[PATCH v3 0/4] Fix mediatek-drm coverity issues

[PATCH v3 0/4] Fix mediatek-drm coverity issues

[Jason-JH.Lin]

Add this patch series to fix some mediatek-drm coverity issues.

Change in v3:
1. swap Fixes and Signed tag.
2. change cast (__u64) to '=' then ' *='.

Change in v2:
1. remove kfree(pkt) in mtk_drm_crtc_create_pkt().
2. change the statement of cnt reach to MAX_CRTC.
3. drop the mtk_gem_obj initialized patch.
4. change casting from unsined long to __u64.
5. add 'int offset' for multiplier calculation.
6. drop the unrelavaent modification in dereference null check patch.

Jason-JH.Lin (4):
  drm/mediatek: Remove freeing not dynamic allocated memory
  drm/mediatek: Add cnt checking for coverity issue
  drm/mediatek: Add casting before assign
  drm/mediatek: Fix dereference before null check

 drivers/gpu/drm/mediatek/mtk_drm_crtc.c  |  7 ++----
 drivers/gpu/drm/mediatek/mtk_drm_drv.c   |  5 ++++-
 drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 28 ++++++++++++------------
 4 files changed, 22 insertions(+), 21 deletions(-)

-- 
2.18.0

[PATCH v3 1/4] drm/mediatek: Remove freeing not dynamic allocated memory

[Jason-JH.Lin]

Fixing the coverity issue of:
mtk_drm_cmdq_pkt_destroy frees address of mtk_crtc->cmdq_handle

So remove the free function.

Fixes: 7627122fd1c0 ("drm/mediatek: Add cmdq_handle in mtk_crtc")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
index d40142842f85..8d44f3df116f 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
@@ -116,10 +116,9 @@ static int mtk_drm_cmdq_pkt_create(struct cmdq_client *client, struct cmdq_pkt *
 	dma_addr_t dma_addr;
 
 	pkt->va_base = kzalloc(size, GFP_KERNEL);
-	if (!pkt->va_base) {
-		kfree(pkt);
+	if (!pkt->va_base)
 		return -ENOMEM;
-	}
+
 	pkt->buf_size = size;
 	pkt->cl = (void *)client;
 
@@ -129,7 +128,6 @@ static int mtk_drm_cmdq_pkt_create(struct cmdq_client *client, struct cmdq_pkt *
 	if (dma_mapping_error(dev, dma_addr)) {
 		dev_err(dev, "dma map failed, size=%u\n", (u32)(u64)size);
 		kfree(pkt->va_base);
-		kfree(pkt);
 		return -ENOMEM;
 	}
 
@@ -145,7 +143,6 @@ static void mtk_drm_cmdq_pkt_destroy(struct cmdq_pkt *pkt)
 	dma_unmap_single(client->chan->mbox->dev, pkt->pa_base, pkt->buf_size,
 			 DMA_TO_DEVICE);
 	kfree(pkt->va_base);
-	kfree(pkt);
 }
 #endif
 
-- 
2.18.0

[PATCH v3 2/4] drm/mediatek: Add cnt checking for coverity issue

[Jason-JH.Lin]

CERT-C Characters and Strings (CERT STR31-C)
all_drm_priv[cnt] evaluates to an address that could be at negative
offset of an array.

In mtk_drm_get_all_drm_priv():
Guarantee that storage for strings has sufficient space for character
data and the null terminator.

So change cnt to unsigned int and check its max value.

Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 6dcb4ba2466c..fc217e0acd45 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -354,7 +354,7 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
 	const struct of_device_id *of_id;
 	struct device_node *node;
 	struct device *drm_dev;
-	int cnt = 0;
+	unsigned int cnt = 0;
 	int i, j;
 
 	for_each_child_of_node(phandle->parent, node) {
@@ -375,6 +375,9 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
 		all_drm_priv[cnt] = dev_get_drvdata(drm_dev);
 		if (all_drm_priv[cnt] && all_drm_priv[cnt]->mtk_drm_bound)
 			cnt++;
+
+		if (cnt == MAX_CRTC)
+			break;
 	}
 
 	if (drm_priv->data->mmsys_dev_num == cnt) {
-- 
2.18.0

[PATCH v3 3/4] drm/mediatek: Add casting before assign

[Jason-JH.Lin]

1. Add casting before assign to avoid the unintentional integer
   overflow or unintended sign extension.
2. Add a int varriable for multiplier calculation instead of calculating
   different types multiplier with dma_addr_t varriable directly.

Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index a25b28d3ee90..da087d74612d 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev,
 	int ret;
 
 	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
-	args->size = args->pitch * args->height;
+	args->size = args->pitch;
+	args->size *= args->height;
 
 	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
 	if (IS_ERR(mtk_gem))
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
index 31f9420aff6f..1cd41454d545 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
@@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 	dma_addr_t addr;
 	dma_addr_t hdr_addr = 0;
 	unsigned int hdr_pitch = 0;
+	int offset;
 
 	gem = fb->obj[0];
 	mtk_gem = to_mtk_gem_obj(gem);
@@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 	modifier = fb->modifier;
 
 	if (modifier == DRM_FORMAT_MOD_LINEAR) {
-		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
-		addr += (new_state->src.y1 >> 16) * pitch;
+		offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+		addr += offset;
+		offset = (new_state->src.y1 >> 16) * pitch;
+		addr += offset;
 	} else {
 		int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
 				      / AFBC_DATA_BLOCK_WIDTH;
@@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
 				       / AFBC_DATA_BLOCK_HEIGHT;
 		int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;
 		int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;
-		int hdr_size;
+		int hdr_size, hdr_offset;
 
 		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
 		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
 			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
 
 		hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);
+		hdr_offset = hdr_pitch * y_offset_in_blocks +
+			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
+		hdr_addr = addr + hdr_offset;
 
-		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
-			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
 		/* The data plane is offset by 1 additional block. */
-		addr = addr + hdr_size +
-		       pitch * y_offset_in_blocks +
-		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
-		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
+		offset = pitch * y_offset_in_blocks +
+			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
+			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
+		addr = addr + hdr_size + offset;
 	}
 
 	mtk_plane_state->pending.enable = true;
-- 
2.18.0

[PATCH v3 4/4] drm/mediatek: Fix dereference before null check

[Jason-JH.Lin]

Null-checking state suggests that it may be null, but it has already
been dereferenced on drm_atomic_get_new_plane_state(state, plane).

The parameter state will never be NULL currently, so just remove the
state is NULL flow in this function.

Fixes: 5ddb0bd4ddc3 ("drm/atomic: Pass the full state to planes async atomic check and update")
Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
---
 drivers/gpu/drm/mediatek/mtk_drm_plane.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
index 1cd41454d545..4828ffa75467 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
@@ -122,11 +122,7 @@ static int mtk_plane_atomic_async_check(struct drm_plane *plane,
 	if (ret)
 		return ret;
 
-	if (state)
-		crtc_state = drm_atomic_get_existing_crtc_state(state,
-								new_plane_state->crtc);
-	else /* Special case for asynchronous cursor updates. */
-		crtc_state = new_plane_state->crtc->state;
+	crtc_state = drm_atomic_get_existing_crtc_state(state, new_plane_state->crtc);
 
 	return drm_atomic_helper_check_plane_state(plane->state, crtc_state,
 						   DRM_PLANE_NO_SCALING,
-- 
2.18.0

Re: [PATCH v3 1/4] drm/mediatek: Remove freeing not dynamic allocated memory

[Alexandre Mergnat]

On 21/06/2023 12:22, Jason-JH.Lin wrote:
> Fixing the coverity issue of:
> mtk_drm_cmdq_pkt_destroy frees address of mtk_crtc->cmdq_handle
> 
> So remove the free function.

Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>

-- 
Regards,
Alexandre

Re: [PATCH v3 2/4] drm/mediatek: Add cnt checking for coverity issue

[Alexandre Mergnat]

On 21/06/2023 12:22, Jason-JH.Lin wrote:
> CERT-C Characters and Strings (CERT STR31-C)
> all_drm_priv[cnt] evaluates to an address that could be at negative
> offset of an array.
> 
> In mtk_drm_get_all_drm_priv():
> Guarantee that storage for strings has sufficient space for character
> data and the null terminator.
> 
> So change cnt to unsigned int and check its max value.

Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>

-- 
Regards,
Alexandre

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[Alexandre Mergnat]

On 21/06/2023 12:22, Jason-JH.Lin wrote:
> 1. Add casting before assign to avoid the unintentional integer
>     overflow or unintended sign extension.
> 2. Add a int varriable for multiplier calculation instead of calculating
>     different types multiplier with dma_addr_t varriable directly.
> 
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> ---
>   drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
>   drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
>   2 files changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index a25b28d3ee90..da087d74612d 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file *file_priv, struct drm_device *dev,
>   	int ret;
>   
>   	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> -	args->size = args->pitch * args->height;
> +	args->size = args->pitch;
> +	args->size *= args->height;
>   
>   	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
>   	if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 31f9420aff6f..1cd41454d545 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   	dma_addr_t addr;
>   	dma_addr_t hdr_addr = 0;
>   	unsigned int hdr_pitch = 0;
> +	int offset;

I agree with Angelo, please set offset as unsigned.

>   
>   	gem = fb->obj[0];
>   	mtk_gem = to_mtk_gem_obj(gem);
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   	modifier = fb->modifier;
>   
>   	if (modifier == DRM_FORMAT_MOD_LINEAR) {
> -		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> -		addr += (new_state->src.y1 >> 16) * pitch;
> +		offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
> +		addr += offset;
> +		offset = (new_state->src.y1 >> 16) * pitch;
> +		addr += offset;
>   	} else {
>   		int width_in_blocks = ALIGN(fb->width, AFBC_DATA_BLOCK_WIDTH)
>   				      / AFBC_DATA_BLOCK_WIDTH;
> @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
>   				       / AFBC_DATA_BLOCK_HEIGHT;
>   		int x_offset_in_blocks = (new_state->src.x1 >> 16) / AFBC_DATA_BLOCK_WIDTH;
>   		int y_offset_in_blocks = (new_state->src.y1 >> 16) / AFBC_DATA_BLOCK_HEIGHT;
> -		int hdr_size;
> +		int hdr_size, hdr_offset;
>   
>   		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
>   		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
>   			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>   
>   		hdr_size = ALIGN(hdr_pitch * height_in_blocks, AFBC_HEADER_ALIGNMENT);
> +		hdr_offset = hdr_pitch * y_offset_in_blocks +
> +			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +		hdr_addr = addr + hdr_offset;
>   
> -		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> -			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
>   		/* The data plane is offset by 1 additional block. */
> -		addr = addr + hdr_size +
> -		       pitch * y_offset_in_blocks +
> -		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> -		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		offset = pitch * y_offset_in_blocks +
> +			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> +			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		addr = addr + hdr_size + offset;
>   	}
>   
>   	mtk_plane_state->pending.enable = true;

-- 
Regards,
Alexandre

Re: [PATCH v3 4/4] drm/mediatek: Fix dereference before null check

[Alexandre Mergnat]

On 21/06/2023 12:22, Jason-JH.Lin wrote:
> Null-checking state suggests that it may be null, but it has already
> been dereferenced on drm_atomic_get_new_plane_state(state, plane).
> 
> The parameter state will never be NULL currently, so just remove the
> state is NULL flow in this function.

Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>

-- 
Regards,
Alexandre

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[Jason-JH Lin (林睿祥)]

[-- Attachment #1: Type: text/html, Size: 5775 bytes --]

[-- Attachment #2: Type: text/plain, Size: 2843 bytes --]

Hi Alexandre,

Thanks for the reviews.

