[bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Dan Carpenter]

Hello Simon Ser,

The patch 03a663673063: "drm/amd/display: use FB pitch to fill
dc_cursor_attributes" from Dec 2, 2020, leads to the following Smatch
static checker warning:

	drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1271 handle_cursor_update()
	error: we previously assumed 'afb' could be null (see line 1230)

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c
    1222 void handle_cursor_update(struct drm_plane *plane,
    1223                                  struct drm_plane_state *old_plane_state)
    1224 {
    1225         struct amdgpu_device *adev = drm_to_adev(plane->dev);
    1226         struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb);
    1227         struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc;

afb is container_of() but it's basically a cast in this case.  I would
always prefer to check "plane->state->fb" for NULL instead of the
container_of(), but that's sort of a style debate, I guess.  Some people
really like checking the returned pointer and add build time asserts to
ensure that the container_of() is a no-op.

    1228         struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
    1229         struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
    1230         uint64_t address = afb ? afb->address : 0;
    1231         struct dc_cursor_position position = {0};
    1232         struct dc_cursor_attributes attributes;
    1233         int ret;
    1234 
    1235         if (!plane->state->fb && !old_plane_state->fb)
    1236                 return;
    1237 
    1238         DC_LOG_CURSOR("%s: crtc_id=%d with size %d to %d\n",
    1239                       __func__,
    1240                       amdgpu_crtc->crtc_id,
    1241                       plane->state->crtc_w,
    1242                       plane->state->crtc_h);
    1243 
    1244         ret = get_cursor_position(plane, crtc, &position);
    1245         if (ret)
    1246                 return;
    1247 
    1248         if (!position.enable) {
    1249                 /* turn off cursor */
    1250                 if (crtc_state && crtc_state->stream) {
    1251                         mutex_lock(&adev->dm.dc_lock);
    1252                         dc_stream_set_cursor_position(crtc_state->stream,
    1253                                                       &position);
    1254                         mutex_unlock(&adev->dm.dc_lock);
    1255                 }
    1256                 return;
    1257         }
    1258 
    1259         amdgpu_crtc->cursor_width = plane->state->crtc_w;
    1260         amdgpu_crtc->cursor_height = plane->state->crtc_h;
    1261 
    1262         memset(&attributes, 0, sizeof(attributes));
    1263         attributes.address.high_part = upper_32_bits(address);
    1264         attributes.address.low_part  = lower_32_bits(address);
    1265         attributes.width             = plane->state->crtc_w;
    1266         attributes.height            = plane->state->crtc_h;
    1267         attributes.color_format      = CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA;
    1268         attributes.rotation_angle    = 0;
    1269         attributes.attribute_flags.value = 0;
    1270 
--> 1271         attributes.pitch = afb->base.pitches[0] / afb->base.format->cpp[0];
                                    ^^^^^                  ^^^^^
Unchecked dereferences.

    1272 
    1273         if (crtc_state->stream) {
    1274                 mutex_lock(&adev->dm.dc_lock);
    1275                 if (!dc_stream_set_cursor_attributes(crtc_state->stream,
    1276                                                          &attributes))
    1277                         DRM_ERROR("DC failed to set cursor attributes\n");
    1278 
    1279                 if (!dc_stream_set_cursor_position(crtc_state->stream,
    1280                                                    &position))
    1281                         DRM_ERROR("DC failed to set cursor position\n");
    1282                 mutex_unlock(&adev->dm.dc_lock);
    1283         }
    1284 }

regards,
dan carpenter

Re: [bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Simon Ser]

Hi,

plane->state->fb is NULL iff afb is NULL. There is an early return to
make sure the dereferences don't cause a segfault.

Simon

Re: [bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Dan Carpenter]

On Tue, Jul 26, 2022 at 03:27:54PM +0000, Simon Ser wrote:
> Hi,
> 
> plane->state->fb is NULL iff afb is NULL. There is an early return to
> make sure the dereferences don't cause a segfault.
> 

Are you talking about this:

	if (!plane->state->fb && !old_plane_state->fb)
		return;

Should the && be ||?

regards,
dan carpenter

Re: [bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Simon Ser]

On Tuesday, July 26th, 2022 at 17:47, Dan Carpenter <dan.carpenter@oracle.com> wrote:

> On Tue, Jul 26, 2022 at 03:27:54PM +0000, Simon Ser wrote:
>
> > plane->state->fb is NULL iff afb is NULL. There is an early return to
> > make sure the dereferences don't cause a segfault.
>
>
> Are you talking about this:
>
> if (!plane->state->fb && !old_plane_state->fb)
>
> return;
>
> Should the && be ||?

