diff mbox

drm: Shift wrap bug in create_in_format_blob()

Message ID 20170809111906.4rv3hzritctfktv3@mwanda (mailing list archive)
State New, archived
Headers show

Commit Message

Dan Carpenter Aug. 9, 2017, 11:19 a.m. UTC 
"plane->format_count" can go up to 64.  (It's capped in
drm_universal_plane_init().)  So we should be using ULL type instead of
int here to prevent shift wrapping.

Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Sean Paul Aug. 9, 2017, 2:36 p.m. UTC | #1 
On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
> "plane->format_count" can go up to 64.  (It's capped in
> drm_universal_plane_init().)  So we should be using ULL type instead of
> int here to prevent shift wrapping.
> 
> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thank you for the fix, Dan.

I've applied it to drm-misc-next.

Sean

> 
> diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
> index 5c14beee52ff..85ab1eec73e5 100644
> --- a/drivers/gpu/drm/drm_plane.c
> +++ b/drivers/gpu/drm/drm_plane.c
> @@ -126,7 +126,7 @@ static int create_in_format_blob(struct drm_device *dev, struct drm_plane *plane
>  							       plane->format_types[j],
>  							       plane->modifiers[i])) {
>  
> -				mod->formats |= 1 << j;
> +				mod->formats |= 1ULL << j;
>  			}
>  		}
>
Daniel Stone Aug. 9, 2017, 2:38 p.m. UTC | #2 
On 9 August 2017 at 15:36, Sean Paul <seanpaul@chromium.org> wrote:
> On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
>> "plane->format_count" can go up to 64.  (It's capped in
>> drm_universal_plane_init().)  So we should be using ULL type instead of
>> int here to prevent shift wrapping.
>>
>> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Thank you for the fix, Dan.
>
> I've applied it to drm-misc-next.

Yes, thanks Dan!

Out of interest, how was this found? With sparse?

Cheers,
Daniel
Dan Carpenter Aug. 10, 2017, 8:21 p.m. UTC | #3 
On Wed, Aug 09, 2017 at 03:38:33PM +0100, Daniel Stone wrote:
> On 9 August 2017 at 15:36, Sean Paul <seanpaul@chromium.org> wrote:
> > On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
> >> "plane->format_count" can go up to 64.  (It's capped in
> >> drm_universal_plane_init().)  So we should be using ULL type instead of
> >> int here to prevent shift wrapping.
> >>
> >> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > Thank you for the fix, Dan.
> >
> > I've applied it to drm-misc-next.
> 
> Yes, thanks Dan!
> 
> Out of interest, how was this found? With sparse?
> 

These are Smatch checks that I haven't totally cleaned up enough to
publish yet.  I have a couple versions of this check.  This one is doing
cross function analysis so it knows that ->format_count can go up to 64
bits.

regards,
dan carpenter
diff mbox

Patch

diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
index 5c14beee52ff..85ab1eec73e5 100644
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -126,7 +126,7 @@  static int create_in_format_blob(struct drm_device *dev, struct drm_plane *plane
 							       plane->format_types[j],
 							       plane->modifiers[i])) {
 
-				mod->formats |= 1 << j;
+				mod->formats |= 1ULL << j;
 			}
 		}