[Intel-gfx] [PATCH 1/4] drm/i915: Sanity check DP AUX message buffer and size
Imre Deak
imre.deak at intel.com
Mon Feb 1 11:38:22 UTC 2016
On ma, 2016-02-01 at 11:42 +0530, Thulasimani, Sivakumar wrote:
>
> On 1/29/2016 6:22 PM, Imre Deak wrote:
> > While we are calling intel_dp_aux_transfer() with msg->size=0
> > whenever
> > msg->buffer is NULL, passing NULL to memcpy() is undefined
> > according to
> > the ISO C standard. I haven't found any notes about this in the GNU
> > C's
> > or the kernel's documentation of the function and can't imagine
> > what it
> > would do with the NULL ptr. To better document this use of the
> > parameters it still make sense to add an explicit check for this to
> > the
> > code.
> >
> > Caught by Coverity.
> can you share more info on when is this scenario triggered ?
When sending a bare address packet at the start and end of the I2c over
AUX transfer. See drm_dp_i2c_xfer().
> > Signed-off-by: Imre Deak <imre.deak at intel.com>
> > ---
> > drivers/gpu/drm/i915/intel_dp.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/i915/intel_dp.c
> > b/drivers/gpu/drm/i915/intel_dp.c
> > index e2bea710..2aed36e 100644
> > --- a/drivers/gpu/drm/i915/intel_dp.c
> > +++ b/drivers/gpu/drm/i915/intel_dp.c
> > @@ -979,7 +979,10 @@ intel_dp_aux_transfer(struct drm_dp_aux *aux,
> > struct drm_dp_aux_msg *msg)
> > if (WARN_ON(txsize > 20))
> > return -E2BIG;
> >
> > - memcpy(txbuf + HEADER_SIZE, msg->buffer, msg-
> > >size);
> > + if (msg->buffer)
> > + memcpy(txbuf + HEADER_SIZE, msg->buffer,
> > msg->size);
> > + else
> > + WARN_ON(msg->size);
> >
> > ret = intel_dp_aux_ch(intel_dp, txbuf, txsize,
> > rxbuf, rxsize);
> > if (ret > 0) {
>
More information about the Intel-gfx
mailing list