On Wed, 2023-06-21 at 14:34 +0200, Alexandre Mergnat wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  
> 
> On 21/06/2023 12:22, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> >     overflow or unintended sign extension.
> > 2. Add a int varriable for multiplier calculation instead of
> calculating
> >     different types multiplier with dma_addr_t varriable directly.
> > 
> > Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> > Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> > ---
> >   drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
> >   drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++----
> -----
> >   2 files changed, 15 insertions(+), 10 deletions(-)
> > 
> > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > index a25b28d3ee90..da087d74612d 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> > @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
> >   int ret;
> >   
> >   args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> > -args->size = args->pitch * args->height;
> > +args->size = args->pitch;
> > +args->size *= args->height;
> >   
> >   mtk_gem = mtk_drm_gem_create(dev, args->size, false);
> >   if (IS_ERR(mtk_gem))
> > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > index 31f9420aff6f..1cd41454d545 100644
> > --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> > @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> >   dma_addr_t addr;
> >   dma_addr_t hdr_addr = 0;
> >   unsigned int hdr_pitch = 0;
> > +int offset;
> 
> I agree with Angelo, please set offset as unsigned.
> 
I think offset should be unsigned, but since src.x1 and src.y1 are
'int'. That means 'unsigned int' offset will be very big when src.x1 or
src.y1 is negative.
So I just use 'int' for offset here.

Regards,
Jason-JH.Lin

> >   
> >   gem = fb->obj[0];
> >   mtk_gem = to_mtk_gem_obj(gem);
> > @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
> >   modifier = fb->modifier;
> >   
> >   if (modifier == DRM_FORMAT_MOD_LINEAR) {
> > -addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> > -addr += (new_state->src.y1 >> 16) * pitch;
> > +offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
> > +addr += offset;
> > +offset = (new_state->src.y1 >> 16) * pitch;
> > +addr += offset;
> 

Re: [PATCH v3 1/4] drm/mediatek: Remove freeing not dynamic allocated memory

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/html, Size: 3562 bytes --]

[-- Attachment #2: Type: text/plain, Size: 1737 bytes --]

Hi, Jason:

On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> Fixing the coverity issue of:
> mtk_drm_cmdq_pkt_destroy frees address of mtk_crtc->cmdq_handle
> 
> So remove the free function.

Reviewed-by: CK Hu <ck.hu@mediatek.com>

> 
> Fixes: 7627122fd1c0 ("drm/mediatek: Add cmdq_handle in mtk_crtc")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> Reviewed-by: AngeloGioacchino Del Regno <
> angelogioacchino.delregno@collabora.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> index d40142842f85..8d44f3df116f 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
> @@ -116,10 +116,9 @@ static int mtk_drm_cmdq_pkt_create(struct
> cmdq_client *client, struct cmdq_pkt *
>  	dma_addr_t dma_addr;
>  
>  	pkt->va_base = kzalloc(size, GFP_KERNEL);
> -	if (!pkt->va_base) {
> -		kfree(pkt);
> +	if (!pkt->va_base)
>  		return -ENOMEM;
> -	}
> +
>  	pkt->buf_size = size;
>  	pkt->cl = (void *)client;
>  
> @@ -129,7 +128,6 @@ static int mtk_drm_cmdq_pkt_create(struct
> cmdq_client *client, struct cmdq_pkt *
>  	if (dma_mapping_error(dev, dma_addr)) {
>  		dev_err(dev, "dma map failed, size=%u\n",
> (u32)(u64)size);
>  		kfree(pkt->va_base);
> -		kfree(pkt);
>  		return -ENOMEM;
>  	}
>  
> @@ -145,7 +143,6 @@ static void mtk_drm_cmdq_pkt_destroy(struct
> cmdq_pkt *pkt)
>  	dma_unmap_single(client->chan->mbox->dev, pkt->pa_base, pkt-
> >buf_size,
>  			 DMA_TO_DEVICE);
>  	kfree(pkt->va_base);
> -	kfree(pkt);
>  }
>  #endif
>  

Re: [PATCH v3 2/4] drm/mediatek: Add cnt checking for coverity issue

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/html, Size: 3512 bytes --]

[-- Attachment #2: Type: text/plain, Size: 1688 bytes --]

Hi, Jason:

On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> CERT-C Characters and Strings (CERT STR31-C)
> all_drm_priv[cnt] evaluates to an address that could be at negative
> offset of an array.
> 
> In mtk_drm_get_all_drm_priv():
> Guarantee that storage for strings has sufficient space for character
> data and the null terminator.
> 
> So change cnt to unsigned int and check its max value.

