<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>If it’s correct I’d like to see it make its way upstream. I have no idea what the submission procedure is.</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:imirkin@alum.mit.edu">Ilia Mirkin</a><br><b>Sent: </b>Thursday, January 20, 2022 11:24 AM<br><b>To: </b><a href="mailto:nick@glowingmonkey.org">Nick Lopez</a><br><b>Cc: </b><a href="mailto:nouveau@lists.freedesktop.org">nouveau@lists.freedesktop.org</a><br><b>Subject: </b>Re: [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This stuff is always so confusing. Let's think this through.... if</p><p class=MsoNormal>bios size is 4, and we're trying to read a 4-byte thing starting at</p><p class=MsoNormal>address 0, that _ought_ to work, I think. So in my strawman case,</p><p class=MsoNormal>bios->size == 4, and size == 4. So we should only error if size ></p><p class=MsoNormal>bios->size, not if they're ==. Looks like your patch is right.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Want to make a linux kernel patch submission with this? (i.e.</p><p class=MsoNormal>including changelog, signoff, etc?)</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Cheers,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> -ilia</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On Thu, Jan 20, 2022 at 1:17 PM Nick Lopez <nick@glowingmonkey.org> wrote:</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Because I watch too much retro YouTube I decided it was a good idea to try installing Adelie Linux on my old G4/800 eMac, but the Live installer would freeze. 
By blacklisting nouveau I was able to get it booted and manually installed and, after hours and hours of compiling, get a working kernel tree to poke at. After only a few iterations with dump_stack() and nvkm_debug and the output of envytools/nvbios I worked out that the last initscript instruction was stored in the last byte of the ROM. I think the bounds check in the nvbios_addr() function is miscalculating the limit as one byte short; that’s why I was seeing this in the syslog:</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau 0000:00:10.0: bios: OOB 1 000007b2 000007b2</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau 0000:00:10.0: devinit: 0x000007b2[ ]: unknown opcode 0x00</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau 0000:00:10.0: preinit failed with -22</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau: DRM-master:00000000:00000080: init failed with -22</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau 0000:00:10.0: DRM-master: Device allocation failed: -22</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> nouveau: probe of 0000:00:10.0 failed with error -22</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> After I changed the limit check from:</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> if (unlikely(*addr + size >= bios->size)) {</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> to:</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> if (unlikely(*addr + size > bios->size)) {</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> it initialized the card properly, brought up the fbconsole and even seems to be working in X with DRI. 
So the question is: was the bounds check wrong, or is the NVDA,BMP image provided by OpenFirmware truncated? I’m guessing this doesn’t turn up elsewhere because the ROM images read through any of the other methods are the size of the flash chip they’re stored on, so there’s always unused space at the end and they never use the last byte, whereas the NVDA,BMP provided by OpenFirmware is just the active section.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> The patch is against the Adelie easy-kernel patch 5.4 tree, but it looks like that code is still there in the current upstream torvalds/linux git.</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
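To make the two comparisons in the thread concrete, the following is an added example (not code from the thread, nor from nouveau) that models the nvbios_addr() limit check as standalone C functions and runs them against a constructed image of 0x7b3 bytes, so that 0x7b2 is its last byte as the syslog line shows; the struct, function names, and the 0x71 opcode value are assumptions. It also adds an overflow-safe form of the check, which the thread itself does not discuss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the nouveau bios object: a buffer and its length. */
struct bios_image {
    const uint8_t *data;
    uint32_t size;
};

/* Limit check as it was before the patch: a read that ends exactly at
 * bios->size (i.e. one that touches the last byte) is wrongly rejected. */
bool in_bounds_old(const struct bios_image *b, uint32_t addr, uint32_t size)
{
    return !(addr + size >= b->size);
}

/* Limit check as patched in the thread: ending exactly at bios->size is fine. */
bool in_bounds_patched(const struct bios_image *b, uint32_t addr, uint32_t size)
{
    return !(addr + size > b->size);
}

/* Overflow-safe form (an addition here, not part of the thread): never forms
 * addr + size, so a huge addr cannot wrap around and slip past the check. */
bool in_bounds_safe(const struct bios_image *b, uint32_t addr, uint32_t size)
{
    return size <= b->size && addr <= b->size - size;
}

/* Fetches the byte at addr if a size-byte read there passes the chosen check; -1 on OOB. */
int read_opcode(const struct bios_image *b, uint32_t addr, uint32_t size,
                bool (*check)(const struct bios_image *, uint32_t, uint32_t))
{
    if (!check(b, addr, size))
        return -1;
    return b->data[addr];
}

/* Constructed image of 0x7b3 bytes, so 0x7b2 is its last byte; the 0x71 placed
 * there stands in for the final initscript opcode (assumed value). */
#define IMG_SIZE 0x7b3u
static uint8_t img[IMG_SIZE];

struct bios_image make_image(void)
{
    memset(img, 0, sizeof img);
    img[IMG_SIZE - 1] = 0x71;
    return (struct bios_image){ img, IMG_SIZE };
}
```

With the old check the 1-byte read at 0x7b2 is refused exactly as in the "OOB 1 000007b2" line, while the patched check accepts it and still refuses a read starting at 0x7b3; Ilia's strawman (a 4-byte read at 0 from a 4-byte image) behaves the same way.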