[<prev] [next>] [day] [month] [year] [list]
Message-ID: <c7a7f4ec1cc32825e66978a7fccc9306fd309abd.camel@mediatek.com>
Date: Tue, 12 Sep 2023 09:14:55 +0000
From: CK Hu (胡俊光) <ck.hu@...iatek.com>
To: Jason-JH Lin (林睿祥)
<Jason-JH.Lin@...iatek.com>,
"chunkuang.hu@...nel.org" <chunkuang.hu@...nel.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Singo Chang (張興國)
<Singo.Chang@...iatek.com>,
Johnson Wang (王聖鑫)
<Johnson.Wang@...iatek.com>,
Jason-ch Chen (陳建豪)
<Jason-ch.Chen@...iatek.com>,
Shawn Sung (宋孝謙)
<Shawn.Sung@...iatek.com>,
"linux-mediatek@...ts.infradead.org"
<linux-mediatek@...ts.infradead.org>,
Nancy Lin (林欣螢) <Nancy.Lin@...iatek.com>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
Project_Global_Chrome_Upstream_Group
<Project_Global_Chrome_Upstream_Group@...iatek.com>,
"amergnat@...libre.com" <amergnat@...libre.com>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"angelogioacchino.delregno@...labora.com"
<angelogioacchino.delregno@...labora.com>
Subject: Re: [PATCH v5] drm/mediatek: Fix coverity issue with unintentional
integer overflow
Hi, Jason:
On Thu, 2023-09-07 at 17:14 +0800, Jason-JH.Lin wrote:
> 1. Instead of multiplying 2 variable of different types. Change to
> assign a value of one variable and then multiply the other variable.
>
> 2. Add a int variable for multiplier calculation instead of
> calculating
> different types multiplier with dma_addr_t variable directly.
Applied. Thanks.
Regards,
CK
>
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@...iatek.com>
> Reviewed-by: Alexandre Mergnat <amergnat@...libre.com>
> Reviewed-by: AngeloGioacchino Del Regno <
> angelogioacchino.delregno@...labora.com>
> ---
> Change in v5:
> Add 'coverity issue' in title and code comments.
> ---
> drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 +++++-
> drivers/gpu/drm/mediatek/mtk_drm_plane.c | 39 ++++++++++++++++++--
> ----
> 2 files changed, 38 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index 9f364df52478..f6632a0fe509 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
> int ret;
>
> args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> - args->size = args->pitch * args->height;
> +
> + /*
> + * Multiply 2 variables of different types,
> + * for example: args->size = args->spacing * args->height;
> + * may cause coverity issue with unintentional overflow.
> + */
> + args->size = args->pitch;
> + args->size *= args->height;
>
> mtk_gem = mtk_drm_gem_create(dev, args->size, false);
> if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index db2f70ae060d..5acb03b7c6fe 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> dma_addr_t addr;
> dma_addr_t hdr_addr = 0;
> unsigned int hdr_pitch = 0;
> + int offset;
>
> gem = fb->obj[0];
> mtk_gem = to_mtk_gem_obj(gem);
> @@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> modifier = fb->modifier;
>
> if (modifier == DRM_FORMAT_MOD_LINEAR) {
> - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> - addr += (new_state->src.y1 >> 16) * pitch;
> + /*
> + * Using dma_addr_t variable to calculate with
> multiplier of different types,
> + * for example: addr += (new_state->src.x1 >> 16) * fb-
> >format->cpp[0];
> + * may cause coverity issue with unintentional
> overflow.
> + */
> + offset = (new_state->src.x1 >> 16) * fb->format-
> >cpp[0];
> + addr += offset;
> + offset = (new_state->src.y1 >> 16) * pitch;
> + addr += offset;
> } else {
> int width_in_blocks = ALIGN(fb->width,
> AFBC_DATA_BLOCK_WIDTH)
> / AFBC_DATA_BLOCK_WIDTH;
> @@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> / AFBC_DATA_BLOCK_HEIGHT;
> int x_offset_in_blocks = (new_state->src.x1 >> 16) /
> AFBC_DATA_BLOCK_WIDTH;
> int y_offset_in_blocks = (new_state->src.y1 >> 16) /
> AFBC_DATA_BLOCK_HEIGHT;
> - int hdr_size;
> + int hdr_size, hdr_offset;
>
> hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
> pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
> AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>
> hdr_size = ALIGN(hdr_pitch * height_in_blocks,
> AFBC_HEADER_ALIGNMENT);
> + hdr_offset = hdr_pitch * y_offset_in_blocks +
> + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +
> + /*
> + * Using dma_addr_t variable to calculate with
> multiplier of different types,
> + * for example: addr += hdr_pitch * y_offset_in_blocks;
> + * may cause coverity issue with unintentional
> overflow.
> + */
> + hdr_addr = addr + hdr_offset;
>
> - hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> /* The data plane is offset by 1 additional block. */
> - addr = addr + hdr_size +
> - pitch * y_offset_in_blocks +
> - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> - fb->format->cpp[0] * (x_offset_in_blocks + 1);
> + offset = pitch * y_offset_in_blocks +
> + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT
> *
> + fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +
> + /*
> + * Using dma_addr_t variable to calculate with
> multiplier of different types,
> + * for example: addr += pitch * y_offset_in_blocks;
> + * may cause coverity issue with unintentional
> overflow.
> + */
> + addr = addr + hdr_size + offset;
> }
>
> mtk_plane_state->pending.enable = true;
Powered by blists - more mailing lists