[PATCH] drm/i915/display: Check source height is > 0
Juha-Pekka Heikkila
juhapekka.heikkila at gmail.com
Tue Jan 3 10:42:43 UTC 2023
Hi Drew,
this is good find. I went looking where the problem is in and saw what
you probably also saw earlier.
I was wondering if diff below would be better fix? I assume this would
end up with einval or erange in your case but code flow otherwise would
stay as is while fixing all future callers for same issue:
diff --git a/drivers/gpu/drm/i915/display/intel_atomic_plane.c
b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
index 10e1fc9d0698..a9948e8d3543 100644
--- a/drivers/gpu/drm/i915/display/intel_atomic_plane.c
+++ b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
@@ -144,7 +144,7 @@ unsigned int intel_adjusted_rate(const struct
drm_rect *src,
const struct drm_rect *dst,
unsigned int rate)
{
- unsigned int src_w, src_h, dst_w, dst_h;
+ unsigned int src_w, src_h, dst_w, dst_h, dst_wh;
src_w = drm_rect_width(src) >> 16;
src_h = drm_rect_height(src) >> 16;
@@ -155,8 +155,10 @@ unsigned int intel_adjusted_rate(const struct
drm_rect *src,
dst_w = min(src_w, dst_w);
dst_h = min(src_h, dst_h);
- return DIV_ROUND_UP_ULL(mul_u32_u32(rate, src_w * src_h),
- dst_w * dst_h);
+ /* in case src contained only fractional part */
+ dst_wh = max(dst_w * dst_h, (unsigned) 1);
+
+ return DIV_ROUND_UP_ULL(mul_u32_u32(rate, src_w * src_h), dst_wh);
}
unsigned int intel_plane_pixel_rate(const struct intel_crtc_state
*crtc_state,
What do you think? I'll in any case come up with some test for this in igt.
/Juha-Pekka
On 27.12.2022 7.53, Drew Davenport wrote:
> The error message suggests that the height of the src rect must be at
> least 1. Reject source with height of 0.
>
> Signed-off-by: Drew Davenport <ddavenport at chromium.org>
>
> ---
> I was investigating some divide-by-zero crash reports on ChromeOS which
> pointed to the intel_adjusted_rate function. Further prodding showed
> that I could reproduce this in a simple test program if I made src_h
> some value less than 1 but greater than 0.
>
> This seemed to be a sensible place to check that the source height is at
> least 1. I tried to repro this issue on an amd device I had on hand, and
> the configuration was rejected.
>
> Would it make sense to add a check that source dimensions are at least 1
> somewhere in core, like in drm_atomic_plane_check? Or is that a valid
> use case on some devices, and thus any such check should be done on a
> per-driver basis?
>
> Thanks.
>
> drivers/gpu/drm/i915/display/skl_universal_plane.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/display/skl_universal_plane.c b/drivers/gpu/drm/i915/display/skl_universal_plane.c
> index 4b79c2d2d6177..9b172a1e90deb 100644
> --- a/drivers/gpu/drm/i915/display/skl_universal_plane.c
> +++ b/drivers/gpu/drm/i915/display/skl_universal_plane.c
> @@ -1627,7 +1627,7 @@ static int skl_check_main_surface(struct intel_plane_state *plane_state)
> u32 offset;
> int ret;
>
> - if (w > max_width || w < min_width || h > max_height) {
> + if (w > max_width || w < min_width || h > max_height || h < 1) {
> drm_dbg_kms(&dev_priv->drm,
> "requested Y/RGB source size %dx%d outside limits (min: %dx1 max: %dx%d)\n",
> w, h, min_width, max_width, max_height);
More information about the dri-devel
mailing list