Commit b0b0d811 authored by Jason-JH.Lin's avatar Jason-JH.Lin Committed by Chun-Kuang Hu
Browse files

drm/mediatek: Fix coverity issue with unintentional integer overflow 



1. Instead of multiplying 2 variable of different types. Change to
assign a value of one variable and then multiply the other variable.

2. Add a int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.

Fixes: 1a64a7af ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: default avatarJason-JH.Lin <jason-jh.lin@mediatek.com>
Reviewed-by: default avatarAlexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: default avatarAngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20230907091425.9526-1-jason-jh.lin@mediatek.com/


Signed-off-by: default avatarChun-Kuang Hu <chunkuang.hu@kernel.org>
parent 814d5341

drivers/gpu/drm/mediatek/mtk_drm_gem.c

+8 −1
Original line number Diff line number Diff line
@@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev, 
	int ret;



	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);

	args->size = args->pitch * args->height;



	/*

	 * Multiply 2 variables of different types,

	 * for example: args->size = args->spacing * args->height;

	 * may cause coverity issue with unintentional overflow.

	 */

	args->size = args->pitch;

	args->size *= args->height;



	mtk_gem = mtk_drm_gem_create(dev, args->size, false);

	if (IS_ERR(mtk_gem))

drivers/gpu/drm/mediatek/mtk_drm_plane.c

+30 −9
Original line number Diff line number Diff line
@@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, 
	dma_addr_t addr;

	dma_addr_t hdr_addr = 0;

	unsigned int hdr_pitch = 0;

	int offset;



	gem = fb->obj[0];

	mtk_gem = to_mtk_gem_obj(gem);
@@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, 
	modifier = fb->modifier;



	if (modifier == DRM_FORMAT_MOD_LINEAR) {

		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];

		addr += (new_state->src.y1 >> 16) * pitch;

		/*

		 * Using dma_addr_t variable to calculate with multiplier of different types,

		 * for example: addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];

		 * may cause coverity issue with unintentional overflow.

		 */

		offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];

		addr += offset;

		offset = (new_state->src.y1 >> 16) * pitch;

		addr += offset;

	} else {

		int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)

				      / AFBC_DATA_BLOCK_WIDTH;
@@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state, 
				       / AFBC_DATA_BLOCK_HEIGHT;

		int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;

		int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;

		int hdr_size;

		int hdr_size, hdr_offset;



		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;

		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *

			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];



		hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);



		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +

		hdr_offset = hdr_pitch * y_offset_in_blocks +

			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;



		/*

		 * Using dma_addr_t variable to calculate with multiplier of different types,

		 * for example: addr += hdr_pitch * y_offset_in_blocks;

		 * may cause coverity issue with unintentional overflow.

		 */

		hdr_addr = addr + hdr_offset;



		/* The data plane is offset by 1 additional block. */

		addr = addr + hdr_size +

		       pitch * y_offset_in_blocks +

		offset = pitch * y_offset_in_blocks +

			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *

			 fb->format->cpp[0] * (x_offset_in_blocks + 1);



		/*

		 * Using dma_addr_t variable to calculate with multiplier of different types,

		 * for example: addr += pitch * y_offset_in_blocks;

		 * may cause coverity issue with unintentional overflow.

		 */

		addr = addr + hdr_size + offset;

	}



	mtk_plane_state->pending.enable = true;