[PATCH] drm/xe/display: fix potential overflow when multiplying 2 u32
Ville Syrjälä
ville.syrjala at linux.intel.com
Tue Mar 12 16:48:56 UTC 2024
On Tue, Mar 12, 2024 at 03:24:41PM +0530, Arun R Murthy wrote:
> Multiplying XE_PAGE_SIZE with another u32 and the product stored in
> u64 can potentially lead to overflow. Change one of the value to u64 so
> as to perform 64 bit arithmetic operation as the product is u64.
These should never get that big.
>
> Signed-off-by: Arun R Murthy <arun.r.murthy at intel.com>
> ---
> drivers/gpu/drm/xe/display/xe_fb_pin.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/xe/display/xe_fb_pin.c b/drivers/gpu/drm/xe/display/xe_fb_pin.c
> index 722c84a56607..c9d26345ae6e 100644
> --- a/drivers/gpu/drm/xe/display/xe_fb_pin.c
> +++ b/drivers/gpu/drm/xe/display/xe_fb_pin.c
> @@ -29,7 +29,7 @@ write_dpt_rotated(struct xe_bo *bo, struct iosys_map *map, u32 *dpt_ofs, u32 bo_
> u32 src_idx = src_stride * (height - 1) + column + bo_ofs;
>
> for (row = 0; row < height; row++) {
> - u64 pte = ggtt->pt_ops->pte_encode_bo(bo, src_idx * XE_PAGE_SIZE,
> + u64 pte = ggtt->pt_ops->pte_encode_bo(bo, src_idx * (u64)XE_PAGE_SIZE,
mul_u32_u32() may generate better code due to compiler fails.
> xe->pat.idx[XE_CACHE_WB]);
Rather surprising to see WB in any display code.
Is this stuff actually working?
>
> iosys_map_wr(map, *dpt_ofs, u64, pte);
> @@ -61,7 +61,7 @@ write_dpt_remapped(struct xe_bo *bo, struct iosys_map *map, u32 *dpt_ofs,
>
> for (column = 0; column < width; column++) {
> iosys_map_wr(map, *dpt_ofs, u64,
> - pte_encode_bo(bo, src_idx * XE_PAGE_SIZE,
> + pte_encode_bo(bo, src_idx * (u64)XE_PAGE_SIZE,
> xe->pat.idx[XE_CACHE_WB]));
>
> *dpt_ofs += 8;
> @@ -118,7 +118,7 @@ static int __xe_pin_fb_vma_dpt(struct intel_framebuffer *fb,
> u32 x;
>
> for (x = 0; x < size / XE_PAGE_SIZE; x++) {
> - u64 pte = ggtt->pt_ops->pte_encode_bo(bo, x * XE_PAGE_SIZE,
> + u64 pte = ggtt->pt_ops->pte_encode_bo(bo, x * (u64)XE_PAGE_SIZE,
> xe->pat.idx[XE_CACHE_WB]);
>
> iosys_map_wr(&dpt->vmap, x * 8, u64, pte);
> @@ -164,7 +164,7 @@ write_ggtt_rotated(struct xe_bo *bo, struct xe_ggtt *ggtt, u32 *ggtt_ofs, u32 bo
> u32 src_idx = src_stride * (height - 1) + column + bo_ofs;
>
> for (row = 0; row < height; row++) {
> - u64 pte = ggtt->pt_ops->pte_encode_bo(bo, src_idx * XE_PAGE_SIZE,
> + u64 pte = ggtt->pt_ops->pte_encode_bo(bo, src_idx * (u64)XE_PAGE_SIZE,
> xe->pat.idx[XE_CACHE_WB]);
>
> xe_ggtt_set_pte(ggtt, *ggtt_ofs, pte);
> @@ -381,4 +381,4 @@ struct i915_address_space *intel_dpt_create(struct intel_framebuffer *fb)
> void intel_dpt_destroy(struct i915_address_space *vm)
> {
> return;
> -}
> \ No newline at end of file
> +}
> --
> 2.25.1
--
Ville Syrjälä
Intel
More information about the Intel-gfx
mailing list