LKML Archive on lore.kernel.org
* out-of-bounds array index
@ 2008-02-07 18:56 Jens Axboe
  2008-02-07 19:03 ` Jesse Barnes
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Jens Axboe @ 2008-02-07 18:56 UTC (permalink / raw)
  To: linux-kernel, jesse.barnes

Hi,

Just saw this from gcc:

drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
bounds
  CC [M]  drivers/char/drm/i915_dma.o
drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
bounds

It's this code:

        dev_priv->saveGR[0x18] =
                i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);

which looks legit, since saveGR is

        u8 saveGR[24];

It has been introduced by commit
ba8bbcf6ff4650712f64c0ef61139c73898e2165, which seems to be you Jesse.

-- 
Jens Axboe



* Re: out-of-bounds array index
  2008-02-07 18:56 out-of-bounds array index Jens Axboe
@ 2008-02-07 19:03 ` Jesse Barnes
  2008-02-07 19:15 ` Jesse Barnes
  2008-02-07 19:21 ` Jan Engelhardt
  2 siblings, 0 replies; 6+ messages in thread
From: Jesse Barnes @ 2008-02-07 19:03 UTC (permalink / raw)
  To: Jens Axboe; +Cc: linux-kernel

On Thursday, February 07, 2008 10:56 am Jens Axboe wrote:
> Hi,
>
> Just saw this from gcc:
>
> drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
> drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
> bounds
>   CC [M]  drivers/char/drm/i915_dma.o
> drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
> drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
> bounds
>
> It's this code:
>
>         dev_priv->saveGR[0x18] =
>                 i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);
>
> which looks legit, since saveGR is
>
>         u8 saveGR[24];
>
> It has been introduced by commit
> ba8bbcf6ff4650712f64c0ef61139c73898e2165, which seems to be you Jesse.

I'll take a look, thanks.

Jesse


* Re: out-of-bounds array index
  2008-02-07 18:56 out-of-bounds array index Jens Axboe
  2008-02-07 19:03 ` Jesse Barnes
@ 2008-02-07 19:15 ` Jesse Barnes
  2008-02-07 19:21 ` Jan Engelhardt
  2 siblings, 0 replies; 6+ messages in thread
From: Jesse Barnes @ 2008-02-07 19:15 UTC (permalink / raw)
  To: Jens Axboe; +Cc: linux-kernel, torvalds

On Thursday, February 07, 2008 10:56 am Jens Axboe wrote:
> Hi,
>
> Just saw this from gcc:
>
> drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
> drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
> bounds
>   CC [M]  drivers/char/drm/i915_dma.o
> drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
> drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
> bounds
>
> It's this code:
>
>         dev_priv->saveGR[0x18] =
>                 i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);
>
> which looks legit, since saveGR is
>
>         u8 saveGR[24];
>
> It has been introduced by commit
> ba8bbcf6ff4650712f64c0ef61139c73898e2165, which seems to be you Jesse.

Just a silly off by one, don't know why I didn't catch it earlier.  I'll push 
the fix to the drm tree.  Linus, you may want to take it in parallel.

Jesse

Make sure we have enough room for all the GR registers or we'll end up 
clobbering the AR index register (which should actually be harmless unless 
the BIOS is making an assumption about it).

Signed-off-by:  Jesse Barnes <jesse.barnes@intel.com>

diff --git a/drivers/char/drm/i915_drv.h b/drivers/char/drm/i915_drv.h
index 37bbf67..f8308bf 100644
--- a/drivers/char/drm/i915_drv.h
+++ b/drivers/char/drm/i915_drv.h
@@ -187,7 +187,7 @@ typedef struct drm_i915_private {
 	u32 saveSWF2[3];
 	u8 saveMSR;
 	u8 saveSR[8];
-	u8 saveGR[24];
+	u8 saveGR[25];
 	u8 saveAR_INDEX;
 	u8 saveAR[20];
 	u8 saveDACMASK;
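
Review bot: the new bound on the "+	u8 saveGR[25];" line is a bare number whose only justification is the saveGR[0x18] access in i915_drv.c, so nothing ties the array size to the highest index and the two can drift apart again. Consider deriving the size from a named constant for the last GR index, or at least adding a comment that indices 0x00 through 0x18 are saved. The neighbouring saveSR[8] and saveAR[20] in the same context are sized the same way, so their highest indices in the suspend/resume paths are worth checking too. The commit message would also be easier to track with a subject line and a reference to commit ba8bbcf6ff4650712f64c0ef61139c73898e2165, which the thread identifies as introducing the access.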


* Re: out-of-bounds array index
  2008-02-07 18:56 out-of-bounds array index Jens Axboe
  2008-02-07 19:03 ` Jesse Barnes
  2008-02-07 19:15 ` Jesse Barnes
@ 2008-02-07 19:21 ` Jan Engelhardt
  2008-02-07 19:28   ` Jesse Barnes
  2 siblings, 1 reply; 6+ messages in thread
From: Jan Engelhardt @ 2008-02-07 19:21 UTC (permalink / raw)
  To: Jens Axboe; +Cc: linux-kernel, jesse.barnes


On Feb 7 2008 19:56, Jens Axboe wrote:
>
>Just saw this from gcc:
>
>drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
>drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
>bounds
>  CC [M]  drivers/char/drm/i915_dma.o
>drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
>drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
>bounds
>
>It's this code:
>
>        dev_priv->saveGR[0x18] =
>                i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);
>
>which looks legit, since saveGR is

It is not legit at all. 0x18 is the 25th position in the array,
but it is only 24 big. (Excluding play-hide-and-seek games like
allocating more in case of malloc or char *foo[0].)


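The off-by-one discussed in the messages above (index 0x18 into a 24-entry array, landing on the AR index field as the patch description says), as an added example that is not part of any message in this thread or of the i915 driver. It reproduces only the u8 fields visible in the patch hunk; GR_LAST_INDEX, DEFINE_PRIV, FIELD_SIZE and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
#define GR_LAST_INDEX 0x18	/* hypothetical name for the index in the quoted code */

/* Constructed excerpt of drm_i915_private: the u8 fields around saveGR. */
#define DEFINE_PRIV(name, gr_len)					\
	struct name {							\
		u8 saveMSR;						\
		u8 saveSR[8];						\
		u8 saveGR[gr_len];					\
		u8 saveAR_INDEX;					\
		u8 saveAR[20];						\
	}
DEFINE_PRIV(priv_before, 24);			/* layout before the patch */
DEFINE_PRIV(priv_after, GR_LAST_INDEX + 1);	/* size tied to the index */

#define FIELD_SIZE(type, field) sizeof(((type *)0)->field)

/* Build-time guard: compilation fails if saveGR cannot hold GR_LAST_INDEX. */
_Static_assert(FIELD_SIZE(struct priv_after, saveGR) > GR_LAST_INDEX,
	       "saveGR too small for GR_LAST_INDEX");

/* 1 if idx is a valid saveGR element before / after the patch, else 0. */
int gr_fits_before(size_t idx) { return idx < FIELD_SIZE(struct priv_before, saveGR); }
int gr_fits_after(size_t idx)  { return idx < FIELD_SIZE(struct priv_after, saveGR); }

/* 1 if the byte addressed by saveGR[idx] is saveAR_INDEX in the old layout.
 * Computed from offsets only; no out-of-bounds access is performed. */
int gr_hits_ar_index_before(size_t idx)
{
	return offsetof(struct priv_before, saveGR) + idx ==
	       offsetof(struct priv_before, saveAR_INDEX);
}

int main(void)
{
	printf("before: fits=%d hits saveAR_INDEX=%d; after: fits=%d\n",
	       gr_fits_before(GR_LAST_INDEX),
	       gr_hits_ar_index_before(GR_LAST_INDEX),
	       gr_fits_after(GR_LAST_INDEX));
	return 0;
}
```
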

* Re: out-of-bounds array index
  2008-02-07 19:21 ` Jan Engelhardt
@ 2008-02-07 19:28   ` Jesse Barnes
  2008-02-07 20:01     ` Jens Axboe
  0 siblings, 1 reply; 6+ messages in thread
From: Jesse Barnes @ 2008-02-07 19:28 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Jens Axboe, linux-kernel

On Thursday, February 07, 2008 11:21 am Jan Engelhardt wrote:
> On Feb 7 2008 19:56, Jens Axboe wrote:
> >Just saw this from gcc:
> >
> >drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
> >drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
> >bounds
> >  CC [M]  drivers/char/drm/i915_dma.o
> >drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
> >drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
> >bounds
> >
> >It's this code:
> >
> >        dev_priv->saveGR[0x18] =
> >                i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);
> >
> >which looks legit, since saveGR is
>
> It is not legit at all. 0x18 is the 25th position in the array,
> but it is only 24 big. (Excluding play-hide-and-seek games like
> allocating more in case of malloc or char *foo[0].)

I think he was saying that the warning was legit.  Anyway, my gcc isn't smart 
enough to emit warnings like this, maybe it's time to upgrade...

Jesse


* Re: out-of-bounds array index
  2008-02-07 19:28   ` Jesse Barnes
@ 2008-02-07 20:01     ` Jens Axboe
  0 siblings, 0 replies; 6+ messages in thread
From: Jens Axboe @ 2008-02-07 20:01 UTC (permalink / raw)
  To: Jesse Barnes; +Cc: Jan Engelhardt, linux-kernel

On Thu, Feb 07 2008, Jesse Barnes wrote:
> On Thursday, February 07, 2008 11:21 am Jan Engelhardt wrote:
> > On Feb 7 2008 19:56, Jens Axboe wrote:
> > >Just saw this from gcc:
> > >
> > >drivers/char/drm/i915_drv.c: In function ‘i915_suspend’:
> > >drivers/char/drm/i915_drv.c:173: warning: array subscript is above array
> > >bounds
> > >  CC [M]  drivers/char/drm/i915_dma.o
> > >drivers/char/drm/i915_drv.c: In function ‘i915_resume’:
> > >drivers/char/drm/i915_drv.c:220: warning: array subscript is above array
> > >bounds
> > >
> > >It's this code:
> > >
> > >        dev_priv->saveGR[0x18] =
> > >                i915_read_indexed(VGA_GR_INDEX, VGA_GR_DATA, 0x18);
> > >
> > >which looks legit, since saveGR is
> >
> > It is not legit at all. 0x18 is the 25th position in the array,
> > but it is only 24 big. (Excluding play-hide-and-seek games like
> > allocating more in case of malloc or char *foo[0].)
> 
> I think he was saying that the warning was legit.  Anyway, my gcc isn't smart 
> enough to emit warnings like this, maybe it's time to upgrade...

of course, the reference was to the warning (I do know C and array
indexing 101 :-)

-- 
Jens Axboe