Reviewed-by: CK Hu <ck.hu@mediatek.com>

> 
> Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195
> multi mmsys support")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> Reviewed-by: AngeloGioacchino Del Regno <
> angelogioacchino.delregno@collabora.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> index 6dcb4ba2466c..fc217e0acd45 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> @@ -354,7 +354,7 @@ static bool mtk_drm_get_all_drm_priv(struct
> device *dev)
>  	const struct of_device_id *of_id;
>  	struct device_node *node;
>  	struct device *drm_dev;
> -	int cnt = 0;
> +	unsigned int cnt = 0;
>  	int i, j;
>  
>  	for_each_child_of_node(phandle->parent, node) {
> @@ -375,6 +375,9 @@ static bool mtk_drm_get_all_drm_priv(struct
> device *dev)
>  		all_drm_priv[cnt] = dev_get_drvdata(drm_dev);
>  		if (all_drm_priv[cnt] && all_drm_priv[cnt]-
> >mtk_drm_bound)
>  			cnt++;
> +
> +		if (cnt == MAX_CRTC)
> +			break;
>  	}
>  
>  	if (drm_priv->data->mmsys_dev_num == cnt) {

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[Alexandre Mergnat]

On 22/06/2023 10:02, Jason-JH Lin (林睿祥) wrote:
>> drm_plane_state *new_state,
>> >   dma_addr_t addr;
>> >   dma_addr_t hdr_addr = 0;
>> >   unsigned int hdr_pitch = 0;
>> > +int offset;
>> 
>> I agree with Angelo, please set offset as unsigned.
>> 
> I think offset should be unsigned, but since src.x1 and src.y1 are
> 'int'. That means 'unsigned int' offset will be very big when src.x1 or
> src.y1 is negative.
> So I just use 'int' for offset here.

Ok

Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com>

-- 
Regards,
Alexandre

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/html, Size: 6938 bytes --]

[-- Attachment #2: Type: text/plain, Size: 3861 bytes --]

Hi, Jason:

On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> 1. Add casting before assign to avoid the unintentional integer
>    overflow or unintended sign extension.
> 2. Add a int varriable for multiplier calculation instead of
> calculating
>    different types multiplier with dma_addr_t varriable directly.

I agree with these modification, but the title does not match the
modification.

Regards,
CK

> 
> Fixes: 1a64a7aff8da ("drm/mediatek: Fix cursor plane no update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c   |  3 ++-
>  drivers/gpu/drm/mediatek/mtk_drm_plane.c | 22 +++++++++++++---------
>  2 files changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index a25b28d3ee90..da087d74612d 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -121,7 +121,8 @@ int mtk_drm_gem_dumb_create(struct drm_file
> *file_priv, struct drm_device *dev,
>  	int ret;
>  
>  	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
> -	args->size = args->pitch * args->height;
> +	args->size = args->pitch;
> +	args->size *= args->height;
>  
>  	mtk_gem = mtk_drm_gem_create(dev, args->size, false);
>  	if (IS_ERR(mtk_gem))
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 31f9420aff6f..1cd41454d545 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -145,6 +145,7 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	dma_addr_t addr;
>  	dma_addr_t hdr_addr = 0;
>  	unsigned int hdr_pitch = 0;
> +	int offset;
>  
>  	gem = fb->obj[0];
>  	mtk_gem = to_mtk_gem_obj(gem);
> @@ -154,8 +155,10 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  	modifier = fb->modifier;
>  
>  	if (modifier == DRM_FORMAT_MOD_LINEAR) {
> -		addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
> -		addr += (new_state->src.y1 >> 16) * pitch;
> +		offset = (new_state->src.x1 >> 16) * fb->format-
> >cpp[0];
> +		addr += offset;
> +		offset = (new_state->src.y1 >> 16) * pitch;
> +		addr += offset;
>  	} else {
>  		int width_in_blocks = ALIGN(fb->width,
> AFBC_DATA_BLOCK_WIDTH)
>  				      / AFBC_DATA_BLOCK_WIDTH;
> @@ -163,21 +166,22 @@ static void mtk_plane_update_new_state(struct
> drm_plane_state *new_state,
>  				       / AFBC_DATA_BLOCK_HEIGHT;
>  		int x_offset_in_blocks = (new_state->src.x1 >> 16) /
> AFBC_DATA_BLOCK_WIDTH;
>  		int y_offset_in_blocks = (new_state->src.y1 >> 16) /
> AFBC_DATA_BLOCK_HEIGHT;
> -		int hdr_size;
> +		int hdr_size, hdr_offset;
>  
>  		hdr_pitch = width_in_blocks * AFBC_HEADER_BLOCK_SIZE;
>  		pitch = width_in_blocks * AFBC_DATA_BLOCK_WIDTH *
>  			AFBC_DATA_BLOCK_HEIGHT * fb->format->cpp[0];
>  
>  		hdr_size = ALIGN(hdr_pitch * height_in_blocks,
> AFBC_HEADER_ALIGNMENT);
> +		hdr_offset = hdr_pitch * y_offset_in_blocks +
> +			AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
> +		hdr_addr = addr + hdr_offset;
>  
> -		hdr_addr = addr + hdr_pitch * y_offset_in_blocks +
> -			   AFBC_HEADER_BLOCK_SIZE * x_offset_in_blocks;
>  		/* The data plane is offset by 1 additional block. */
> -		addr = addr + hdr_size +
> -		       pitch * y_offset_in_blocks +
> -		       AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT *
> -		       fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		offset = pitch * y_offset_in_blocks +
> +			 AFBC_DATA_BLOCK_WIDTH * AFBC_DATA_BLOCK_HEIGHT
> *
> +			 fb->format->cpp[0] * (x_offset_in_blocks + 1);
> +		addr = addr + hdr_size + offset;
>  	}
>  
>  	mtk_plane_state->pending.enable = true;

