[bug report] [PATCH] powerpc: Thermal control for dual core G5s

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: benh@kernel.crashing.org
Cc: linuxppc-dev@lists.ozlabs.org
Subject: [bug report] [PATCH] powerpc: Thermal control for dual core G5s
Date: Wed, 13 Jul 2016 13:15:46 +0300	[thread overview]
Message-ID: <20160713101546.GK29468@mwanda> (raw)

Hello Benjamin Herrenschmidt,

The patch ac171c46667c: "[PATCH] powerpc: Thermal control for dual
core G5s" from Feb 8, 2006, leads to the following static checker
warning:

	drivers/macintosh/windfarm_smu_controls.c:83 smu_set_fan()
	warn: buffer overflow 'buffer' 16 <= 16

drivers/macintosh/windfarm_smu_controls.c
    54  static int smu_set_fan(int pwm, u8 id, u16 value)
    55  {
    56          struct smu_cmd cmd;
    57          u8 buffer[16];
                   ^^^^^^^^^^
16 bytes.

    58          DECLARE_COMPLETION_ONSTACK(comp);
    59          int rc;
    60  
    61          /* Fill SMU command structure */
    62          cmd.cmd = SMU_CMD_FAN_COMMAND;
    63  
    64          /* The SMU has an "old" and a "new" way of setting the fan speed
    65           * Unfortunately, I found no reliable way to know which one works
    66           * on a given machine model. After some investigations it appears
    67           * that MacOS X just tries the new one, and if it fails fallbacks
    68           * to the old ones ... Ugh.
    69           */
    70   retry:
    71          if (smu_supports_new_fans_ops) {
    72                  buffer[0] = 0x30;
    73                  buffer[1] = id;
    74                  *((u16 *)(&buffer[2])) = value;
    75                  cmd.data_len = 4;
    76          } else {
    77                  if (id > 7)
                            ^^^^^^
Assume id is 7.

    78                          return -EINVAL;
    79                  /* Fill argument buffer */
    80                  memset(buffer, 0, 16);
    81                  buffer[0] = pwm ? 0x10 : 0x00;
    82                  buffer[1] = 0x01 << id;
    83                  *((u16 *)&buffer[2 + id * 2]) = value;
                                  ^^^^^^^^^^^^^^^^^^
2 + 7 * 2 = 16.  We're write two bytes beyond the end of the array.

    84                  cmd.data_len = 14;
    85          }
    86  


regards,
dan carpenter

next             reply	other threads:[~2016-07-13 10:15 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-13 10:15 Dan Carpenter [this message]
2016-07-13 22:44 ` [bug report] [PATCH] powerpc: Thermal control for dual core G5s Benjamin Herrenschmidt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160713101546.GK29468@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=benh@kernel.crashing.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).