From: "Ville Syrjälä" <syrjala@sci.fi>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>,
Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>,
Ingo Molnar <mingo@kernel.org>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Borislav Petkov <bp@suse.de>,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fbdev: atyfb: fix array overflow
Date: Thu, 23 Jun 2016 00:28:25 +0000 [thread overview]
Message-ID: <20160623002825.GA12365@sci.fi> (raw)
In-Reply-To: <20160622123822.1262383-1-arnd@arndb.de>
On Wed, Jun 22, 2016 at 02:37:11PM +0200, Arnd Bergmann wrote:
> When building with CONFIG_UBSAN_SANITIZE_ALL on ARM, I get this
> gcc warning for atyfb:
>
> drivers/video/fbdev/aty/atyfb_base.c: In function 'aty_bl_update_status':
> drivers/video/fbdev/aty/atyfb_base.c:167:33: warning: array subscript is above array bounds [-Warray-bounds]
> drivers/video/fbdev/aty/atyfb_base.c:152:26: warning: array subscript is above array bounds [-Warray-bounds]
>
> Apparently the warning is correct and there is indeed an overflow,
Nope. All the LCD register indexes on the Rage LT (the only relevant
chip for this code path) should stay below the table size. At least
I can't see any place where we'd walk past the end.
> which was never caught. I could only reproduce this on ARM and
> have opened a bug against the compiler for the lack of warning.
>
> This patch makes the array larger, so we cover all possible
> registers in the LCD controller without an overflow.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Link: https://bugs.linaro.org/show_bug.cgi?id#49
> ---
> drivers/video/fbdev/aty/atyfb_base.c | 2 +-
> include/video/mach64.h | 1 +
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 001d3d871800..36ffba152eab 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -134,7 +134,7 @@
>
> #if defined(CONFIG_PM) || defined(CONFIG_PMAC_BACKLIGHT) || \
> defined (CONFIG_FB_ATY_GENERIC_LCD) || defined(CONFIG_FB_ATY_BACKLIGHT)
> -static const u32 lt_lcd_regs[] = {
> +static const u32 lt_lcd_regs[LCD_REG_NUM] = {
> CNFG_PANEL_LG,
> LCD_GEN_CNTL_LG,
> DSTN_CONTROL_LG,
> diff --git a/include/video/mach64.h b/include/video/mach64.h
> index 89e91c0cb737..9f74e9e0aeb8 100644
> --- a/include/video/mach64.h
> +++ b/include/video/mach64.h
> @@ -1299,6 +1299,7 @@
> #define APC_LUT_KL 0x38
> #define APC_LUT_MN 0x39
> #define APC_LUT_OP 0x3A
> +#define LCD_REG_NUM 0x3B /* total number */
>
> /* Values in LCD_GEN_CTRL */
> #define CRT_ON 0x00000001ul
> --
> 2.9.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fbdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Ville Syrjälä
syrjala@sci.fi
http://www.sci.fi/~syrjala/
next prev parent reply other threads:[~2016-06-23 0:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-22 12:37 [PATCH] fbdev: atyfb: fix array overflow Arnd Bergmann
2016-06-23 0:28 ` Ville Syrjälä [this message]
2016-06-23 9:06 ` Arnd Bergmann
2016-06-23 17:26 ` Ville Syrjälä
2016-06-23 8:50 ` Geert Uytterhoeven
2016-06-23 9:22 ` Arnd Bergmann
2016-06-23 17:35 ` Ville Syrjälä
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160623002825.GA12365@sci.fi \
--to=syrjala@sci.fi \
--cc=arnd@arndb.de \
--cc=bp@suse.de \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mingo@kernel.org \
--cc=plagnioj@jcrosoft.com \
--cc=tomi.valkeinen@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).