From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 273881170E for ; Mon, 11 Sep 2023 14:07:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9A7A1C433C7; Mon, 11 Sep 2023 14:07:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1694441226; bh=lF/NazABTk6h5wktyneg8+VhxzPi3Oa3WdUUuWnpMqQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Gwt5zU4hndK8o0Xg/ak58g2/gnMuBvw89saY96+uGS4iyhCmtHffHcjOrvFiCFMvv IcAIqkD/cPbeiyTgmxO8vN8A8g7Bs6vt06ntGW+gRvpVsTkou2hxUmnwco/5jzr6sD 8yVt+Th4mgwNv35i7bsbQIBlu/qRsFd3fMCqVaJM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, "Jason-JH.Lin" , AngeloGioacchino Del Regno , CK Hu , Alexandre Mergnat , Chun-Kuang Hu , Sasha Levin Subject: [PATCH 6.5 338/739] drm/mediatek: Add cnt checking for coverity issue Date: Mon, 11 Sep 2023 15:42:17 +0200 Message-ID: <20230911134700.544644172@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230911134650.921299741@linuxfoundation.org> References: <20230911134650.921299741@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jason-JH.Lin [ Upstream commit d761b9450e31e5abd212f0085d424ed32760de5a ] CERT-C Characters and Strings (CERT STR31-C) all_drm_priv[cnt] evaluates to an address that could be at negative offset of an array. In mtk_drm_get_all_drm_priv(): Guarantee that storage for strings has sufficient space for character data and the null terminator. So change cnt to unsigned int and check its max value. Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") Signed-off-by: Jason-JH.Lin Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Reviewed-by: Alexandre Mergnat Link: https://patchwork.kernel.org/project/dri-devel/patch/20230714094908.13087-3-jason-jh.lin@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 6dcb4ba2466c0..fc217e0acd45d 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -354,7 +354,7 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) const struct of_device_id *of_id; struct device_node *node; struct device *drm_dev; - int cnt = 0; + unsigned int cnt = 0; int i, j; for_each_child_of_node(phandle->parent, node) { @@ -375,6 +375,9 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) all_drm_priv[cnt] = dev_get_drvdata(drm_dev); if (all_drm_priv[cnt] && all_drm_priv[cnt]->mtk_drm_bound) cnt++; + + if (cnt == MAX_CRTC) + break; } if (drm_priv->data->mmsys_dev_num == cnt) { -- 2.40.1