Message ID | 20230907091425.9526-1-jason-jh.lin@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v5] drm/mediatek: Fix coverity issue with unintentional integer overflow | expand |
Hi, Jason: On Thu, 2023-09-07 at 17:14 +0800, Jason-JH.Lin wrote: > 1. Instead of multiplying 2 variable of different types. Change to > assign a value of one variable and then multiply the other variable. > > 2. Add a int variable for multiplier calculation instead of > calculating > different types multiplier with dma_addr_t variable directly. Applied. Thanks. Regards, CK > > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update") > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com> > Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com> > Reviewed-by: AngeloGioacchino Del Regno < > angelogioacchino.delregno@collabora.com> > --- > Change in v5: > Add 'coverity issue' in title and code comments. > --- > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 +++++- > drivers/gpu/drm/mediatek/mtk_drm_plane.c | 39 ++++++++++++++++++-- > ---- > 2 files changed, 38 insertions(+), 10 deletions(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index 9f364df52478..f6632a0fe509 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file > *file_priv, struct drm_device *dev, > int ret; > > args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8); > - args->size = args->pitch * args->height; > + > + /* > + * Multiply 2 variables of different types, > + * for example: args->size = args->spacing * args->height; > + * may cause coverity issue with unintentional overflow. > + */ > + args->size = args->pitch; > + args->size *= args->height; > > mtk_gem = mtk_drm_gem_create(dev, args->size, false); > if (IS_ERR(mtk_gem)) > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > index db2f70ae060d..5acb03b7c6fe 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c 
> @@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > dma_addr_t addr; > dma_addr_t hdr_addr = 0; > unsigned int hdr_pitch = 0; > + int offset; > > gem = fb->obj[0]; > mtk_gem = to_mtk_gem_obj(gem); > @@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > modifier = fb->modifier; > > if (modifier == DRM_FORMAT_MOD_LINEAR) { > - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; > - addr += (new_state->src.y1 >> 16) * pitch; > + /* > + * Using dma_addr_t variable to calculate with > multiplier of different types, > + * for example: addr += (new_state->src.x1 >> 16) * fb- > >format->cpp[0]; > + * may cause coverity issue with unintentional > overflow. > + */ > + offset = (new_state->src.x1 >> 16) * fb->format- > >cpp[0]; > + addr += offset; > + offset = (new_state->src.y1 >> 16) * pitch; > + addr += offset; > } else { > int width_in_blocks = ALIGN(fb->width, > AFBC_DATA_BLOCK_WIDTH) > / AFBC_DATA_BLOCK_WIDTH; 
> @@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > / AFBC_DATA_BLOCK_HEIGHT; > int x_offset_in_blocks = (new_state->src.x1 >> 16) / > AFBC_DATA_BLOCK_WIDTH; > int y_offset_in_blocks = (new_state->src.y1 >> 16) / > AFBC_DATA_BLOCK_HEIGHT; > - int hdr_size; > + int hdr_size, hdr_offset; > > hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE; > pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH * > AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0]; > > hdr_size = ALIGN(hdr_pitch * height_in_blocks, > AFBC_HEADER_ALIGNMENT); > + hdr_offset = hdr_pitch * y_offset_in_blocks + > + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > + > + /* > + * Using dma_addr_t variable to calculate with > multiplier of different types, > + * for example: addr += hdr_pitch * y_offset_in_blocks; > + * may cause coverity issue with unintentional > overflow. > + */ > + hdr_addr = addr + hdr_offset; > > - hdr_addr = addr + hdr_pitch * y_offset_in_blocks + > - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > /* The data plane is offset by 1 additional block. */ > - addr = addr + hdr_size + > - pitch * y_offset_in_blocks + > - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * > - fb->format->cpp[0] * (x_offset_in_blocks + 1); > + offset = pitch * y_offset_in_blocks + > + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT > * > + fb->format->cpp[0] * (x_offset_in_blocks + 1); > + > + /* > + * Using dma_addr_t variable to calculate with > multiplier of different types, > + * for example: addr += pitch * y_offset_in_blocks; > + * may cause coverity issue with unintentional > overflow. > + */ > + addr = addr + hdr_size + offset; > } > > mtk_plane_state->pending.enable = true;
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 9f364df52478..f6632a0fe509 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev,
 int ret;
 args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
- args->size = args->pitch * args->height;
+
+ /*
+ * Multiply 2 variables of different types,
+ * for example: args->size = args->spacing * args->height;
+ * may cause coverity issue with unintentional overflow.
+ */
+ args->size = args->pitch;
+ args->size *= args->height;
 mtk_gem = mtk_drm_gem_create(dev, args->size, false);
 if (IS_ERR(mtk_gem))
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
index db2f70ae060d..5acb03b7c6fe 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
@@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 dma_addr_t addr;
 dma_addr_t hdr_addr = 0;
 unsigned int hdr_pitch = 0;
+ int offset;
 gem = fb->obj[0];
 mtk_gem = to_mtk_gem_obj(gem);
@@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 modifier = fb->modifier;
 if (modifier == DRM_FORMAT_MOD_LINEAR) {
- addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
- addr += (new_state->src.y1 >> 16) * pitch;
+ /*
+ * Using dma_addr_t variable to calculate with multiplier of different types,
+ * for example: addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
+ * may cause coverity issue with unintentional overflow.
+ */
+ offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+ addr += offset;
+ offset = (new_state->src.y1 >> 16) * pitch;
+ addr += offset;
 } else {
 int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
 / AFBC_DATA_BLOCK_WIDTH;
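Review bot: The new comment in mtk_drm_gem_dumb_create gives `args->size = args->spacing * args->height;` as its example, but the removed line multiplies `args->pitch` and no `spacing` field appears in the hunk; the example should read `args->size = args->pitch * args->height;`. The two-statement form works only because the multiply is then evaluated in the type of `args->size` (presumably the wider 64-bit field), and a single widened multiply such as `args->size = (u64)args->pitch * args->height;` would make that intent explicit. The context line `args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);` is untouched and still multiplies at the operands' own width, so if `width` and `bpp` can reach this function unbounded, the pitch can wrap and the buffer end up smaller than its dimensions imply; it is worth confirming that the caller rejects such values. The function body continues outside the hunk.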
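Review bot: `offset` is declared `int` in the @@ -141 hunk, so the products assigned to it in the linear branch (`(new_state->src.x1 >> 16) * fb->format->cpp[0]` and `(new_state->src.y1 >> 16) * pitch`) are still evaluated at 32-bit width, and only the already-truncated result is added to `addr`. Routing the value through a signed temporary also changes the conversion: on the usual two's-complement behaviour a product at or above 2^31 becomes negative and, where `dma_addr_t` is 64-bit, is sign-extended so the scanout address moves backwards instead of forwards. The same applies to `hdr_offset` and `offset` in the AFBC branch of the @@ -159 hunk. If overflow is actually reachable, widen an operand before multiplying, e.g. `addr += (dma_addr_t)(new_state->src.y1 >> 16) * pitch;`; if it is not, a comment naming the bound that rules it out would serve readers better than the Coverity reference. The declaration of `pitch` and the rest of the function lie outside these hunks, so its type is inferred here.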
@@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 / AFBC_DATA_BLOCK_HEIGHT;
 int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;
 int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;
- int hdr_size;
+ int hdr_size, hdr_offset;
 hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
 pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
 AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
 hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);
+ hdr_offset = hdr_pitch * y_offset_in_blocks +
+ AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
+
+ /*
+ * Using dma_addr_t variable to calculate with multiplier of different types,
+ * for example: addr += hdr_pitch * y_offset_in_blocks;
+ * may cause coverity issue with unintentional overflow.
+ */
+ hdr_addr = addr + hdr_offset;
- hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
- AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
 /* The data plane is offset by 1 additional block. */
- addr = addr + hdr_size +
- pitch * y_offset_in_blocks +
- AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
- fb->format->cpp[0] * (x_offset_in_blocks + 1);
+ offset = pitch * y_offset_in_blocks +
+ AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
+ fb->format->cpp[0] * (x_offset_in_blocks + 1);
+
+ /*
+ * Using dma_addr_t variable to calculate with multiplier of different types,
+ * for example: addr += pitch * y_offset_in_blocks;
+ * may cause coverity issue with unintentional overflow.
+ */
+ addr = addr + hdr_size + offset;
 }
 mtk_plane_state->pending.enable = true;
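Review bot: The two comment blocks added in the AFBC branch sit above the plain additions (`hdr_addr = addr + hdr_offset;` and `addr = addr + hdr_size + offset;`) rather than above the multiplications they describe. Their examples, `addr += hdr_pitch * y_offset_in_blocks;` and `addr += pitch * y_offset_in_blocks;`, also do not match the statements this hunk removes. A reader gets the same warning text three times in this function without learning what the code relies on. One comment at the `hdr_offset` computation would be enough, for instance `/* Block offsets are computed as int, then added to the dma_addr_t base. */`, ideally followed by the framebuffer size limit that keeps those products in range. The enclosing function starts and ends outside the hunk.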