Re: [PATCH v3 4/4] drm/mediatek: Fix dereference before null check

[CK Hu (胡俊光)]

[-- Attachment #1: Type: text/html, Size: 3213 bytes --]

[-- Attachment #2: Type: text/plain, Size: 1558 bytes --]

Hi, Jason:

On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> Null-checking state suggests that it may be null, but it has already
> been dereferenced on drm_atomic_get_new_plane_state(state, plane).
> 
> The parameter state will never be NULL currently, so just remove the
> state is NULL flow in this function.

Reviewed-by: CK Hu <ck.hu@mediatek.com>


> 
> Fixes: 5ddb0bd4ddc3 ("drm/atomic: Pass the full state to planes async
> atomic check and update")
> Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
> Reviewed-by: AngeloGioacchino Del Regno <
> angelogioacchino.delregno@collabora.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_plane.c | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> index 1cd41454d545..4828ffa75467 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
> @@ -122,11 +122,7 @@ static int mtk_plane_atomic_async_check(struct
> drm_plane *plane,
>  	if (ret)
>  		return ret;
>  
> -	if (state)
> -		crtc_state = drm_atomic_get_existing_crtc_state(state,
> -								new_pla
> ne_state->crtc);
> -	else /* Special case for asynchronous cursor updates. */
> -		crtc_state = new_plane_state->crtc->state;
> +	crtc_state = drm_atomic_get_existing_crtc_state(state,
> new_plane_state->crtc);
>  
>  	return drm_atomic_helper_check_plane_state(plane->state,
> crtc_state,
>  						   DRM_PLANE_NO_SCALING
> ,

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[Jason-JH Lin (林睿祥)]

[-- Attachment #1: Type: text/html, Size: 2575 bytes --]

[-- Attachment #2: Type: text/plain, Size: 1013 bytes --]

Hi CK,

Thanks for the reviews.

On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> Hi, Jason:
> 
> On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > 1. Add casting before assign to avoid the unintentional integer
> >    overflow or unintended sign extension.
> > 2. Add a int varriable for multiplier calculation instead of
> > calculating
> >    different types multiplier with dma_addr_t varriable directly.
> 
> I agree with these modification, but the title does not match the
> modification.
> 
> Regards,
> CK

I'll change the title and commit msg at the next version below:

Fix unintentional integer overflow in multiplying different types

1. Instead of multiplying 2 variable of different types. Change to
assign a value of one variable and then multiply the other variable.

2. Add a int variable for multiplier calculation instead of calculating
different types multiplier with dma_addr_t variable directly.


Thanks!

