* [PATCH] drm: Shift wrap bug in create_in_format_blob()
@ 2017-08-09 11:19 Dan Carpenter
2017-08-09 14:36 ` Sean Paul
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2017-08-09 11:19 UTC (permalink / raw)
To: Daniel Vetter, Ben Widawsky
Cc: Jani Nikula, Sean Paul, David Airlie, dri-devel, kernel-janitors
"plane->format_count" can go up to 64. (It's capped in
drm_universal_plane_init().) So we should be using ULL type instead of
int here to prevent shift wrapping.
Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
index 5c14beee52ff..85ab1eec73e5 100644
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -126,7 +126,7 @@ static int create_in_format_blob(struct drm_device *dev, struct drm_plane *plane
plane->format_types[j],
plane->modifiers[i])) {
- mod->formats |= 1 << j;
+ mod->formats |= 1ULL << j;
}
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: Shift wrap bug in create_in_format_blob()
2017-08-09 11:19 [PATCH] drm: Shift wrap bug in create_in_format_blob() Dan Carpenter
@ 2017-08-09 14:36 ` Sean Paul
2017-08-09 14:38 ` Daniel Stone
0 siblings, 1 reply; 4+ messages in thread
From: Sean Paul @ 2017-08-09 14:36 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Ben Widawsky, kernel-janitors, dri-devel, Daniel Vetter
On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
> "plane->format_count" can go up to 64. (It's capped in
> drm_universal_plane_init().) So we should be using ULL type instead of
> int here to prevent shift wrapping.
>
> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Thank you for the fix, Dan.
I've applied it to drm-misc-next.
Sean
>
> diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
> index 5c14beee52ff..85ab1eec73e5 100644
> --- a/drivers/gpu/drm/drm_plane.c
> +++ b/drivers/gpu/drm/drm_plane.c
> @@ -126,7 +126,7 @@ static int create_in_format_blob(struct drm_device *dev, struct drm_plane *plane
> plane->format_types[j],
> plane->modifiers[i])) {
>
> - mod->formats |= 1 << j;
> + mod->formats |= 1ULL << j;
> }
> }
>
--
Sean Paul, Software Engineer, Google / Chromium OS
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: Shift wrap bug in create_in_format_blob()
2017-08-09 14:36 ` Sean Paul
@ 2017-08-09 14:38 ` Daniel Stone
2017-08-10 20:21 ` Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Daniel Stone @ 2017-08-09 14:38 UTC (permalink / raw)
To: Sean Paul
Cc: Dan Carpenter, Ben Widawsky, kernel-janitors, dri-devel, Daniel Vetter
On 9 August 2017 at 15:36, Sean Paul <seanpaul@chromium.org> wrote:
> On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
>> "plane->format_count" can go up to 64. (It's capped in
>> drm_universal_plane_init().) So we should be using ULL type instead of
>> int here to prevent shift wrapping.
>>
>> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Thank you for the fix, Dan.
>
> I've applied it to drm-misc-next.
Yes, thanks Dan!
Out of interest, how was this found? With sparse?
Cheers,
Daniel
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] drm: Shift wrap bug in create_in_format_blob()
2017-08-09 14:38 ` Daniel Stone
@ 2017-08-10 20:21 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2017-08-10 20:21 UTC (permalink / raw)
To: Daniel Stone
Cc: Sean Paul, Ben Widawsky, kernel-janitors, dri-devel, Daniel Vetter
On Wed, Aug 09, 2017 at 03:38:33PM +0100, Daniel Stone wrote:
> On 9 August 2017 at 15:36, Sean Paul <seanpaul@chromium.org> wrote:
> > On Wed, Aug 09, 2017 at 02:19:06PM +0300, Dan Carpenter wrote:
> >> "plane->format_count" can go up to 64. (It's capped in
> >> drm_universal_plane_init().) So we should be using ULL type instead of
> >> int here to prevent shift wrapping.
> >>
> >> Fixes: db1689aa61bd ("drm: Create a format/modifier blob")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > Thank you for the fix, Dan.
> >
> > I've applied it to drm-misc-next.
>
> Yes, thanks Dan!
>
> Out of interest, how was this found? With sparse?
>
These are Smatch checks that I haven't totally cleaned up enough to
publish yet. I have a couple versions of this check. This one is doing
cross function analysis so it knows that ->format_count can go up to 64
bits.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-08-10 20:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-09 11:19 [PATCH] drm: Shift wrap bug in create_in_format_blob() Dan Carpenter
2017-08-09 14:36 ` Sean Paul
2017-08-09 14:38 ` Daniel Stone
2017-08-10 20:21 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).