Message ID | 20230621102247.10116-4-jason-jh.lin@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | Fix mediatek-drm coverity issues |
On 21/06/2023 12:22, Jason-JH.Lin wrote: > 1. Add casting before assign to avoid the unintentional integer > overflow or unintended sign extension. > 2. Add a int varriable for multiplier calculation instead of calculating > different types multiplier with dma_addr_t varriable directly. > > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update") > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com> > --- > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 ++- > drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++--------- > 2 files changed, 15 insertions(+), 10 deletions(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index a25b28d3ee90..da087d74612d 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev, > int ret; > > args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8); > - args->size = args->pitch * args->height; > + args->size = args->pitch; > + args->size *= args->height; > > mtk_gem = mtk_drm_gem_create(dev, args->size, false); > if (IS_ERR(mtk_gem)) > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > index 31f9420aff6f..1cd41454d545 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, > dma_addr_t addr; > dma_addr_t hdr_addr = 0; > unsigned int hdr_pitch = 0; > + int offset; I agree with Angelo, please set offset as unsigned. > > gem = fb->obj[0]; > mtk_gem = to_mtk_gem_obj(gem); 
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, > modifier = fb->modifier; > > if (modifier == DRM_FORMAT_MOD_LINEAR) { > - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; > - addr += (new_state->src.y1 >> 16) * pitch; > + offset = (new_state->src.x1 >> 16) * fb->format->cpp[0]; > + addr += offset; > + offset = (new_state->src.y1 >> 16) * pitch; > + addr += offset; > } else { > int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH) > / AFBC_DATA_BLOCK_WIDTH; > @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, > / AFBC_DATA_BLOCK_HEIGHT; > int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH; > int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT; > - int hdr_size; > + int hdr_size, hdr_offset; > > hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE; > pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH * > AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0]; > > hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT); > + hdr_offset = hdr_pitch * y_offset_in_blocks + > + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > + hdr_addr = addr + hdr_offset; > > - hdr_addr = addr + hdr_pitch * y_offset_in_blocks + > - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > /* The data plane is offset by 1 additional block. */ > - addr = addr + hdr_size + > - pitch * y_offset_in_blocks + > - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * > - fb->format->cpp[0] * (x_offset_in_blocks + 1); > + offset = pitch * y_offset_in_blocks + > + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * > + fb->format->cpp[0] * (x_offset_in_blocks + 1); > + addr = addr + hdr_size + offset; > } > > mtk_plane_state->pending.enable = true;
Hi Alexandre, Thanks for the reviews. On Wed, 2023-06-21 at 14:34 +0200, Alexandre Mergnat wrote: > > External email : Please do not click links or open attachments until > you have verified the sender or the content. > > > On 21/06/2023 12:22, Jason-JH.Lin wrote: > > 1. Add casting before assign to avoid the unintentional integer > > overflow or unintended sign extension. > > 2. Add a int varriable for multiplier calculation instead of > calculating > > different types multiplier with dma_addr_t varriable directly. > > > > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update") > > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com> > > --- > > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 ++- > > drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---- > ----- > > 2 files changed, 15 insertions(+), 10 deletions(-) > > > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > > index a25b28d3ee90..da087d74612d 100644 > > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > > @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file > *file_priv, struct drm_device *dev, > > int ret; > > > > args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8); > > -args->size = args->pitch * args->height; > > +args->size = args->pitch; > > +args->size *= args->height; > > > > mtk_gem = mtk_drm_gem_create(dev, args->size, false); > > if (IS_ERR(mtk_gem)) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > > index 31f9420aff6f..1cd41454d545 100644 > > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c 
> > @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > > dma_addr_t addr; > > dma_addr_t hdr_addr = 0; > > unsigned int hdr_pitch = 0; > > +int offset; > > I agree with Angelo, please set offset as unsigned. > I think offset should be unsigned, but since src.x1 and src.y1 are 'int'. That means 'unsigned int' offset will be very big when src.x1 or src.y1 is negative. So I just use 'int' for offset here. Regards, Jason-JH.Lin > > > > gem = fb->obj[0]; > > mtk_gem = to_mtk_gem_obj(gem); > > @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > > modifier = fb->modifier; > > > > if (modifier == DRM_FORMAT_MOD_LINEAR) { > > -addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; > > -addr += (new_state->src.y1 >> 16) * pitch; > > +offset = (new_state->src.x1 >> 16) * fb->format->cpp[0]; > > +addr += offset; > > +offset = (new_state->src.y1 >> 16) * pitch; > > +addr += offset; >
On 22/06/2023 10:02, Jason-JH Lin (林睿祥) wrote: >> drm_plane_state *new_state, >> > dma_addr_t addr; >> > dma_addr_t hdr_addr = 0; >> > unsigned int hdr_pitch = 0; >> > +int offset; >> >> I agree with Angelo, please set offset as unsigned. >> > I think offset should be unsigned, but since src.x1 and src.y1 are > 'int'. That means 'unsigned int' offset will be very big when src.x1 or > src.y1 is negative. > So I just use 'int' for offset here. Ok Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
Hi, Jason: On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote: > 1. Add casting before assign to avoid the unintentional integer > overflow or unintended sign extension. > 2. Add a int varriable for multiplier calculation instead of > calculating > different types multiplier with dma_addr_t varriable directly. I agree with these modification, but the title does not match the modification. Regards, CK > > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update") > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com> > --- > drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 ++- > drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++--------- > 2 files changed, 15 insertions(+), 10 deletions(-) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > index a25b28d3ee90..da087d74612d 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c > @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file > *file_priv, struct drm_device *dev, > int ret; > > args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8); > - args->size = args->pitch * args->height; > + args->size = args->pitch; > + args->size *= args->height; > > mtk_gem = mtk_drm_gem_create(dev, args->size, false); > if (IS_ERR(mtk_gem)) > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > index 31f9420aff6f..1cd41454d545 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c > @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > dma_addr_t addr; > dma_addr_t hdr_addr = 0; > unsigned int hdr_pitch = 0; > + int offset; > > gem = fb->obj[0]; > mtk_gem = to_mtk_gem_obj(gem); 
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > modifier = fb->modifier; > > if (modifier == DRM_FORMAT_MOD_LINEAR) { > - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; > - addr += (new_state->src.y1 >> 16) * pitch; > + offset = (new_state->src.x1 >> 16) * fb->format- > >cpp[0]; > + addr += offset; > + offset = (new_state->src.y1 >> 16) * pitch; > + addr += offset; > } else { > int width_in_blocks = ALIGN(fb->width, > AFBC_DATA_BLOCK_WIDTH) > / AFBC_DATA_BLOCK_WIDTH; > @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct > drm_plane_state *new_state, > / AFBC_DATA_BLOCK_HEIGHT; > int x_offset_in_blocks = (new_state->src.x1 >> 16) / > AFBC_DATA_BLOCK_WIDTH; > int y_offset_in_blocks = (new_state->src.y1 >> 16) / > AFBC_DATA_BLOCK_HEIGHT; > - int hdr_size; > + int hdr_size, hdr_offset; > > hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE; > pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH * > AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0]; > > hdr_size = ALIGN(hdr_pitch * height_in_blocks, > AFBC_HEADER_ALIGNMENT); > + hdr_offset = hdr_pitch * y_offset_in_blocks + > + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > + hdr_addr = addr + hdr_offset; > > - hdr_addr = addr + hdr_pitch * y_offset_in_blocks + > - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; > /* The data plane is offset by 1 additional block. */ > - addr = addr + hdr_size + > - pitch * y_offset_in_blocks + > - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * > - fb->format->cpp[0] * (x_offset_in_blocks + 1); > + offset = pitch * y_offset_in_blocks + > + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT > * > + fb->format->cpp[0] * (x_offset_in_blocks + 1); > + addr = addr + hdr_size + offset; > } > > mtk_plane_state->pending.enable = true;
Hi CK,

Thanks for the reviews.

On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
>
> On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> > overflow or unintended sign extension.
> > 2. Add an int variable for multiplier calculation instead of
> > calculating different types multiplier with dma_addr_t variable directly.
>
> I agree with these modifications, but the title does not match the
> modification.
>
> Regards,
> CK

I'll change the title and commit msg at the next version below:

Fix unintentional integer overflow in multiplying different types

1. Instead of multiplying 2 variables of different types, change to assign a value of one variable and then multiply the other variable.

2. Add an int variable for multiplier calculation instead of calculating different types multiplier with dma_addr_t variable directly.

Thanks!

Regards,
Jason-JH.Lin
From: Jason-JH Lin
> Sent: 14 July 2023 07:46
>
> Hi CK,
>
> Thanks for the reviews.
>
> On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > Hi, Jason:
> >
> > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > 1. Add casting before assign to avoid the unintentional integer
> > > overflow or unintended sign extension.
> > > 2. Add an int variable for multiplier calculation instead of
> > > calculating different types multiplier with dma_addr_t variable directly.
> >
> > I agree with these modifications, but the title does not match the
> > modification.
> >
> > Regards,
> > CK
>
> I'll change the title and commit msg at the next version below:
>
> Fix unintentional integer overflow in multiplying different types
>
> 1. Instead of multiplying 2 variables of different types, change to
> assign a value of one variable and then multiply the other variable.
>
> 2. Add an int variable for multiplier calculation instead of calculating
> different types multiplier with dma_addr_t variable directly.

I'm pretty sure the patch makes absolutely no difference.
In C all arithmetic is done with char/short (inc. unsigned) promoted to int.
So the only likely overflow is if the values exceed 2^31.
Since the temporaries you are using are 'int' this isn't true.

David
Hi David,

Thanks for the reviews.

On Mon, 2023-07-17 at 13:17 +0000, David Laight wrote:
> From: Jason-JH Lin
> > Sent: 14 July 2023 07:46
> >
> > Hi CK,
> >
> > Thanks for the reviews.
> >
> > On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > > Hi, Jason:
> > >
> > > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > > 1. Add casting before assign to avoid the unintentional integer
> > > > overflow or unintended sign extension.
> > > > 2. Add an int variable for multiplier calculation instead of
> > > > calculating different types multiplier with dma_addr_t variable directly.
> > >
> > > I agree with these modifications, but the title does not match the
> > > modification.
> > >
> > > Regards,
> > > CK
> >
> > I'll change the title and commit msg at the next version below:
> >
> > Fix unintentional integer overflow in multiplying different types
> >
> > 1. Instead of multiplying 2 variables of different types, change to
> > assign a value of one variable and then multiply the other variable.
> >
> > 2. Add an int variable for multiplier calculation instead of calculating
> > different types multiplier with dma_addr_t variable directly.
>
> I'm pretty sure the patch makes absolutely no difference.
> In C all arithmetic is done with char/short (inc. unsigned)
> promoted to int.

`char/short promoted to int` could you give me an example or more detail for this? I can't really understand about that. Thanks~

> So the only likely overflow is if the values exceed 2^31.
> Since the temporaries you are using are 'int' this isn't true.

According to the modification:

+ int offset; ...
- addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; - addr += (new_state->src.y1 >> 16) * pitch; + offset = (new_state->src.x1 >> 16) * fb->format->cpp[0]; + addr += offset; + offset = (new_state->src.y1 >> 16) * pitch; + addr += offset;

The main reason why I use `int offset` here is that src.x1 and src.y1 are `32bits int` defined in struct drm_rect { int x1, y1, x2, y2; };

We know that the values of `x1 * cpp` and `y1 * pitch` would never cause 32bits overflow actually. So I just add the same type `int offset` as a 32bits variable to avoid Coverity checker catching the unintentional overflow of `64bits addr += 32bits x1 * 8bits cpp` and `64bits addr += 32bits y1 * 32bits pitch`.

Another reason is that using `unsigned int offset` to store the calculation result of negative x1 and y1, offset may be a very big number because of overflow of `negative int`.

Do you agree with that?

Regards,
Jason-JH.Lin

> David
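The arithmetic debated in this thread, as an added example that is not code from the patch or from any participant. It assumes 32-bit `pitch`/`height`, a 64-bit `size` and a 64-bit DMA address; the function names and input values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed widths: 32-bit pitch/height, 64-bit size and DMA address. */

/* Single expression: the product is evaluated in 32 bits, then widened. */
uint64_t size_single_expr(uint32_t pitch, uint32_t height)
{
	uint64_t size = pitch * height;
	return size;
}

/* Split assignment: size is already 64-bit, so "*=" multiplies in 64 bits. */
uint64_t size_split_assign(uint32_t pitch, uint32_t height)
{
	uint64_t size = pitch;
	size *= height;
	return size;
}

/* Direct form: the 8-bit cpp is promoted to int, the product is an int, and
 * only the finished product is converted for the 64-bit "+=". */
uint64_t addr_direct(uint64_t addr, int x1, uint8_t cpp)
{
	addr += (x1 >> 16) * cpp; /* ">>" on negative int: arithmetic on GCC/Clang */
	return addr;
}

/* int temporary: the same int product, stored before the "+=". */
uint64_t addr_via_int(uint64_t addr, int x1, uint8_t cpp)
{
	int offset = (x1 >> 16) * cpp;
	addr += offset;
	return addr;
}

/* unsigned temporary: a negative product becomes a large positive value. */
uint64_t addr_via_unsigned(uint64_t addr, int x1, uint8_t cpp)
{
	unsigned int offset = (x1 >> 16) * cpp;
	addr += offset;
	return addr;
}

int main(void)
{
	/* Constructed inputs: 65536 x 65536 buffer; x1 = -2 in 16.16 format. */
	printf("size: single 0x%llx, split 0x%llx\n",
	       (unsigned long long)size_single_expr(65536, 65536),
	       (unsigned long long)size_split_assign(65536, 65536));
	printf("addr: direct 0x%llx, int 0x%llx, unsigned 0x%llx\n",
	       (unsigned long long)addr_direct(0x100001000ULL, -2 * 65536, 4),
	       (unsigned long long)addr_via_int(0x100001000ULL, -2 * 65536, 4),
	       (unsigned long long)addr_via_unsigned(0x100001000ULL, -2 * 65536, 4));
	return 0;
}
```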
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c index a25b28d3ee90..da087d74612d 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev, int ret; args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8); - args->size = args->pitch * args->height; + args->size = args->pitch; + args->size *= args->height; mtk_gem = mtk_drm_gem_create(dev, args->size, false); if (IS_ERR(mtk_gem)) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c index 31f9420aff6f..1cd41454d545 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, dma_addr_t addr; dma_addr_t hdr_addr = 0; unsigned int hdr_pitch = 0; + int offset; gem = fb->obj[0]; mtk_gem = to_mtk_gem_obj(gem); @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, modifier = fb->modifier; if (modifier == DRM_FORMAT_MOD_LINEAR) { - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0]; - addr += (new_state->src.y1 >> 16) * pitch; + offset = (new_state->src.x1 >> 16) * fb->format->cpp[0]; + addr += offset; + offset = (new_state->src.y1 >> 16) * pitch; + addr += offset; } else { int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH) / AFBC_DATA_BLOCK_WIDTH; 
@@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, / AFBC_DATA_BLOCK_HEIGHT; int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH; int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT; - int hdr_size; + int hdr_size, hdr_offset; hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE; pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0]; hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT); + hdr_offset = hdr_pitch * y_offset_in_blocks + + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; + hdr_addr = addr + hdr_offset; - hdr_addr = addr + hdr_pitch * y_offset_in_blocks + - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks; /* The data plane is offset by 1 additional block. */ - addr = addr + hdr_size + - pitch * y_offset_in_blocks + - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * - fb->format->cpp[0] * (x_offset_in_blocks + 1); + offset = pitch * y_offset_in_blocks + + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT * + fb->format->cpp[0] * (x_offset_in_blocks + 1); + addr = addr + hdr_size + offset; } mtk_plane_state->pending.enable = true;
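Review bot: In the mtk_drm_gem_dumb_create hunk, the two-statement form `args->size = args->pitch;` then `args->size *= args->height;` depends on the multiply being carried out in the type of args->size, but nothing in the code says so, and the commit message calls it "casting" although no cast is added. A one-line comment, or a single assignment with an explicit cast of one operand to the type of args->size, would make the intent visible to the next reader. The unchanged context line `args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);` still multiplies its two operands directly, so if overflow of a product is the concern it deserves the same look.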
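Review bot: In the hunk at -145 of mtk_plane_update_new_state, `int offset;` is added beside `dma_addr_t addr` and `unsigned int hdr_pitch` with no indication of why it is signed. The explanation given in the thread (src.x1 and src.y1 are int, so the offset may be negative) belongs in a short comment at the declaration, since review asked twice for it to be unsigned.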
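Review bot: In the DRM_FORMAT_MOD_LINEAR branch, `offset = (new_state->src.y1 >> 16) * pitch;` is evaluated in the types of its operands exactly as in the removed `addr += (new_state->src.y1 >> 16) * pitch;`, so the temporary only changes where the result is converted before it is added to addr. If the product can exceed the range of int, one operand should be widened before the multiply; if it cannot, a comment stating the bound would document why an int temporary is sufficient.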
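Review bot: In the AFBC branch, `hdr_offset = hdr_pitch * y_offset_in_blocks + ...` mixes `unsigned int hdr_pitch` (declared in the -145 hunk) with `int y_offset_in_blocks` and stores the result in `int hdr_offset`, so that product is computed as unsigned and then converted back to signed. Giving hdr_pitch and the block offsets the same signedness, or computing hdr_offset in one explicitly chosen type, would remove the implicit conversions that the commit message says it wants to avoid.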
1. Add casting before assign to avoid the unintentional integer overflow or unintended sign extension.
2. Add an int variable for multiplier calculation instead of calculating different types multiplier with dma_addr_t variable directly.

Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 ++-
 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 10 deletions(-)