2022-10-10 01:25:41

by Palmer Dabbelt

[permalink] [raw]
Subject: [PATCH] drm/amd/display: fix another array-bounds error in dc_stream_remove_writeback()

From: Palmer Dabbelt <[email protected]>

Without this I get some warnings. I get the following with GCC 11:

drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function ‘dc_stream_remove_writeback’:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:527:83: warning: array subscript 1 is above array bounds of ‘struct dc_writeback_info[1]’ [-Warray-bounds]
527 | stream->writeback_info[j] = stream->writeback_info[i];
| ~~~~~~~~~~~~~~~~~~~~~~^~~
In file included from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dc.h:1269,
from ./drivers/gpu/drm/amd/amdgpu/../display/dc/inc/core_types.h:29,
from ./drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dc_common.h:29,
from drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:27:
./drivers/gpu/drm/amd/amdgpu/../display/dc/dc_stream.h:241:34: note: while referencing ‘writeback_info’
241 | struct dc_writeback_info writeback_info[MAX_DWB_PIPES];
| ^~~~~~~~~~~~~~

and something slightly different with GCC 12:

drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function 'dc_stream_remove_writeback':
rivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:527:83: error: array subscript [0, 0] is outside array bounds of 'struct dc_writeback_info[1]' [-Werror=array-bounds]
527 | stream->writeback_info[j] = stream->writeback_info[i];
| ~~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/gpu/drm/amd/amdgpu/../display/dc/dc.h:1269,
from drivers/gpu/drm/amd/amdgpu/../display/dc/inc/core_types.h:29,
from drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dc_common.h:29,
from drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:27:
drivers/gpu/drm/amd/amdgpu/../display/dc/dc_stream.h:241:34: note: while referencing 'writeback_info'
241 | struct dc_writeback_info writeback_info[MAX_DWB_PIPES];
| ^~~~~~~~~~~~~~

This fixes both warnings for me.

I'm not sure how sane it is, as MAX_DWB_PIPES is 1 so the loop now
doesn't do anything: i and j are both 0, so they're always equal, so no
trimming is ever done. IIUC that was the case before, though, as the
only way this could trigger would result in an out of bounds array
access.

Signed-off-by: Palmer Dabbelt <[email protected]>
---
drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
index ae13887756bf..b64cef17afba 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -520,7 +520,7 @@ bool dc_stream_remove_writeback(struct dc *dc,
}

/* remove writeback info for disabled writeback pipes from stream */
- for (i = 0, j = 0; i < stream->num_wb_info && j < MAX_DWB_PIPES; i++) {
+ for (i = 0, j = 0; i < stream->num_wb_info && i < MAX_DWB_PIPES && j < MAX_DWB_PIPES; i++) {
if (stream->writeback_info[i].wb_enabled) {
if (i != j)
/* trim the array */
--
2.34.1