From: Jani Nikula <jani.nikula@linux.intel.com>
To: Krzysztof Karas <krzysztof.karas@intel.com>,
intel-gfx@lists.freedesktop.org
Cc: "Thomas Zimmermann" <tzimmermann@suse.de>,
"Noralf Trønnes" <noralf@tronnes.org>,
"Simona Vetter" <simona.vetter@ffwll.ch>,
"Andi Shyti" <andi.shyti@linux.intel.com>,
"Sebastian Brzezinka" <sebastian.brzezinka@intel.com>,
"Krzysztof Niemiec" <krzysztof.niemiec@intel.com>,
"Krzysztof Karas" <krzysztof.karas@intel.com>
Subject: Re: [PATCH 6/6] drm: Avoid undefined behavior on u16 multiplication
Date: Mon, 08 Sep 2025 12:44:56 +0300
Message-ID: <bc353160d0c3d7f662f66edd8b33ecee2b851b67@intel.com>
In-Reply-To: <9a7a56a1a958f7aa0389bb5732f4b716bf2be0f6.1756995162.git.krzysztof.karas@intel.com>
On Mon, 08 Sep 2025, Krzysztof Karas <krzysztof.karas@intel.com> wrote:
> Fields hdisplay and vdisplay are defined as u16. Their
> multiplication causes implicit promotion to signed 32-bit value,
> which may overflow and cause undefined behavior.
>
> The same goes for vpos, which is multiplied by signed integer.
>
> Prevent possible undefined behavior by explicitly casting one of
> the operands to (unsigned int) type.
>
> Fixes: 3ed4351a83ca ("drm: Extract drm_vblank.[hc]")
> Fixes: cc4312127108 ("drm/tinydrm/mipi-dbi: Add mipi_dbi_init_with_formats()")
> Fixes: 80f7c3f77697 ("drm/vram: Add helpers to validate a display mode's memory requirements")
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Noralf Trønnes <noralf@tronnes.org>
> Cc: Simona Vetter <simona.vetter@ffwll.ch>
> Cc: <stable@vger.kernel.org> # v4.13+
> Cc: <stable@vger.kernel.org> # v5.4+
> Cc: <stable@vger.kernel.org> # v5.7+

The multitude of files, Fixes and subsequent Cc: stables with different
target kernels is just an indication this should be three separate
patches.

The cause may be the same, but they're still unrelated fixes.

Moreover, imagine the consequences of one of these fixes ending up being
incorrect, and you have to revert or fix it. It's a logistics PITA.

BR,
Jani.

> Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
> ---
> drivers/gpu/drm/drm_gem_vram_helper.c | 2 +-
> drivers/gpu/drm/drm_mipi_dbi.c | 2 +-
> drivers/gpu/drm/drm_vblank.c | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_gem_vram_helper.c b/drivers/gpu/drm/drm_gem_vram_helper.c
> index b04cde4a60e7..4b144e9603b8 100644
> --- a/drivers/gpu/drm/drm_gem_vram_helper.c
> +++ b/drivers/gpu/drm/drm_gem_vram_helper.c
> @@ -967,7 +967,7 @@ drm_vram_helper_mode_valid_internal(struct drm_device *dev,
>
> max_fbpages = (vmm->vram_size / 2) >> PAGE_SHIFT;
>
> - fbsize = mode->hdisplay * mode->vdisplay * max_bpp;
> + fbsize = (unsigned int)mode->hdisplay * mode->vdisplay * max_bpp;
> fbpages = DIV_ROUND_UP(fbsize, PAGE_SIZE);
>
> if (fbpages > max_fbpages)
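Review bot: In `fbsize = (unsigned int)mode->hdisplay * mode->vdisplay * max_bpp;` the cast only guarantees that the first product is free of signed overflow; the multiplication by `max_bpp` is then done in whatever type the usual conversions give for `unsigned int` and `max_bpp`, and if that type is 32 bits wide the result wraps silently. A wrapped `fbsize` yields a small `fbpages`, so the `fbpages > max_fbpages` check that follows would accept a mode that does not fit. Because this value feeds a validation check, consider casting to the type of `fbsize` instead, or using check_mul_overflow() and rejecting the mode when it reports overflow.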
> diff --git a/drivers/gpu/drm/drm_mipi_dbi.c b/drivers/gpu/drm/drm_mipi_dbi.c
> index e33c78fc8fbd..536741dd7690 100644
> --- a/drivers/gpu/drm/drm_mipi_dbi.c
> +++ b/drivers/gpu/drm/drm_mipi_dbi.c
> @@ -691,7 +691,7 @@ int mipi_dbi_dev_init(struct mipi_dbi_dev *dbidev,
> const struct drm_simple_display_pipe_funcs *funcs,
> const struct drm_display_mode *mode, unsigned int rotation)
> {
> - size_t bufsize = mode->vdisplay * mode->hdisplay * sizeof(u16);
> + size_t bufsize = (unsigned int)mode->vdisplay * mode->hdisplay * sizeof(u16);
>
> dbidev->drm.mode_config.preferred_depth = 16;
>
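Review bot: The destination in `size_t bufsize = (unsigned int)mode->vdisplay * mode->hdisplay * sizeof(u16);` is a `size_t`, but the cast is to `unsigned int`, so only the final multiplication by `sizeof(u16)` happens in `size_t`. Where `size_t` is 32 bits wide, the largest u16 dimensions times 2 still wrap, which leaves `bufsize` smaller than the frame it is meant to hold. Casting to `(size_t)` would match the destination type, and a saturating helper such as array3_size() or size_mul() would turn an oversized mode into SIZE_MAX instead of a short size.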
> diff --git a/drivers/gpu/drm/drm_vblank.c b/drivers/gpu/drm/drm_vblank.c
> index 46f59883183d..8a3a82962494 100644
> --- a/drivers/gpu/drm/drm_vblank.c
> +++ b/drivers/gpu/drm/drm_vblank.c
> @@ -779,7 +779,7 @@ drm_crtc_vblank_helper_get_vblank_timestamp_internal(
> * since start of scanout at first display scanline. delta_ns
> * can be negative if start of scanout hasn't happened yet.
> */
> - delta_ns = div_s64(1000000LL * (vpos * mode->crtc_htotal + hpos),
> + delta_ns = div_s64(1000000LL * ((unsigned int)vpos * mode->crtc_htotal + hpos),
> mode->crtc_clock);
>
> /* Subtract time delta from raw timestamp to get final
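Review bot: The `(unsigned int)vpos` cast conflicts with the comment directly above it, which says delta_ns can be negative if start of scanout hasn't happened yet. With the cast, `(unsigned int)vpos * mode->crtc_htotal + hpos` is evaluated as an unsigned value, so a negative position becomes a large positive number before it is multiplied by `1000000LL`, and delta_ns can no longer go negative. To avoid the signed 32-bit overflow while keeping the sign, widen to the 64-bit signed type instead, for example `(s64)vpos * mode->crtc_htotal + hpos`.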
--
Jani Nikula, Intel
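
The u16 promotion issue from the quoted commit message, as an added user-space example that is not part of the thread or the kernel source: `struct mode`, `PAGE_SZ` and the page budget are constructed stand-ins. It shows that a 32-bit unsigned cast removes the undefined behavior but still wraps, next to a widened and a checked multiplication.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u /* constructed page size */

/* Hypothetical stand-in for the two u16 fields of struct drm_display_mode. */
struct mode { uint16_t hdisplay, vdisplay; };

/* 32-bit unsigned cast: no undefined behavior, but reduced modulo 2^32. */
static uint32_t fbsize_u32(const struct mode *m, uint32_t bpp)
{
	return (uint32_t)m->hdisplay * m->vdisplay * bpp;
}

/* Widen first: 16 + 16 + 32 bits always fit in 64. */
static uint64_t fbsize_u64(const struct mode *m, uint32_t bpp)
{
	return (uint64_t)m->hdisplay * m->vdisplay * bpp;
}

/* Round up to whole pages without adding to size (which could wrap). */
static uint32_t pages_for(uint32_t size)
{
	return size / PAGE_SZ + (size % PAGE_SZ != 0);
}

/* Validation on the wrapped value, shaped like "fbpages > max_fbpages". */
static bool mode_fits_wrapped(const struct mode *m, uint32_t bpp, uint32_t max_pages)
{
	return pages_for(fbsize_u32(m, bpp)) <= max_pages;
}

/* Rejects the mode when the size does not fit in 32 bits.
 * __builtin_mul_overflow is the GCC/Clang builtin behind check_mul_overflow(). */
static bool mode_fits_checked(const struct mode *m, uint32_t bpp, uint32_t max_pages)
{
	uint32_t size, pixels = (uint32_t)m->hdisplay * m->vdisplay; /* < 2^32 */
	if (__builtin_mul_overflow(pixels, bpp, &size))
		return false;
	return pages_for(size) <= max_pages;
}

int main(void)
{
	struct mode big = { 32768, 32768 }; /* constructed mode: 2^15 x 2^15 */
	printf("u32=%u u64=%llu wrapped_ok=%d checked_ok=%d\n", fbsize_u32(&big, 4),
	       (unsigned long long)fbsize_u64(&big, 4),
	       mode_fits_wrapped(&big, 4, 1024), mode_fits_checked(&big, 4, 1024));
	return 0;
}
```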