Re: [PATCH] drm/i915: Limit the for_each_set_bit() to the valid range

Quoting Ville Syrjälä (2019-01-17 15:07:53)
> On Wed, Jan 16, 2019 at 03:54:21PM +0000, Chris Wilson wrote:
> > Let static analyzers (smatch) know that we are not going to wander off
> > the end of the array by providing a tight upper bound:
> > 
> > drivers/gpu/drm/i915/intel_display.c:9532 hsw_get_transcoder_state() error: buffer overflow 'dev_priv->__info.trans_offsets' 6 <= 31
> > 
> > References: 0716931a82b4 ("drm/i915/icl: fix transcoder state readout")
> > Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > Cc: Jani Nikula <jani.nikula@xxxxxxxxx>
> > Cc: Ville Syrjala <ville.syrjala@xxxxxxxxxxxxxxx>
> > Cc: Imre Deak <imre.deak@xxxxxxxxx>
> > Cc: Madhav Chauhan <madhav.chauhan@xxxxxxxxx>
> > ---
> >  drivers/gpu/drm/i915/intel_display.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
> > index 62d61fcad89c..b087ed285cc1 100644
> > --- a/drivers/gpu/drm/i915/intel_display.c
> > +++ b/drivers/gpu/drm/i915/intel_display.c
> > @@ -9526,7 +9526,9 @@ static bool hsw_get_transcoder_state(struct intel_crtc *crtc,
> >        * XXX: Do intel_display_power_get_if_enabled before reading this (for
> >        * consistency and less surprising code; it's in always on power).
> >        */
> > -     for_each_set_bit(panel_transcoder, &panel_transcoder_mask, 32) {
> > +     for_each_set_bit(panel_transcoder,
> > +                      &panel_transcoder_mask,
> > +                      ARRAY_SIZE(INTEL_INFO(dev_priv)->trans_offsets)) {
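Review bot: In the for_each_set_bit() call, the new limit ARRAY_SIZE(INTEL_INFO(dev_priv)->trans_offsets) makes the loop silently skip any bit of panel_transcoder_mask at or above the array size, where the old limit of 32 would have visited it. The commit message only describes the change as a hint for smatch, so it would help to state, in a comment above the loop or as an explicit check on the mask, that panel_transcoder_mask can only ever contain bits for valid transcoders. Otherwise a stray high bit would now go unnoticed instead of being reported.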
> 
> Or just I915_MAX_TRANSCODERS maybe? Doesn't really matter I suppose.

I don't know which would be better long term either.

trans_offset[] to match the TRANS_DDI_FUNC_CTL() closely,
or MAX_TRANSCODERS to match the panel bits closely.

I suppose MAX_TRANSCODERS here would at least cause smatch to complain
if MAX_TRANSCODERS was greater than trans_offset[] which might be
useful. (But I also think it will always remain trans_offsets[MAX_TRANSCODERS]).
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
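The trade-off discussed in this thread, as an added userspace sketch that is not code from the patch or the i915 driver: a bounded set-bit walk over a mask that indexes a table, plus a build-time check tying the enum bound to the table size. `MODEL_MAX_TRANSCODERS`, `model_trans_offsets`, `next_set_bit` and `read_offsets` are hypothetical names, and the table values and mask are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-ins for I915_MAX_TRANSCODERS and trans_offsets[];
 * the offset values are constructed for this example. */
enum { MODEL_MAX_TRANSCODERS = 6 };
static const uint32_t model_trans_offsets[] = {
    0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x6000 };

/* Build-time guard: the enum may never exceed the table it indexes. */
_Static_assert(MODEL_MAX_TRANSCODERS <= ARRAY_SIZE(model_trans_offsets),
               "MODEL_MAX_TRANSCODERS exceeds model_trans_offsets[]");

/* First set bit in mask at or after start, or limit if there is none. */
static unsigned next_set_bit(uint32_t mask, unsigned start, unsigned limit)
{
    for (unsigned bit = start; bit < limit && bit < 32; bit++)
        if (mask & (UINT32_C(1) << bit))
            return bit;
    return limit;
}

/* Walk the set bits below limit, summing table entries. Returns the number
 * of entries read, or -1 if a bit would index past the table. */
static int read_offsets(uint32_t mask, unsigned limit, uint32_t *sum)
{
    int reads = 0;
    *sum = 0;
    for (unsigned bit = next_set_bit(mask, 0, limit); bit < limit;
         bit = next_set_bit(mask, bit + 1, limit)) {
        if (bit >= ARRAY_SIZE(model_trans_offsets))
            return -1; /* the read the analyzer warned about */
        *sum += model_trans_offsets[bit];
        reads++;
    }
    return reads;
}

int main(void)
{
    uint32_t mask = (1u << 0) | (1u << 4) | (1u << 31); /* constructed */
    uint32_t sum;
    int wide = read_offsets(mask, 32, &sum);
    int tight = read_offsets(mask, MODEL_MAX_TRANSCODERS, &sum);
    printf("limit 32: %d; limit %d: %d reads, sum 0x%x\n", wide,
           MODEL_MAX_TRANSCODERS, tight, (unsigned)sum);
    return 0;
}
```

With the limit at 32 the stray bit 31 reaches the table index and is rejected; with the tight limit it is never visited, so only the two valid entries are read.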



