Hi, Jason:
On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> 1. Add casting before assign to avoid the unintentional integer
> overflow or unintended sign extension.
> 2. Add a int varriable for multiplier calculation instead of
> calculating
> different types multiplier with dma_addr_t varriable directly.
I agree with these modification, but the title does not match the
modification.
Regards,
CK
>
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <[email protected]>
> ---
> drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 ++-
> drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
> 2 files changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index a25b28d3ee90..da087d74612d 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
> int ret;
>
> args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> - args->size = args->pitch * args->height;
> + args->size = args->pitch;
> + args->size *= args->height;
>
> mtk_gem = mtk_drm_gem_create(dev, args->size, false);
> if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 31f9420aff6f..1cd41454d545 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> dma_addr_t addr;
> dma_addr_t hdr_addr = 0;
> unsigned int hdr_pitch = 0;
> + int offset;
>
> gem = fb->obj[0];
> mtk_gem = to_mtk_gem_obj(gem);
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> modifier = fb->modifier;
>
> if (modifier == DRM_FORMAT_MOD_LINEAR) {
> - addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> - addr += (new_state->src.y1 >> 16) * pitch;
> + offset = (new_state->src.x1 >> 16) * fb->format-
> >cpp[0];
> + addr += offset;
> + offset = (new_state->src.y1 >> 16) * pitch;
> + addr += offset;
> } else {
> int width_in_blocks = ALIGN(fb->width,
> AFBC_DATA_BLOCK_WIDTH)
> / AFBC_DATA_BLOCK_WIDTH;
> @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> / AFBC_DATA_BLOCK_HEIGHT;
> int x_offset_in_blocks = (new_state->src.x1 >> 16) /
> AFBC_DATA_BLOCK_WIDTH;
> int y_offset_in_blocks = (new_state->src.y1 >> 16) /
> AFBC_DATA_BLOCK_HEIGHT;
> - int hdr_size;
> + int hdr_size, hdr_offset;
>
> hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
> pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
> AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>
> hdr_size = ALIGN(hdr_pitch * height_in_blocks,
> AFBC_HEADER_ALIGNMENT);
> + hdr_offset = hdr_pitch * y_offset_in_blocks +
> + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> + hdr_addr = addr + hdr_offset;
>
> - hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> - AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> /* The data plane is offset by 1 additional block. */
> - addr = addr + hdr_size +
> - pitch * y_offset_in_blocks +
> - AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> - fb->format->cpp[0] * (x_offset_in_blocks + 1);
> + offset = pitch * y_offset_in_blocks +
> + AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT
> *
> + fb->format->cpp[0] * (x_offset_in_blocks + 1);
> + addr = addr + hdr_size + offset;
> }
>
> mtk_plane_state->pending.enable = true;
Hi CK,
Thanks for the reviews.
On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
>
> On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> > overflow or unintended sign extension.
> > 2. Add a int varriable for multiplier calculation instead of
> > calculating
> > different types multiplier with dma_addr_t varriable directly.
>
> I agree with these modification, but the title does not match the
> modification.
>
> Regards,
> CK
I'll change the title and commit msg at the next version below:
Fix unintentional integer overflow in multiplying different types
1. Instead of multiplying 2 variable of different types. Change to
assign a value of one variable and then multiply the other variable.
2. Add a int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.
Thanks!
Regards,
Jason-JH.Lin
>
From: Jason-JH Lin
> Sent: 14 July 2023 07:46
>
> Hi CK,
>
> Thanks for the reviews.
>
> On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > Hi, Jason:
> >
> > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > 1. Add casting before assign to avoid the unintentional integer
> > > overflow or unintended sign extension.
> > > 2. Add a int varriable for multiplier calculation instead of
> > > calculating
> > > different types multiplier with dma_addr_t varriable directly.
> >
> > I agree with these modification, but the title does not match the
> > modification.
> >
> > Regards,
> > CK
>
> I'll change the title and commit msg at the next version below:
>
> Fix unintentional integer overflow in multiplying different types
>
> 1. Instead of multiplying 2 variable of different types. Change to
> assign a value of one variable and then multiply the other variable.
>
> 2. Add a int variable for multiplier calculation instead of calculating
> different types multiplier with dma_addr_t variable directly.
I'm pretty sure the patch makes absolutely no difference.
In C all arithmetic is done with char/short (inc. unsigned)
promoted to int.
So the only likely overflow is if the values exceed 2^31.
Since the temporaries you are using are 'int' this isn't true.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Hi David,
Thanks for the reviews.
On Mon, 2023-07-17 at 13:17 +0000, David Laight wrote:
>
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
> From: Jason-JH Lin
> > Sent: 14 July 2023 07:46
> >
> > Hi CK,
> >
> > Thanks for the reviews.
> >
> > On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > > Hi, Jason:
> > >
> > > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > > 1. Add casting before assign to avoid the unintentional integer
> > > > overflow or unintended sign extension.
> > > > 2. Add a int varriable for multiplier calculation instead of
> > > > calculating
> > > > different types multiplier with dma_addr_t varriable
> directly.
> > >
> > > I agree with these modification, but the title does not match the
> > > modification.
> > >
> > > Regards,
> > > CK
> >
> > I'll change the title and commit msg at the next version below:
> >
> > Fix unintentional integer overflow in multiplying different types
> >
> > 1. Instead of multiplying 2 variable of different types. Change to
> > assign a value of one variable and then multiply the other
> variable.
> >
> > 2. Add a int variable for multiplier calculation instead of
> calculating
> > different types multiplier with dma_addr_t variable directly.
>
> I'm pretty sure the patch makes absolutely no difference.
> In C all arithmetic is done with char/short (inc. unsigned)
> promoted to int.
`char/short promoted to int` could you give me an example or more
detail for this?
I can't really understand about that. Thanks~
>
> So the only likely overflow is if the values exceed 2^31.
> Since the temporaries you are using are 'int' this isn't true.
>
According to the modification:
+ int offset;
...
- addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
- addr += (new_state->src.y1 >> 16) * pitch;
+ offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+ addr += offset;
+ offset = (new_state->src.y1 >> 16) * pitch;
+ addr += offset;
The main reasons why I use `int offset` here is that
src.x1 and src.y1 are `32bits int` defined in
struct drm_rect {
int x1, y1, x2, y2;
};
We know that the values of `x1 * cpp` and `y1 * pitch` would never
cause 32bits overflow actually.
So I just add the same type `int offset` as a 32bits variable to avoid
Coverity checker catching the unintentional overflow of
`64bits addr += 32bits x1 * 8bits cpp` and
`64bits addr += 32bits y1 * 32bits pitch`.
Another reason is that using `unsined int offset` to store the
calculation result of negative x1 and y1, offset may be a very big
number because of overflow of `negative int`.
Do you agree with that?
Regards,
Jason-JH.Lin
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes,
> MK1 1PT, UK
> Registration No: 1397386 (Wales)
>