drm/amdgpu: add ELM/BAF DCE11 configs (v2)

Dan Carpenter dan.carpenter at oracle.com
Tue May 10 12:02:46 UTC 2016


Hello Alex Deucher,

The patch d525eb8d2e67: "drm/amdgpu: add ELM/BAF DCE11 configs (v2)"
from Oct 14, 2015, leads to the following static checker warning:

	drivers/gpu/drm/amd/amdgpu/dce_v11_0.c:1631 dce_v11_0_audio_init()
	error: buffer overflow 'pin_offsets' 7 <= 7

drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
  1589  static const u32 pin_offsets[] =
  1590  {
  1591          AUD0_REGISTER_OFFSET,
  1592          AUD1_REGISTER_OFFSET,
  1593          AUD2_REGISTER_OFFSET,
  1594          AUD3_REGISTER_OFFSET,
  1595          AUD4_REGISTER_OFFSET,
  1596          AUD5_REGISTER_OFFSET,
  1597          AUD6_REGISTER_OFFSET,

This array always has 7 elements.


  1598  };
  1599  
  1600  static int dce_v11_0_audio_init(struct amdgpu_device *adev)
  1601  {
  1602          int i;
  1603  
  1604          if (!amdgpu_audio)
  1605                  return 0;
  1606  
  1607          adev->mode_info.audio.enabled = true;
  1608  
  1609          switch (adev->asic_type) {
  1610          case CHIP_CARRIZO:
  1611          case CHIP_STONEY:
  1612                  adev->mode_info.audio.num_pins = 7;
  1613                  break;
  1614          case CHIP_POLARIS10:
  1615                  adev->mode_info.audio.num_pins = 8;

We sometimes set num_pins to 8.

  1616                  break;
  1617          case CHIP_POLARIS11:
  1618                  adev->mode_info.audio.num_pins = 6;
  1619                  break;
  1620          default:
  1621                  return -EINVAL;
  1622          }
  1623  
  1624          for (i = 0; i < adev->mode_info.audio.num_pins; i++) {
  1625                  adev->mode_info.audio.pin[i].channels = -1;
  1626                  adev->mode_info.audio.pin[i].rate = -1;
  1627                  adev->mode_info.audio.pin[i].bits_per_sample = -1;
  1628                  adev->mode_info.audio.pin[i].status_bits = 0;
  1629                  adev->mode_info.audio.pin[i].category_code = 0;
  1630                  adev->mode_info.audio.pin[i].connected = false;
  1631                  adev->mode_info.audio.pin[i].offset = pin_offsets[i];
                                                              ^^^^^^^^^^^^^^
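So we're reading one step beyond the end of the array: on CHIP_POLARIS10 the
loop runs with i == 7, but pin_offsets[] only has valid indexes 0-6.  Either
the table needs an eighth entry or the loop has to be bounded by
ARRAY_SIZE(pin_offsets).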

  1632                  adev->mode_info.audio.pin[i].id = i;
  1633                  /* disable audio.  it will be set up later */
  1634                  /* XXX remove once we switch to ip funcs */
  1635                  dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
  1636          }
  1637  
  1638          return 0;
  1639  }

regards,
dan carpenter

