Re: [PATCH 1/4] drm/i915: Sanity check DP AUX message buffer and size

[Imre Deak <imre.deak@xxxxxxxxx>]

On ma, 2016-02-01 at 11:42 +0530, Thulasimani, Sivakumar wrote:
> 
> On 1/29/2016 6:22 PM, Imre Deak wrote:
> > While we are calling intel_dp_aux_transfer() with msg->size=0
> > whenever
> > msg->buffer is NULL, passing NULL to memcpy() is undefined
> > according to
> > the ISO C standard. I haven't found any notes about this in the GNU
> > C's
> > or the kernel's documentation of the function and can't imagine
> > what it
> > would do with the NULL ptr. To better document this use of the
> > parameters it still make sense to add an explicit check for this to
> > the
> > code.
> > 
> > Caught by Coverity.
> can you share more info on when is this scenario triggered ?

When sending a bare address packet at the start and end of the I2c over
AUX transfer. See drm_dp_i2c_xfer().

> > Signed-off-by: Imre Deak <imre.deak@xxxxxxxxx>
> > ---
> >   drivers/gpu/drm/i915/intel_dp.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/intel_dp.c
> > b/drivers/gpu/drm/i915/intel_dp.c
> > index e2bea710..2aed36e 100644
> > --- a/drivers/gpu/drm/i915/intel_dp.c
> > +++ b/drivers/gpu/drm/i915/intel_dp.c
> > @@ -979,7 +979,10 @@ intel_dp_aux_transfer(struct drm_dp_aux *aux,
> > struct drm_dp_aux_msg *msg)
> >   		if (WARN_ON(txsize > 20))
> >   			return -E2BIG;
> >   
> > -		memcpy(txbuf + HEADER_SIZE, msg->buffer, msg-
> > >size);
> > +		if (msg->buffer)
> > +			memcpy(txbuf + HEADER_SIZE, msg->buffer,
> > msg->size);
> > +		else
> > +			WARN_ON(msg->size);
> >   
> >   		ret = intel_dp_aux_ch(intel_dp, txbuf, txsize,
> > rxbuf, rxsize);
> >   		if (ret > 0) {
> 
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/intel-gfx