From: sashiko-bot@kernel.org
To: "Berkant Koc" <me@berkoc.com>
Cc: linux-hyperv@vger.kernel.org
Subject: Re: [PATCH v5 1/2] drm/hyperv: validate resolution_count and fix WIN8 fallback
Date: Sat, 23 May 2026 14:37:21 +0000 [thread overview]
Message-ID: <20260523143721.E3D681F000E9@smtp.kernel.org> (raw)
In-Reply-To: <6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] State Machine Desynchronization and Type Confusion due to missing reinit_completion()
--
commit 75355159caa20ef4cf6b36266c2aa7dcbac0177d
Author: Berkant Koc <me@berkoc.com>
drm/hyperv: validate resolution_count and fix WIN8 fallback
This commit bounds the resolution_count in SYNTHVID_RESOLUTION_RESPONSE
to avoid out-of-bounds array access. It also adds a unified fallback
for WIN8 default resolutions when the probe fails or max dimensions
are left unpopulated.
> diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
> index 051ecc5268321..c3d0ff229e3d0 100644
> --- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
> +++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
> @@ -391,8 +391,11 @@ static int hyperv_get_supported_resolution(struct hv_device *hdev)
> return -ETIMEDOUT;
> }
[Severity: High]
This is a pre-existing issue, but does reusing hv->wait without calling
reinit_completion() risk state machine desynchronization?
If a prior request like hyperv_negotiate_version() times out, a delayed
response could trigger complete(&hv->wait) and leave the completion
signaled. When wait_for_completion_timeout() is called in this function,
would it return immediately without waiting for the actual response?
If a WIN10 version negotiation times out and falls back to WIN8, could a
delayed WIN10 response satisfy the subsequent WIN8 wait, leading the driver
to mistakenly assume the hypervisor agreed to the WIN8 protocol?
Since there is no validation of msg->vid_hdr.type after waking up, could
this lead to type confusion where a delayed response from an earlier
request is incorrectly interpreted as the current response?
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1779542874.git.me@berkoc.com?part=1
next prev parent reply other threads:[~2026-05-23 14:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 13:27 [PATCH v5 0/2] drm/hyperv: harden host message parsing Berkant Koc
2026-05-19 20:08 ` [PATCH v5 1/2] drm/hyperv: validate resolution_count and fix WIN8 fallback Berkant Koc
2026-05-23 14:37 ` sashiko-bot [this message]
2026-05-23 15:16 ` Michael Kelley
2026-05-23 13:27 ` [PATCH v5 2/2] drm/hyperv: validate VMBus packet size in receive callback Berkant Koc
2026-05-23 15:06 ` sashiko-bot
2026-05-23 15:17 ` Michael Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260523143721.E3D681F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=me@berkoc.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox