[v3,3/4] drm/mediatek: Add casting before assign

Message ID	20230621102247.10116-4-jason-jh.lin@mediatek.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> From: Jason-JH.Lin <jason-jh.lin@mediatek.com> To: Chun-Kuang Hu <chunkuang.hu@kernel.org>, AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>, Alexandre Mergnat <amergnat@baylibre.com> CC: Matthias Brugger <matthias.bgg@gmail.com>, Jason-ch Chen <jason-ch.chen@mediatek.com>, Johnson Wang <johnson.wang@mediatek.com>, "Jason-JH . Lin" <jason-jh.lin@mediatek.com>, Singo Chang <singo.chang@mediatek.com>, Nancy Lin <nancy.lin@mediatek.com>, Shawn Sung <shawn.sung@mediatek.com>, <dri-devel@lists.freedesktop.org>, <linux-mediatek@lists.infradead.org>, <linux-arm-kernel@lists.infradead.org>, <linux-kernel@vger.kernel.org>, <Project_Global_Chrome_Upstream_Group@mediatek.com> Subject: [PATCH v3 3/4] drm/mediatek: Add casting before assign Date: Wed, 21 Jun 2023 18:22:46 +0800 Message-ID: <20230621102247.10116-4-jason-jh.lin@mediatek.com> In-Reply-To: <20230621102247.10116-1-jason-jh.lin@mediatek.com> References: <20230621102247.10116-1-jason-jh.lin@mediatek.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	Fix mediatek-drm coverity issues \| expand [v3,0/4] Fix mediatek-drm coverity issues [v3,1/4] drm/mediatek: Remove freeing not dynamic allocated memory [v3,2/4] drm/mediatek: Add cnt checking for coverity issue [v3,3/4] drm/mediatek: Add casting before assign [v3,4/4] drm/mediatek: Fix dereference before null check

Jason-JH.Lin June 21, 2023, 10:22 a.m. UTC

1. Add casting before assign to avoid the unintentional integer
   overflow or unintended sign extension.
2. Add a int varriable for multiplier calculation instead of calculating
   different types multiplier with dma_addr_t varriable directly.

Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 10 deletions(-)

Alexandre Mergnat June 21, 2023, 12:34 p.m. UTC | #1

On 21/06/2023 12:22, Jason-JH.Lin wrote:
> 1. Add casting before assign to avoid the unintentional integer
>     overflow or unintended sign extension.
> 2. Add a int varriable for multiplier calculation instead of calculating
>     different types multiplier with dma_addr_t varriable directly.
> 
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> ---
>   drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
>   drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
>   2 files changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index a25b28d3ee90..da087d74612d 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev,
>   	int ret;
>   
>   	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> -	args->size = args->pitch * args->height;
> +	args->size = args->pitch;
> +	args->size *= args->height;
>   
>   	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
>   	if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 31f9420aff6f..1cd41454d545 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   	dma_addr_t addr;
>   	dma_addr_t hdr_addr = 0;
>   	unsigned int hdr_pitch = 0;
> +	int offset;

I agree with Angelo, please set offset as unsigned.

>   
>   	gem = fb->obj[0];
>   	mtk_gem = to_mtk_gem_obj(gem);
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   	modifier = fb->modifier;
>   
>   	if (modifier == DRM_FORMAT_MOD_LINEAR) {
> -		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> -		addr += (new_state->src.y1 >> 16) * pitch;
> +		offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
> +		addr += offset;
> +		offset = (new_state->src.y1 >> 16) * pitch;
> +		addr += offset;
>   	} else {
>   		int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
>   				      / AFBC_DATA_BLOCK_WIDTH;
> @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   				       / AFBC_DATA_BLOCK_HEIGHT;
>   		int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;
>   		int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;
> -		int hdr_size;
> +		int hdr_size, hdr_offset;
>   
>   		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
>   		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
>   			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>   
>   		hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);
> +		hdr_offset = hdr_pitch * y_offset_in_blocks +
> +			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +		hdr_addr = addr + hdr_offset;
>   
> -		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> -			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
>   		/* The data plane is offset by 1 additional block. */
> -		addr = addr + hdr_size +
> -		       pitch * y_offset_in_blocks +
> -		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> -		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		offset = pitch * y_offset_in_blocks +
> +			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> +			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		addr = addr + hdr_size + offset;
>   	}
>   
>   	mtk_plane_state->pending.enable = true;

