[PATCH v3 2/9] drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()

[Neil Armstrong]

On 01/05/2024 17:41, Douglas Anderson wrote:
> The mipi_dsi_generic_write_seq() macro makes a call to
> mipi_dsi_generic_write() which returns a type ssize_t. The macro then
> stores it in an int and checks to see if it's negative. This could
> theoretically be a problem if "ssize_t" is larger than "int".
> 
> To see the issue, imagine that "ssize_t" is 32-bits and "int" is
> 16-bits, you could see a problem if there was some code out there that
> looked like:
> 
>    mipi_dsi_generic_write_seq(dsi, <32768 bytes as arguments>);
> 
> ...since we'd get back that 32768 bytes were transferred and 32768
> stored in a 16-bit int would look negative.
> 
> Though there are no callsites where we'd actually hit this (even if
> "int" was only 16-bit), it's cleaner to make the types match so let's
> fix it.
> 
> Fixes: a9015ce59320 ("drm/mipi-dsi: Add a mipi_dsi_dcs_write_seq() macro")
> Signed-off-by: Douglas Anderson <dianders at chromium.org>
> ---
> 
> Changes in v3:
> - Use %zd in print instead of casting errors to int.
> 
> Changes in v2:
> - New
> 
>   include/drm/drm_mipi_dsi.h | 22 +++++++++++-----------
>   1 file changed, 11 insertions(+), 11 deletions(-)
> 
> diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h
> index 70ce0b8cbc68..e0f56564bf97 100644
> --- a/include/drm/drm_mipi_dsi.h
> +++ b/include/drm/drm_mipi_dsi.h
> @@ -314,17 +314,17 @@ int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi,
>    * @dsi: DSI peripheral device
>    * @seq: buffer containing the payload
>    */
> -#define mipi_dsi_generic_write_seq(dsi, seq...)                                \
> -	do {                                                                   \
> -		static const u8 d[] = { seq };                                 \
> -		struct device *dev = &dsi->dev;                                \
> -		int ret;                                                       \
> -		ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d));           \
> -		if (ret < 0) {                                                 \
> -			dev_err_ratelimited(dev, "transmit data failed: %d\n", \
> -					    ret);                              \
> -			return ret;                                            \
> -		}                                                              \
> +#define mipi_dsi_generic_write_seq(dsi, seq...)                                 \
> +	do {                                                                    \
> +		static const u8 d[] = { seq };                                  \
> +		struct device *dev = &dsi->dev;                                 \
> +		ssize_t ret;                                                    \
> +		ret = mipi_dsi_generic_write(dsi, d, ARRAY_SIZE(d));            \
> +		if (ret < 0) {                                                  \
> +			dev_err_ratelimited(dev, "transmit data failed: %zd\n", \
> +					    ret);                               \
> +			return ret;                                             \
> +		}                                                               \
>   	} while (0)
>   
>   /**

Reviewed-by: Neil Armstrong <neil.armstrong at linaro.org>