Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-07-18 Thread 林睿祥


RE: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-07-17 Thread David Laight
From: Jason-JH Lin
> Sent: 14 July 2023 07:46
> 
> Hi CK,
> 
> Thanks for the reviews.
> 
> On Fri, 2023-07-14 at 05:45 +, CK Hu (胡俊光) wrote:
> > Hi, Jason:
> >
> > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > 1. Add casting before assign to avoid the unintentional integer
> > >    overflow or unintended sign extension.
> > > 2. Add an int variable for multiplier calculation instead of
> > >    calculating different types multiplier with dma_addr_t variable
> > >    directly.
> >
> > I agree with these modifications, but the title does not match the
> > modification.
> >
> > Regards,
> > CK
> 
> I'll change the title and commit msg at the next version below:
> 
> Fix unintentional integer overflow in multiplying different types
> 
> 1. Instead of multiplying 2 variables of different types, change to
> assign a value of one variable and then multiply the other variable.
> 
> 2. Add an int variable for multiplier calculation instead of calculating
> different types multiplier with dma_addr_t variable directly.

I'm pretty sure the patch makes absolutely no difference.
In C all arithmetic is done with char/short (inc. unsigned)
promoted to int.

So the only likely overflow is if the values exceed 2^31.
Since the temporaries you are using are 'int' this isn't true.

David
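
The conversion rules under discussion in this thread, as an added example that is not part of any message here or of the driver: where the multiplication is evaluated decides whether high bits survive, not where the result is stored. The function names, the fixed-width types (32-bit operands, 64-bit destination and address) and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Names and fixed-width types are assumptions for illustration only. */

/* Both operands are 32-bit, so the product wraps modulo 2^32 before it
 * is converted to the 64-bit return type. */
static uint64_t size_direct(uint32_t pitch, uint32_t height)
{
	return pitch * height;
}

/* Assign first, then multiply: the multiplication happens in 64 bits. */
static uint64_t size_widened(uint32_t pitch, uint32_t height)
{
	uint64_t size = pitch;

	size *= height;
	return size;
}

/* A 32-bit temporary does not widen the product: it is computed in
 * 32 bits, narrowed to int32_t (implementation-defined; two's-complement
 * wrap on GCC and Clang), then sign-extended when added to the address. */
static uint64_t addr_via_int_tmp(uint64_t addr, int32_t y, uint32_t pitch)
{
	int32_t offset = (int32_t)(y * pitch);

	return addr + offset;
}

/* Widening one operand inside the expression keeps the full product. */
static uint64_t addr_widened(uint64_t addr, int32_t y, uint32_t pitch)
{
	return addr + (uint64_t)y * pitch;
}

int main(void)
{
	/* Constructed sample values, chosen so the 32-bit product overflows. */
	printf("size direct  %#llx\n", (unsigned long long)size_direct(65536, 65536));
	printf("size widened %#llx\n", (unsigned long long)size_widened(65536, 65536));
	printf("addr int tmp %#llx\n",
	       (unsigned long long)addr_via_int_tmp(0x100000000ULL, 40000, 65536));
	printf("addr widened %#llx\n",
	       (unsigned long long)addr_widened(0x100000000ULL, 40000, 65536));
	return 0;
}
```

For operands whose product fits in 32 bits, all four functions agree.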



Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-07-14 Thread 林睿祥


Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-07-13 Thread 胡俊光


Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-07-12 Thread Alexandre Mergnat




On 22/06/2023 10:02, Jason-JH Lin (林睿祥) wrote:

drm_plane_state *new_state,
>   dma_addr_t addr;
>   dma_addr_t hdr_addr = 0;
>   unsigned int hdr_pitch = 0;
> +int offset;

I agree with Angelo, please set offset as unsigned.


I think offset should be unsigned, but src.x1 and src.y1 are
'int'. That means an 'unsigned int' offset will be very big when src.x1 or
src.y1 is negative.
So I just use 'int' for offset here.


Ok

Reviewed-by: Alexandre Mergnat 

--
Regards,
Alexandre


Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-06-22 Thread 林睿祥


Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

2023-06-21 Thread Alexandre Mergnat




On 21/06/2023 12:22, Jason-JH.Lin wrote:

1. Add casting before assign to avoid the unintentional integer
overflow or unintended sign extension.
2. Add an int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.

Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: Jason-JH.Lin 
---
  drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
  drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +-
  2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c 
b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index a25b28d3ee90..da087d74612d 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, 
struct drm_device *dev,
int ret;
  
  	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);

-   args->size = args->pitch * args->height;
+   args->size = args->pitch;
+   args->size *= args->height;
  
  	mtk_gem = mtk_drm_gem_create(dev, args->size, false);

if (IS_ERR(mtk_gem))
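
Review bot: the context line `args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);` still multiplies two fields of args with no widening or overflow check, so the pitch that feeds the rewritten size computation can already have wrapped. Splitting the statement into `args->size = args->pitch;` and `args->size *= args->height;` only changes anything if args->size is wider than args->pitch and args->height, which this hunk does not show; please state the field types in the commit message. Consider check_mul_overflow() for both products, so that an oversized request returns an error instead of passing a wrapped size to mtk_drm_gem_create().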
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c 
b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
index 31f9420aff6f..1cd41454d545 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
@@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct 
drm_plane_state *new_state,
dma_addr_t addr;
dma_addr_t hdr_addr = 0;
unsigned int hdr_pitch = 0;
+   int offset;


I agree with Angelo, please set offset as unsigned.

  
  	gem = fb->obj[0];

mtk_gem = to_mtk_gem_obj(gem);
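
Review bot: `int offset` is declared next to `dma_addr_t addr` with nothing saying why it is signed, and the thread shows two reviewers asking for unsigned. If negative src.x1 or src.y1 values are expected to reach this function, add a comment stating that and that the sign-extending add to addr is intended; if they are not expected, reject or clamp them before this point and make offset unsigned.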
@@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct 
drm_plane_state *new_state,
modifier = fb->modifier;
  
  	if (modifier == DRM_FORMAT_MOD_LINEAR) {

-   addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
-   addr += (new_state->src.y1 >> 16) * pitch;
+   offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+   addr += offset;
+   offset = (new_state->src.y1 >> 16) * pitch;
+   addr += offset;
} else {
int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
  / AFBC_DATA_BLOCK_WIDTH;
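
Review bot: in `offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];` and `offset = (new_state->src.y1 >> 16) * pitch;` the product is still evaluated in the operands' own types before it is stored, so routing it through an int temporary does not widen anything, and a product that does not fit is narrowed before it is added to addr. If the goal is to avoid overflow, cast one operand to dma_addr_t inside the multiplication or bound the coordinates first. If the goal is only to make the sign handling explicit, the commit message should say that rather than "integer overflow".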
@@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct 
drm_plane_state *new_state,
   / AFBC_DATA_BLOCK_HEIGHT;
int x_offset_in_blocks = (new_state->src.x1 >> 16) / 
AFBC_DATA_BLOCK_WIDTH;
int y_offset_in_blocks = (new_state->src.y1 >> 16) / 
AFBC_DATA_BLOCK_HEIGHT;
-   int hdr_size;
+   int hdr_size, hdr_offset;
  
  		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;

pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
  
  		hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);

+   hdr_offset = hdr_pitch * y_offset_in_blocks +
+   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
+   hdr_addr = addr + hdr_offset;
  
-		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +

-  AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
/* The data plane is offset by 1 additional block. */
-   addr = addr + hdr_size +
-  pitch * y_offset_in_blocks +
-  AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
-  fb->format->cpp[0] * (x_offset_in_blocks + 1);
+   offset = pitch * y_offset_in_blocks +
+AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
+fb->format->cpp[0] * (x_offset_in_blocks + 1);
+   addr = addr + hdr_size + offset;
}
  
  	mtk_plane_state->pending.enable = true;
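
Review bot: `hdr_offset = hdr_pitch * y_offset_in_blocks + AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;` mixes the unsigned int hdr_pitch with int block offsets and stores the sum in an int, and the new `offset = pitch * y_offset_in_blocks + ...` does the same for the data plane. In the removed lines each term was added to addr in turn, so the running sum was carried in dma_addr_t; now the terms are summed in 32 bits first, which narrows the intermediate instead of widening it. Suggest keeping the accumulation in dma_addr_t (for example `hdr_addr = addr; hdr_addr += ...;` per term), or making hdr_offset and offset a 64-bit type and casting one operand of each product.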


--
Regards,
Alexandre