Jason-JH.Lin June 22, 2023, 8:02 a.m. UTC | #2

Hi Alexandre,

Thanks for the reviews.

On Wed, 2023-06-21 at 14:34 +0200, Alexandre Mergnat wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  
> 
> On 21/06/2023 12:22, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> >     overflow or unintended sign extension.
> > 2. Add a int varriable for multiplier calculation instead of
> calculating
> >     different types multiplier with dma_addr_t varriable directly.
> > 
> > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> > ---
> >   drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
> >   drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++----
> -----
> >   2 files changed, 15 insertions(+), 10 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > index a25b28d3ee90..da087d74612d 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
> >   int ret;
> >   
> >   args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> > -args->size = args->pitch * args->height;
> > +args->size = args->pitch;
> > +args->size *= args->height;
> >   
> >   mtk_gem = mtk_drm_gem_create(dev, args->size, false);
> >   if (IS_ERR(mtk_gem))
> > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > index 31f9420aff6f..1cd41454d545 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> >   dma_addr_t addr;
> >   dma_addr_t hdr_addr = 0;
> >   unsigned int hdr_pitch = 0;
> > +int offset;
> 
> I agree with Angelo, please set offset as unsigned.
> 
I think offset should be unsigned, but since src.x1 and src.y1 are
'int'. That means 'unsigned int' offset will be very big when src.x1 or
src.y1 is negative.
So I just use 'int' for offset here.

Regards,
Jason-JH.Lin

> >   
> >   gem = fb->obj[0];
> >   mtk_gem = to_mtk_gem_obj(gem);
> > @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> >   modifier = fb->modifier;
> >   
> >   if (modifier == DRM_FORMAT_MOD_LINEAR) {
> > -addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> > -addr += (new_state->src.y1 >> 16) * pitch;
> > +offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
> > +addr += offset;
> > +offset = (new_state->src.y1 >> 16) * pitch;
> > +addr += offset;
>

Alexandre Mergnat July 12, 2023, 1:07 p.m. UTC | #3

On 22/06/2023 10:02, Jason-JH Lin (林睿祥) wrote:
>> drm_plane_state *new_state,
>> >   dma_addr_t addr;
>> >   dma_addr_t hdr_addr = 0;
>> >   unsigned int hdr_pitch = 0;
>> > +int offset;
>> 
>> I agree with Angelo, please set offset as unsigned.
>> 
> I think offset should be unsigned, but since src.x1 and src.y1 are
> 'int'. That means 'unsigned int' offset will be very big when src.x1 or
> src.y1 is negative.
> So I just use 'int' for offset here.

Ok

Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>

CK Hu (胡俊光) July 14, 2023, 5:45 a.m. UTC | #4

Hi, Jason:

On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> 1. Add casting before assign to avoid the unintentional integer
>    overflow or unintended sign extension.
> 2. Add a int varriable for multiplier calculation instead of
> calculating
>    different types multiplier with dma_addr_t varriable directly.

I agree with these modification, but the title does not match the
modification.

