[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f9adb530-89e6-40f4-af00-c6b407908817@linaro.org>
Date: Thu, 2 May 2024 09:26:56 +0200
From: Neil Armstrong <neil.armstrong@...aro.org>
To: Douglas Anderson <dianders@...omium.org>, dri-devel@...ts.freedesktop.org
Cc: Linus Walleij <linus.walleij@...aro.org>,
Jani Nikula <jani.nikula@...ux.intel.com>,
Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
Cong Yang <yangcong5@...qin.corp-partner.google.com>,
Hsin-Yi Wang <hsinyi@...gle.com>, Brian Norris <briannorris@...omium.org>,
Sam Ravnborg <sam@...nborg.org>,
Javier Martinez Canillas <javierm@...hat.com>, Joel Selvaraj
<jo@...amily.in>, lvzhaoxiong@...qin.corp-partner.google.com,
Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...il.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/9] drm/mipi-dsi: Fix theoretical int overflow in
mipi_dsi_generic_write_seq()
On 01/05/2024 17:41, Douglas Anderson wrote:
> The mipi_dsi_generic_write_seq() macro makes a call to
> mipi_dsi_generic_write() which returns a type ssize_t. The macro then
> stores it in an int and checks to see if it's negative. This could
> theoretically be a problem if "ssize_t" is larger than "int".
>
> To see the issue, imagine that "ssize_t" is 32-bits and "int" is
> 16-bits, you could see a problem if there was some code out there that
> looked like:
>
> mipi_dsi_generic_write_seq(dsi, <32768 bytes as arguments>);
>
> ...since we'd get back that 32768 bytes were transferred and 32768
> stored in a 16-bit int would look negative.
>
> Though there are no callsites where we'd actually hit this (even if
> "int" was only 16-bit), it's cleaner to make the types match so let's
> fix it.
>
> Fixes: a9015ce59320 ("drm/mipi-dsi: Add a mipi_dsi_dcs_write_seq() macro")
> Signed-off-by: Douglas Anderson <dianders@...omium.org>
> ---
>
> Changes in v3:
> - Use %zd in print instead of casting errors to int.
>
> Changes in v2:
> - New
>
> include/drm/drm_mipi_dsi.h | 22 +++++++++++-----------
> 1 file changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
> index 70ce0b8cbc68..e0f56564bf97 100644
> --- a/include/drm/drm_mipi_dsi.h
> +++ b/include/drm/drm_mipi_dsi.h
> @@ -314,17 +314,17 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
> * @dsi: DSI peripheral device
> * @seq: buffer containing the payload
> */
> -#define mipi_dsi_generic_write_seq(dsi, seq...) \
> - do { \
> - static const u8 d[] = { seq }; \
> - struct device *dev = &dsi->dev; \
> - int ret; \
> - ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d)); \
> - if (ret < 0) { \
> - dev_err_ratelimited(dev, "transmit data failed: %d\n", \
> - ret); \
> - return ret; \
> - } \
> +#define mipi_dsi_generic_write_seq(dsi, seq...) \
> + do { \
> + static const u8 d[] = { seq }; \
> + struct device *dev = &dsi->dev; \
> + ssize_t ret; \
> + ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d)); \
> + if (ret < 0) { \
> + dev_err_ratelimited(dev, "transmit data failed: %zd\n", \
> + ret); \
> + return ret; \
> + } \
> } while (0)
>
> /**
Reviewed-by: Neil Armstrong <neil.armstrong@...aro.org>
Powered by blists - more mailing lists