Message ID | 20220518065856.18936-1-hbh25y@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm: bridge: sii8620: fix possible off-by-one | expand |
On 18.05.2022 08:58, Hangyu Hua wrote: > The next call to sii8620_burst_get_tx_buf will result in off-by-one > When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same > thing happens in sii8620_burst_get_rx_buf. > > This patch also change tx_count and tx_buf to rx_count and rx_buf in > sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and > use rx_buf. > > Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions") > Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com> Regards Andrzej > --- > drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c > index ec7745c31da0..ab0bce4a988c 100644 > --- a/drivers/gpu/drm/bridge/sil-sii8620.c > +++ b/drivers/gpu/drm/bridge/sil-sii8620.c > @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len) > u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count]; > int size = len + 2; > > - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { > + if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) { > dev_err(ctx->dev, "TX-BLK buffer exhausted\n"); > ctx->error = -EINVAL; > return NULL; > @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len) > u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count]; > int size = len + 1; > > - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { > + if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) { > dev_err(ctx->dev, "RX-BLK buffer exhausted\n"); > ctx->error = -EINVAL; > return NULL;
On 2022/5/18 15:57, Andrzej Hajda wrote: > > > On 18.05.2022 08:58, Hangyu Hua wrote: >> The next call to sii8620_burst_get_tx_buf will result in off-by-one >> When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The >> same >> thing happens in sii8620_burst_get_rx_buf. >> >> This patch also change tx_count and tx_buf to rx_count and rx_buf in >> sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and >> use rx_buf. >> >> Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC >> transmissions") >> Signed-off-by: Hangyu Hua <hbh25y@gmail.com> > Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com> > > Regards > Andrzej >> --- >> drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c >> b/drivers/gpu/drm/bridge/sil-sii8620.c >> index ec7745c31da0..ab0bce4a988c 100644 >> --- a/drivers/gpu/drm/bridge/sil-sii8620.c >> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c >> @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct >> sii8620 *ctx, int len) >> u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count]; >> int size = len + 2; >> - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { >> + if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) { >> dev_err(ctx->dev, "TX-BLK buffer exhausted\n"); >> ctx->error = -EINVAL; >> return NULL; >> @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 >> *ctx, int len) >> u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count]; >> int size = len + 1; >> - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { >> + if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) { >> dev_err(ctx->dev, "RX-BLK buffer exhausted\n"); >> ctx->error = -EINVAL; >> return NULL; > Hi guys, Another patches for this module that I submitted at the same time as this one have been merged. Is this patch forgotten to merge? Thanks, Hangyu
On Thu, 23 Jun 2022 at 04:55, Hangyu Hua <hbh25y@gmail.com> wrote: > > On 2022/5/18 15:57, Andrzej Hajda wrote: > > > > > > On 18.05.2022 08:58, Hangyu Hua wrote: > >> The next call to sii8620_burst_get_tx_buf will result in off-by-one > >> When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The > >> same > >> thing happens in sii8620_burst_get_rx_buf. > >> > >> This patch also change tx_count and tx_buf to rx_count and rx_buf in > >> sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and > >> use rx_buf. > >> > >> Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC > >> transmissions") > >> Signed-off-by: Hangyu Hua <hbh25y@gmail.com> > > Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com> > > > > Regards > > Andrzej > >> --- > >> drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++-- > >> 1 file changed, 2 insertions(+), 2 deletions(-) > >> > >> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c > >> b/drivers/gpu/drm/bridge/sil-sii8620.c > >> index ec7745c31da0..ab0bce4a988c 100644 > >> --- a/drivers/gpu/drm/bridge/sil-sii8620.c > >> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c > >> @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct > >> sii8620 *ctx, int len) > >> u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count]; > >> int size = len + 2; > >> - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { > >> + if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) { > >> dev_err(ctx->dev, "TX-BLK buffer exhausted\n"); > >> ctx->error = -EINVAL; > >> return NULL; 
> >> @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 > >> *ctx, int len) > >> u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count]; > >> int size = len + 1; > >> - if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { > >> + if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) { > >> dev_err(ctx->dev, "RX-BLK buffer exhausted\n"); > >> ctx->error = -EINVAL; > >> return NULL; > > > > Hi guys, > > Another patches for this module that I submitted at the same time as > this one have been merged. Is this patch forgotten to merge? Applied to drm-misc-next.
diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index ec7745c31da0..ab0bce4a988c 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len)
 u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count];
 int size = len + 2;
 
- if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
+ if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {
 dev_err(ctx->dev, "TX-BLK buffer exhausted\n");
 ctx->error = -EINVAL;
 return NULL;
@@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len)
 u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count];
 int size = len + 1;
 
- if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
+ if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) {
 dev_err(ctx->dev, "RX-BLK buffer exhausted\n");
 ctx->error = -EINVAL;
 return NULL;
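Review bot: `len` is a signed `int` and nothing in sii8620_burst_get_tx_buf rejects a negative value before `size = len + 2` feeds the bound test, so a `len` of -2 gives `size == 0` and passes the new `>=` comparison. Whether any caller can supply such a value is not visible here, and the code after `return NULL;` lies outside the hunk, but the check is where the buffer contract is enforced and an explicit guard is cheap: `if (len < 0 || ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {`. The second hunk has the same gap with `size = len + 1` in sii8620_burst_get_rx_buf, where it matters more if `len` is derived from data reported by the device.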
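Review bot: The `>=` in the RX check rejects a request that would fill `rx_buf` exactly, which reads like an off-by-one to anyone who has not seen the commit message, and the hunk adds no comment to stop it being changed back to `>`. `buf` is formed from `rx_count` on the first context line, before the check runs, so the stricter bound presumably exists to keep `rx_count` below the array size (the count update is outside the hunk) at the cost of one byte of capacity. A line such as `/* >= on purpose: rx_count must stay < ARRAY_SIZE(rx_buf), buf is computed before this check */` above the test would record that, with the matching comment on the TX check in the first hunk.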
The next call to sii8620_burst_get_tx_buf will result in an off-by-one when ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same thing happens in sii8620_burst_get_rx_buf.

This patch also changes tx_count and tx_buf to rx_count and rx_buf in sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and use rx_buf.

Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)