Re: [PATCH] media: pci: ttpci: av7110: avoid compiler optimization of reading data[0] in debiirq()

[Sean Young]

On Sun, Aug 30, 2020 at 04:20:42PM +0800, Jia-Ju Bai wrote:
> In debiirq(), data_0 stores the value of data[0], but it can be dropped
> by compiler optimization. Thus, data[0] is read through READ_ONCE().
> 
> Fixes: 6499a0db9b0f ("media: pci: ttpci: av7110: fix possible buffer overflow 
> caused by bad DMA value in debiirq()")
> Reported-by: Pavel Machek <pa...@ucw.cz>

Pavel reported that your patch was garbage, if you are trying to defend
against a malicious pci device. READ_ONCE() will not help here.

Sean

> Signed-off-by: Jia-Ju Bai <baiji...@tsinghua.edu.cn>
> ---
>  drivers/media/pci/ttpci/av7110.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/ttpci/av7110.c 
> b/drivers/media/pci/ttpci/av7110.c
> index bf36b1e22b63..f7d098d5b198 100644
> --- a/drivers/media/pci/ttpci/av7110.c
> +++ b/drivers/media/pci/ttpci/av7110.c
> @@ -406,7 +406,7 @@ static void debiirq(unsigned long cookie)
>       case DATA_CI_GET:
>       {
>               u8 *data = av7110->debi_virt;
> -             u8 data_0 = data[0];
> +             u8 data_0 = READ_ONCE(data[0]);
>  
>               if (data_0 < 2 && data[2] == 0xff) {
>                       int flags = 0;
> -- 
> 2.17.1