From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jani Nikula <jani.nikula@linux.intel.com>
Subject: Re: [PATCH 2/5] drm/i915: fix
	intel_dp_aux_native_read's reply array size
Date: Fri, 13 Sep 2013 12:21:21 +0300
Message-ID: <871u4tnkku.fsf@intel.com>
References: <20130912171523.GD12961@nuc-i3427.alporthouse.com>
	<1379019832-1526-1-git-send-email-przanoni@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
	by gabe.freedesktop.org (Postfix) with ESMTP id 33727E5CD6
	for <intel-gfx@lists.freedesktop.org>;
	Fri, 13 Sep 2013 02:19:14 -0700 (PDT)
In-Reply-To: <1379019832-1526-1-git-send-email-przanoni@gmail.com>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Paulo Zanoni <przanoni@gmail.com>, intel-gfx@lists.freedesktop.org
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
List-Id: intel-gfx@lists.freedesktop.org

On Fri, 13 Sep 2013, Paulo Zanoni <przanoni@gmail.com> wrote:
> From: Paulo Zanoni <paulo.r.zanoni@intel.com>
>
> So far we control all the reads an none of them exceeds the current
> limit of 20 bytes, but we never think about this when reviewing
> patches, so we may at some point in the future overflow the buffer.
>
> My initial patch just added a WARN in case we were about to overflow
> the buffer, but Chris suggested to make the size of the array dynamic.

VLA on stack in kernel gives me an uneasy feeling, but I'll survive.

intel_dp_aux_native_write() has a range check and an error return for
this. Maybe make the same change there, and add a
BUG_ON({send,recv}_bytes > 0x100) to both, since that's the max?

Jani.


> Signed-off-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
> ---
>  drivers/gpu/drm/i915/intel_dp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
> index 20e468c..bf0b260 100644
> --- a/drivers/gpu/drm/i915/intel_dp.c
> +++ b/drivers/gpu/drm/i915/intel_dp.c
> @@ -564,7 +564,7 @@ intel_dp_aux_native_read(struct intel_dp *intel_dp,
>  {
>  	uint8_t msg[4];
>  	int msg_bytes;
> -	uint8_t reply[20];
> +	uint8_t reply[recv_bytes + 1];
>  	int reply_bytes;
>  	uint8_t ack;
>  	int ret;
> -- 
> 1.8.3.1
>
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Jani Nikula, Intel Open Source Technology Center