Regards,
Jason-JH.Lin
> 

RE: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[David Laight]

From: Jason-JH Lin
> Sent: 14 July 2023 07:46
> 
> Hi CK,
> 
> Thanks for the reviews.
> 
> On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > Hi, Jason:
> >
> > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > 1. Add casting before assign to avoid the unintentional integer
> > >    overflow or unintended sign extension.
> > > 2. Add a int varriable for multiplier calculation instead of
> > > calculating
> > >    different types multiplier with dma_addr_t varriable directly.
> >
> > I agree with these modification, but the title does not match the
> > modification.
> >
> > Regards,
> > CK
> 
> I'll change the title and commit msg at the next version below:
> 
> Fix unintentional integer overflow in multiplying different types
> 
> 1. Instead of multiplying 2 variable of different types. Change to
> assign a value of one variable and then multiply the other variable.
> 
> 2. Add a int variable for multiplier calculation instead of calculating
> different types multiplier with dma_addr_t variable directly.

I'm pretty sure the patch makes absolutely no difference.
In C all arithmetic is done with char/short (inc. unsigned)
promoted to int.

So the only likely overflow is if the values exceed 2^31.
Since the temporaries you are using are 'int' this isn't true.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH v3 3/4] drm/mediatek: Add casting before assign

[Jason-JH Lin (林睿祥)]

[-- Attachment #1: Type: text/html, Size: 6680 bytes --]

[-- Attachment #2: Type: text/plain, Size: 3041 bytes --]

Hi David,

Thanks for the reviews.

On Mon, 2023-07-17 at 13:17 +0000, David Laight wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  From: Jason-JH Lin
> > Sent: 14 July 2023 07:46
> > 
> > Hi CK,
> > 
> > Thanks for the reviews.
> > 
> > On Fri, 2023-07-14 at 05:45 +0000, CK Hu (胡俊光) wrote:
> > > Hi, Jason:
> > >
> > > On Wed, 2023-06-21 at 18:22 +0800, Jason-JH.Lin wrote:
> > > > 1. Add casting before assign to avoid the unintentional integer
> > > >    overflow or unintended sign extension.
> > > > 2. Add a int varriable for multiplier calculation instead of
> > > > calculating
> > > >    different types multiplier with dma_addr_t varriable
> directly.
> > >
> > > I agree with these modification, but the title does not match the
> > > modification.
> > >
> > > Regards,
> > > CK
> > 
> > I'll change the title and commit msg at the next version below:
> > 
> > Fix unintentional integer overflow in multiplying different types
> > 
> > 1. Instead of multiplying 2 variable of different types. Change to
> > assign a value of one variable and then multiply the other
> variable.
> > 
> > 2. Add a int variable for multiplier calculation instead of
> calculating
> > different types multiplier with dma_addr_t variable directly.
> 
> I'm pretty sure the patch makes absolutely no difference.
> In C all arithmetic is done with char/short (inc. unsigned)
> promoted to int.

`char/short promoted to int` could you give me an example or more
detail for this?
I can't really understand about that. Thanks~

> 
> So the only likely overflow is if the values exceed 2^31.
> Since the temporaries you are using are 'int' this isn't true.
> 

According to the modification:

+     int offset;
...
-             addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
-             addr += (new_state->src.y1 >> 16) * pitch;
+             offset = (new_state->src.x1 >> 16) * fb->format->cpp[0];
+             addr += offset;
+             offset = (new_state->src.y1 >> 16) * pitch;
+             addr += offset;


The main reasons why I use `int offset` here is that

src.x1 and src.y1 are `32bits int` defined in

struct drm_rect {
       int x1, y1, x2, y2;
};

We know that the values of `x1 * cpp` and `y1 * pitch` would never
cause 32bits overflow actually.

So I just add the same type `int offset` as a 32bits variable to avoid
Coverity checker catching the unintentional overflow of
`64bits addr += 32bits x1 * 8bits cpp` and
`64bits addr += 32bits y1 * 32bits pitch`.

Another reason is that using `unsined int offset` to store the
calculation result of negative x1 and y1, offset may be a very big
number because of overflow of `negative int`.

Do you agree with that?

Regards,
Jason-JH.Lin


> David
> 
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes,
> MK1 1PT, UK
> Registration No: 1397386 (Wales)
>