b/drivers/gpu/drm/i915/i915_irq.c > > @@ -45,7 +45,7 @@ > > * and related files, but that will be described in separate chapt= ers. > > */ > > =20 > > -static const u32 hpd_ibx[] =3D { > > +static const u32 hpd_ibx[HPD_NUM_PINS] =3D { > > [HPD_CRT] =3D SDE_CRT_HOTPLUG, > > [HPD_SDVO_B] =3D SDE_SDVOB_HOTPLUG, > > [HPD_PORT_B] =3D SDE_PORTB_HOTPLUG, > > @@ -53,7 +53,7 @@ static const u32 hpd_ibx[] =3D { > > [HPD_PORT_D] =3D SDE_PORTD_HOTPLUG > > }; > > =20 > > -static const u32 hpd_cpt[] =3D { > > +static const u32 hpd_cpt[HPD_NUM_PINS] =3D { > > [HPD_CRT] =3D SDE_CRT_HOTPLUG_CPT, > > [HPD_SDVO_B] =3D SDE_SDVOB_HOTPLUG_CPT, > > [HPD_PORT_B] =3D SDE_PORTB_HOTPLUG_CPT, > > @@ -61,7 +61,7 @@ static const u32 hpd_cpt[] =3D { > > [HPD_PORT_D] =3D SDE_PORTD_HOTPLUG_CPT > > }; > > =20 > > -static const u32 hpd_mask_i915[] =3D { > > +static const u32 hpd_mask_i915[HPD_NUM_PINS] =3D { > > [HPD_CRT] =3D CRT_HOTPLUG_INT_EN, > > [HPD_SDVO_B] =3D SDVOB_HOTPLUG_INT_EN, > > [HPD_SDVO_C] =3D SDVOC_HOTPLUG_INT_EN, > > @@ -70,7 +70,7 @@ static const u32 hpd_mask_i915[] =3D { > > [HPD_PORT_D] =3D PORTD_HOTPLUG_INT_EN > > }; > > =20 > > -static const u32 hpd_status_g4x[] =3D { > > +static const u32 hpd_status_g4x[HPD_NUM_PINS] =3D { > > [HPD_CRT] =3D CRT_HOTPLUG_INT_STATUS, > > [HPD_SDVO_B] =3D SDVOB_HOTPLUG_INT_STATUS_G4X, > > [HPD_SDVO_C] =3D SDVOC_HOTPLUG_INT_STATUS_G4X, > > @@ -79,7 +79,7 @@ static const u32 hpd_status_g4x[] =3D { > > [HPD_PORT_D] =3D PORTD_HOTPLUG_INT_STATUS > > }; > > =20 > > -static const u32 hpd_status_i915[] =3D { /* i915 and valleyview ar= e the same */ > > +static const u32 hpd_status_i915[HPD_NUM_PINS] =3D { /* i915 and v= alleyview are the same */ > > [HPD_CRT] =3D CRT_HOTPLUG_INT_STATUS, > > [HPD_SDVO_B] =3D SDVOB_HOTPLUG_INT_STATUS_I915, > > [HPD_SDVO_C] =3D SDVOC_HOTPLUG_INT_STATUS_I915, > > @@ -1522,7 +1522,7 @@ static inline enum port get_port_from_pin(enu= m hpd_pin pin) > > static inline void intel_hpd_irq_handler(struct drm_device *dev, > > u32 hotplug_trigger, > > u32 dig_hotplug_reg, > > - const u32 *hpd) > > + const u32 hpd[HPD_NUM_PINS]) > > { > > struct drm_i915_private *dev_priv =3D dev->dev_private; > > int i; > > --=20 > > 2.0.5 > > > > _______________________________________________ > > Intel-gfx mailing list > > Intel-gfx@lists.freedesktop.org > > http://lists.freedesktop.org/mailman/listinfo/intel-gfx >=20 > --=20 > Jani Nikula, Intel Open Source Technology Center --=20 Ville Syrj=E4l=E4 Intel OTC