Regards,
CK

> 
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
>  drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
>  2 files changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index a25b28d3ee90..da087d74612d 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
>  	int ret;
>  
>  	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> -	args->size = args->pitch * args->height;
> +	args->size = args->pitch;
> +	args->size *= args->height;
>  
>  	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
>  	if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 31f9420aff6f..1cd41454d545 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	dma_addr_t addr;
>  	dma_addr_t hdr_addr = 0;
>  	unsigned int hdr_pitch = 0;
> +	int offset;
>  
>  	gem = fb->obj[0];
>  	mtk_gem = to_mtk_gem_obj(gem);
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	modifier = fb->modifier;
>  
>  	if (modifier == DRM_FORMAT_MOD_LINEAR) {
> -		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> -		addr += (new_state->src.y1 >> 16) * pitch;
> +		offset = (new_state->src.x1 >> 16) * fb->format-
> >cpp[0];
> +		addr += offset;
> +		offset = (new_state->src.y1 >> 16) * pitch;
> +		addr += offset;
>  	} else {
>  		int width_in_blocks = ALIGN(fb->width,
> AFBC_DATA_BLOCK_WIDTH)
>  				      / AFBC_DATA_BLOCK_WIDTH;
> @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  				       / AFBC_DATA_BLOCK_HEIGHT;
>  		int x_offset_in_blocks = (new_state->src.x1 >> 16) /
> AFBC_DATA_BLOCK_WIDTH;
>  		int y_offset_in_blocks = (new_state->src.y1 >> 16) /
> AFBC_DATA_BLOCK_HEIGHT;
> -		int hdr_size;
> +		int hdr_size, hdr_offset;
>  
>  		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
>  		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
>  			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>  
>  		hdr_size = ALIGN(hdr_pitch * height_in_blocks,
> AFBC_HEADER_ALIGNMENT);
> +		hdr_offset = hdr_pitch * y_offset_in_blocks +
> +			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +		hdr_addr = addr + hdr_offset;
>  
> -		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> -			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
>  		/* The data plane is offset by 1 additional block. */
> -		addr = addr + hdr_size +
> -		       pitch * y_offset_in_blocks +
> -		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> -		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		offset = pitch * y_offset_in_blocks +
> +			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT
> *
> +			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		addr = addr + hdr_size + offset;
>  	}
>  
>  	mtk_plane_state->pending.enable = true;

Jason-JH.Lin July 14, 2023, 6:45 a.m. UTC | #5

Hi CK,

Thanks for the reviews.

On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
> 
> On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> >    overflow or unintended sign extension.
> > 2. Add a int varriable for multiplier calculation instead of
> > calculating
> >    different types multiplier with dma_addr_t varriable directly.
> 
> I agree with these modification, but the title does not match the
> modification.
> 
> Regards,
> CK

I'll change the title and commit msg at the next version below:

Fix unintentional integer overflow in multiplying different types

1. Instead of multiplying 2 variable of different types. Change to
assign a value of one variable and then multiply the other variable.

2. Add a int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.

Thanks!

Regards,
Jason-JH.Lin
>

David Laight July 17, 2023, 1:17 p.m. UTC | #6

From: Jason-JH Lin
> Sent: 14 July 2023 07:46
> 
> Hi CK,
> 
> Thanks for the reviews.
> 
> On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > Hi, Jason:
> >
> > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > 1. Add casting before assign to avoid the unintentional integer
> > >    overflow or unintended sign extension.
> > > 2. Add a int varriable for multiplier calculation instead of
> > > calculating
> > >    different types multiplier with dma_addr_t varriable directly.
> >
> > I agree with these modification, but the title does not match the
> > modification.
> >
> > Regards,
> > CK
> 
> I'll change the title and commit msg at the next version below:
> 
> Fix unintentional integer overflow in multiplying different types
> 
> 1. Instead of multiplying 2 variable of different types. Change to
> assign a value of one variable and then multiply the other variable.
> 
> 2. Add a int variable for multiplier calculation instead of calculating
> different types multiplier with dma_addr_t variable directly.

I'm pretty sure the patch makes absolutely no difference.
In C all arithmetic is done with char/short (inc. unsigned)
promoted to int.

So the only likely overflow is if the values exceed 2^31.
Since the temporaries you are using are 'int' this isn't true.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

[v3,3/4] drm/mediatek: Add casting before assign

Commit Message

Comments

Patch