diff mbox series

drm: bridge: sii8620: fix possible off-by-one

Message ID 20220518065856.18936-1-hbh25y@gmail.com (mailing list archive)
State New, archived
Headers show
Series drm: bridge: sii8620: fix possible off-by-one | expand

Commit Message

Hangyu Hua May 18, 2022, 6:58 a.m. UTC
The next call to sii8620_burst_get_tx_buf will result in off-by-one
When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same
thing happens in sii8620_burst_get_rx_buf.

This patch also change tx_count and tx_buf to rx_count and rx_buf in
sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and
use rx_buf.

Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
 drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Andrzej Hajda May 18, 2022, 7:57 a.m. UTC | #1
On 18.05.2022 08:58, Hangyu Hua wrote:
> The next call to sii8620_burst_get_tx_buf will result in off-by-one
> When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same
> thing happens in sii8620_burst_get_rx_buf.
>
> This patch also change tx_count and tx_buf to rx_count and rx_buf in
> sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and
> use rx_buf.
>
> Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>

Regards
Andrzej
> ---
>   drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
> index ec7745c31da0..ab0bce4a988c 100644
> --- a/drivers/gpu/drm/bridge/sil-sii8620.c
> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c
> @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len)
>   	u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count];
>   	int size = len + 2;
>   
> -	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
> +	if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {
>   		dev_err(ctx->dev, "TX-BLK buffer exhausted\n");
>   		ctx->error = -EINVAL;
>   		return NULL;
> @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len)
>   	u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count];
>   	int size = len + 1;
>   
> -	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
> +	if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) {
>   		dev_err(ctx->dev, "RX-BLK buffer exhausted\n");
>   		ctx->error = -EINVAL;
>   		return NULL;
Hangyu Hua June 23, 2022, 2:55 a.m. UTC | #2
On 2022/5/18 15:57, Andrzej Hajda wrote:
> 
> 
> On 18.05.2022 08:58, Hangyu Hua wrote:
>> The next call to sii8620_burst_get_tx_buf will result in off-by-one
>> When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The 
>> same
>> thing happens in sii8620_burst_get_rx_buf.
>>
>> This patch also change tx_count and tx_buf to rx_count and rx_buf in
>> sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and
>> use rx_buf.
>>
>> Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC 
>> transmissions")
>> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
> 
> Regards
> Andrzej
>> ---
>>   drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c 
>> b/drivers/gpu/drm/bridge/sil-sii8620.c
>> index ec7745c31da0..ab0bce4a988c 100644
>> --- a/drivers/gpu/drm/bridge/sil-sii8620.c
>> +++ b/drivers/gpu/drm/bridge/sil-sii8620.c
>> @@ -605,7 +605,7 @@ static void *sii8620_burst_get_tx_buf(struct 
>> sii8620 *ctx, int len)
>>       u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count];
>>       int size = len + 2;
>> -    if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
>> +    if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {
>>           dev_err(ctx->dev, "TX-BLK buffer exhausted\n");
>>           ctx->error = -EINVAL;
>>           return NULL;
>> @@ -622,7 +622,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 
>> *ctx, int len)
>>       u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count];
>>       int size = len + 1;
>> -    if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
>> +    if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) {
>>           dev_err(ctx->dev, "RX-BLK buffer exhausted\n");
>>           ctx->error = -EINVAL;
>>           return NULL;
> 

Hi guys,

Another patches for this module that I submitted at the same time as
this one have been merged. Is this patch forgotten to merge?

Thanks,
Hangyu
diff mbox series

Patch

diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index ec7745c31da0..ab0bce4a988c 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -605,7 +605,7 @@  static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len)
 	u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count];
 	int size = len + 2;
 
-	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
+	if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) {
 		dev_err(ctx->dev, "TX-BLK buffer exhausted\n");
 		ctx->error = -EINVAL;
 		return NULL;
@@ -622,7 +622,7 @@  static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len)
 	u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count];
 	int size = len + 1;
 
-	if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) {
+	if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) {
 		dev_err(ctx->dev, "RX-BLK buffer exhausted\n");
 		ctx->error = -EINVAL;
 		return NULL;