Message-ID: <aYXvCFo5X2l73tyZ@stanley.mountain>
Date: Fri, 6 Feb 2026 16:39:20 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Hamza Mahfooz <hamzamahfooz@...ux.microsoft.com>
Cc: amd-gfx@...ts.freedesktop.org,
	"SHANMUGAM, SRINIVASAN" <SRINIVASAN.SHANMUGAM@....com>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: [bug report] drm/amd/display: add DC changes for DCN351

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Hamza Mahfooz,

Commit 2728e9c7c842 ("drm/amd/display: add DC changes for DCN351")
from Feb 23, 2024 (linux-next), leads to the following Smatch static
checker warning:

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c:1284 dcn35_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn36/dcn36_resource.c:1285 dcn35_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn321/dcn321_resource.c:1222 dcn321_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn315/dcn315_resource.c:1252 dcn315_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn35/dcn35_resource.c:1304 dcn35_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:1241 dcn32_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn316/dcn316_resource.c:1245 dcn316_stream_encoder_create() index hardmax out of bounds 'stream_enc_regs[eng_id]' size=5 max='5' rl='s32min-5'

drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
    1246 static struct stream_encoder *dcn35_stream_encoder_create(
    1247         enum engine_id eng_id,
    1248         struct dc_context *ctx)
    1249 {
    1250         struct dcn10_stream_encoder *enc1;
    1251         struct vpg *vpg;
    1252         struct afmt *afmt;
    1253         int vpg_inst;
    1254         int afmt_inst;
    1255 
    1256         /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
    1257         if (eng_id <= ENGINE_ID_DIGF) {

ENGINE_ID_DIGF is 5.  Should <= be <?

Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative?
eng_id is type signed long, but there are checks in the caller which
prevent it from being negative.

    1258                 vpg_inst = eng_id;
    1259                 afmt_inst = eng_id;
    1260         } else
    1261                 return NULL;
    1262 
    1263         enc1 = kzalloc(sizeof(struct dcn10_stream_encoder), GFP_KERNEL);
    1264         vpg = dcn31_vpg_create(ctx, vpg_inst);
    1265         afmt = dcn31_afmt_create(ctx, afmt_inst);
    1266 
    1267         if (!enc1 || !vpg || !afmt) {
    1268                 kfree(enc1);
    1269                 kfree(vpg);
    1270                 kfree(afmt);
    1271                 return NULL;
    1272         }
    1273 
    1274 #undef REG_STRUCT
    1275 #define REG_STRUCT stream_enc_regs
    1276         stream_enc_regs_init(0),
    1277         stream_enc_regs_init(1),
    1278         stream_enc_regs_init(2),
    1279         stream_enc_regs_init(3),
    1280         stream_enc_regs_init(4);
    1281 
    1282         dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
    1283                                         eng_id, vpg, afmt,
--> 1284                                         &stream_enc_regs[eng_id],
                                                  ^^^^^^^^^^^^^^^^^^^^^^^
This stream_enc_regs[] array has 5 elements so we are one element
beyond the end of the array.

    1285                                         &se_shift, &se_mask);
    1286 
    1287         return &enc1->base;
    1288 }

regards,
dan carpenter
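
Added example, not part of the message above and not amdgpu code: a user-space model of the reported check next to a lookup whose bound is derived from the array itself. Only ENGINE_ID_DIGF == 5 and the 5-element array size come from the report; the struct, the register values and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* From the report: ENGINE_ID_DIGF is 5. The rest of the enum is omitted. */
enum engine_id { ENGINE_ID_DIGF = 5 };

/* Constructed stand-in for the register block; values are arbitrary. */
struct enc_regs { unsigned int base; };

/* From the report: the array has 5 elements (valid indices 0..4). */
static const struct enc_regs stream_enc_regs[5] = {
	{0x100}, {0x200}, {0x300}, {0x400}, {0x500},
};

/* The guard as it appears at line 1257: accepts 5 and any negative value. */
static int reported_check_accepts(long eng_id)
{
	return eng_id <= ENGINE_ID_DIGF;
}

/* Lookup bounded by the array size, so the check cannot drift from the
 * array definition. The negative test is defensive; the report notes that
 * callers already exclude negative values. */
static const struct enc_regs *regs_lookup(long eng_id)
{
	if (eng_id < 0 || (size_t)eng_id >= ARRAY_SIZE(stream_enc_regs))
		return NULL;
	return &stream_enc_regs[eng_id];
}

/* Count indices in [lo, hi] that pass the reported guard but lie outside
 * the array, i.e. the inputs that would index out of bounds. */
static int count_oob_accepted(long lo, long hi)
{
	int n = 0;
	for (long i = lo; i <= hi; i++)
		if (reported_check_accepts(i) && !regs_lookup(i))
			n++;
	return n;
}

int main(void)
{
	printf("out-of-bounds indices accepted in [0, 8]: %d\n",
	       count_oob_accepted(0, 8));
	return 0;
}
```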
