linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mihai Moldovan <ionic@ionic.de>
To: Daniel Vetter <daniel@ffwll.ch>
Cc: Jani Nikula <jani.nikula@intel.com>,
	intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/1] hopefully fix null pointer dereference on i915 load
Date: Mon, 13 Aug 2012 17:27:00 +0200	[thread overview]
Message-ID: <50291CC4.4090604@ionic.de> (raw)
In-Reply-To: <20120813150955.GD5248@phenom.ffwll.local>

[-- Attachment #1: Type: text/plain, Size: 2508 bytes --]

* On 13.08.2012 05:09 PM, Daniel Vetter wrote:
> On Mon, Aug 13, 2012 at 05:03:24PM +0200, Mihai Moldovan wrote:
>> Hi Jani,
>>
>> The reason sounds sane to me, but while looking through the code, I have seen a
>> few other problems, too.
>>
>> To my understanding, we should use port for dev_priv->gmbus[], not the pin
>> mapping (which is only used for gmbus_ports[]).
>> Don't forget to add the +1 for pin -> port mapping to the error case.
>>
>> Also, intel_gmbus_get_adapter is already accepting a port value (I made sure to
>> look at the calls in other files too), so don't map the port back to a pin.
>>
>> Keep the same in mind for the intel_teardown_gmbus "destructor".
>>
>> The current code adds the gmbus algorithm (gmbus_xfer) to gmbus port 0, which is
>> known as "disabled" and shouldn't be used (previously has_gpio was set to false
>> for those ports to not do any transfer on those ports.)
>>
>> I may be wrong, could you review this and maybe add it to your patch?
> This seems to essentially undo
>
> commit 2ed06c93a1fce057808894d73167aae03c76deaf
> Author: Daniel Kurtz <djkurtz@chromium.org>
> Date:   Wed Mar 28 02:36:15 2012 +0800
>
>     drm/i915/intel_i2c: gmbus disabled and reserved ports are invalid
>
> Note that port numbers start at 1, whereas the array is 0-index based. So
> you patch here would blow up if you don't extend the dev_priv->gmbus
> array.

Uhm, no, quite on the contrary. gmbus starts at 0 (with idx 0 being labeled
"disabled" and idx ((GMBUS_NUM_PORTS == 6) + 1) being labeled "reserved", which
neither should be touched).
Thus, in effect, it starts with 1 and ends with 6, but the current code does not
take that into account, instead accessing elements from 0 onwards:

The code currently would access *dev_priv->gmbus[0] in the first iteration,
which is labeled as "disabled" and shouldn't be touched. Instead, we should do a
pin->port mapping and access *dev_priv->gmbus[1, 2, 3 ... 6] instead (with
*dev_priv->gmbus[7] left out, as it's marked as "reserved" and again shouldn't
be touched.)

However, accessing gmbus_ports[0] is fine, and we can then copy
gmbus_ports[0].name to  *dev_priv->gmbus[1]->adapter.name
                     ^ pin                          
                                                 ^ port

Blowing up seems impossible too, as GMBUS_NUM_PORTS is #defined as END_PORT -
BEGIN_PORT + 1 which will evaluate to 6 and be the last index used.

Best regards,


Mihai


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4506 bytes --]

  reply	other threads:[~2012-08-13 15:27 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-08  4:50 null pointer dereference while loading i915 Mihai Moldovan
2012-08-10 10:10 ` Daniel Vetter
2012-08-10 16:05   ` Mihai Moldovan
2012-08-10 16:39     ` Daniel Vetter
2012-08-10 17:44       ` Mihai Moldovan
2012-08-10 23:09         ` Mihai Moldovan
2012-08-13 14:33         ` [PATCH 0/1] hopefully fix null pointer dereference on i915 load Jani Nikula
2012-08-13 14:33           ` [PATCH 1/1] drm/i915: ensure i2c adapter is all set before adding it Jani Nikula
2012-08-13 17:05             ` Daniel Vetter
2012-08-13 15:03           ` [PATCH 0/1] hopefully fix null pointer dereference on i915 load Mihai Moldovan
2012-08-13 15:09             ` Daniel Vetter
2012-08-13 15:27               ` Mihai Moldovan [this message]
2012-08-13 16:15                 ` Mihai Moldovan
2012-08-14  6:17                   ` Jani Nikula

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50291CC4.4090604@ionic.de \
    --to=ionic@ionic.de \
    --cc=daniel@ffwll.ch \
    --cc=intel-gfx@lists.freedesktop.org \
    --cc=jani.nikula@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).