drm/mediatek: Fix coverity issue with unintentional integer overflow

1. Instead of multiplying 2 variable of different types. Change to
assign a value of one variable and then multiply the other variable.

2. Add a int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.

Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20230907091425.9526-1-jason-jh.lin@mediatek.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 9f364df52478d8a43ced1fb2a7f1c0b35ef9e53f..f6632a0fe509884d3cdca0c6a7af0e2dcecad1b7 100644 (file)
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -121,7 +121,14 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev,
        int ret;
 
        args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
-       args->size = args->pitch * args->height;
+
+       /*
+        * Multiply 2 variables of different types,
+        * for example: args->size = args->spacing * args->height;
+        * may cause coverity issue with unintentional overflow.
+        */
+       args->size = args->pitch;
+       args->size *= args->height;
 
        mtk_gem = mtk_drm_gem_create(dev, args->size, false);
        if (IS_ERR(mtk_gem))

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
index db2f70ae060d6f4605bdd8be22569411aa7815b4..5acb03b7c6fe59afbeda4105f8a000acbdedd8a9 100644 (file)
--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
@@ -141,6 +141,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
        dma_addr_t addr;
        dma_addr_t hdr_addr = 0;
        unsigned int hdr_pitch = 0;
+       int offset;
 
        gem = fb->obj[0];
        mtk_gem = to_mtk_gem_obj(gem);
@@ -150,8 +151,15 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
        modifier = fb->modifier;
 
        if (modifier == DRM_FORMAT_MOD_LINEAR) {
-               addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
-               addr += (new_state->src.y1 >> 16) * pitch;
+               /*
+                * Using dma_addr_t variable to calculate with multiplier of different types,
+                * for example: addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
+                * may cause coverity issue with unintentional overflow.
+                */
+               offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+               addr += offset;
+               offset = (new_state->src.y1 >> 16) * pitch;
+               addr += offset;
        } else {
                int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
                                      / AFBC_DATA_BLOCK_WIDTH;
@@ -159,21 +167,34 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
                                       / AFBC_DATA_BLOCK_HEIGHT;
                int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;
                int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;
-               int hdr_size;
+               int hdr_size, hdr_offset;
 
                hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
                pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
                        AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
 
                hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);
+               hdr_offset = hdr_pitch * y_offset_in_blocks +
+                       AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
+
+               /*
+                * Using dma_addr_t variable to calculate with multiplier of different types,
+                * for example: addr += hdr_pitch * y_offset_in_blocks;
+                * may cause coverity issue with unintentional overflow.
+                */
+               hdr_addr = addr + hdr_offset;
 
-               hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
-                          AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
                /* The data plane is offset by 1 additional block. */
-               addr = addr + hdr_size +
-                      pitch * y_offset_in_blocks +
-                      AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
-                      fb->format->cpp[0] * (x_offset_in_blocks + 1);
+               offset = pitch * y_offset_in_blocks +
+                        AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
+                        fb->format->cpp[0] * (x_offset_in_blocks + 1);
+
+               /*
+                * Using dma_addr_t variable to calculate with multiplier of different types,
+                * for example: addr += pitch * y_offset_in_blocks;
+                * may cause coverity issue with unintentional overflow.
+                */
+               addr = addr + hdr_size + offset;
        }
 
        mtk_plane_state->pending.enable = true;