Ah, sorry, the reason why this doesn't segfault is different:
get_cursor_position() will leave position.enable = false if there is no
FB, and we have an early return for that. This also guards crtc_state.

Re: [bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Dan Carpenter]

On Mon, Dec 07, 2020 at 02:53:28PM +0000, Simon Ser wrote:
> Hi,
> 
> On Monday, December 7th, 2020 at 3:51 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> > The patch adds some new unchecked dereferences.
> 
> The `if (!position.enable)` check above should ensure the dereference
> isn't unchecked.

Yeah.  You're correct.  Thanks, for looking into this.

regards,
dan carpenter

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: [bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Simon Ser]

Hi,

On Monday, December 7th, 2020 at 3:51 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:

> The patch adds some new unchecked dereferences.

The `if (!position.enable)` check above should ensure the dereference
isn't unchecked.

Simon
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

[bug report] drm/amd/display: use FB pitch to fill dc_cursor_attributes

[Dan Carpenter]

Hello Simon Ser,

This is a semi-automatic email about new static checker warnings.

The patch 03a663673063: "drm/amd/display: use FB pitch to fill 
dc_cursor_attributes" from Dec 2, 2020, leads to the following Smatch 
complaint:

    drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:7438 handle_cursor_update()
    error: we previously assumed 'afb' could be null (see line 7397)

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c
  7389  static void handle_cursor_update(struct drm_plane *plane,
  7390                                   struct drm_plane_state *old_plane_state)
  7391  {
  7392          struct amdgpu_device *adev = drm_to_adev(plane->dev);
  7393          struct amdgpu_framebuffer *afb = to_amdgpu_framebuffer(plane->state->fb);
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If "plane->state->fb" is NULL then "afb" is NULL.


  7394          struct drm_crtc *crtc = afb ? plane->state->crtc : old_plane_state->crtc;
                                        ^^^
Checked for NULL.

  7395          struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
  7396		struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
  7397		uint64_t address = afb ? afb->address : 0;
  7398		struct dc_cursor_position position;
  7399		struct dc_cursor_attributes attributes;
  7400		int ret;
  7401	
  7402		if (!plane->state->fb && !old_plane_state->fb)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These aren't allow to be both NULL

  7403			return;
  7404	
  7405		DRM_DEBUG_DRIVER("%s: crtc_id=%d with size %d to %d\n",
  7406				 __func__,
  7407				 amdgpu_crtc->crtc_id,
  7408				 plane->state->crtc_w,
  7409				 plane->state->crtc_h);
  7410	
  7411		ret = get_cursor_position(plane, crtc, &position);
  7412		if (ret)
  7413			return;
  7414	
  7415		if (!position.enable) {
  7416			/* turn off cursor */
  7417			if (crtc_state && crtc_state->stream) {
  7418				mutex_lock(&adev->dm.dc_lock);
  7419				dc_stream_set_cursor_position(crtc_state->stream,
  7420							      &position);
  7421				mutex_unlock(&adev->dm.dc_lock);
  7422			}
  7423			return;
  7424		}
  7425	
  7426		amdgpu_crtc->cursor_width = plane->state->crtc_w;
  7427		amdgpu_crtc->cursor_height = plane->state->crtc_h;
  7428	
  7429		memset(&attributes, 0, sizeof(attributes));
  7430		attributes.address.high_part = upper_32_bits(address);
  7431		attributes.address.low_part  = lower_32_bits(address);
  7432		attributes.width             = plane->state->crtc_w;
  7433		attributes.height            = plane->state->crtc_h;
  7434		attributes.color_format      = CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA;
  7435		attributes.rotation_angle    = 0;
  7436		attributes.attribute_flags.value = 0;
  7437	
  7438		attributes.pitch = afb->base.pitches[0] / afb->base.format->cpp[0];
                                   ^^^^^                  ^^^^^
The patch adds some new unchecked dereferences.

  7439	
  7440		if (crtc_state->stream) {

regards,
dan carpenter
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx