[v3] drm/imx: imx-ldb: fix out of bounds array access warning

Message ID 20210324164750.3833773-1-arnd@kernel.org
State New
Headers show
Series
  • [v3] drm/imx: imx-ldb: fix out of bounds array access warning
Related show

Commit Message

Arnd Bergmann March 24, 2021, 4:47 p.m.
From: Arnd Bergmann <arnd@arndb.de>


When CONFIG_OF is disabled, building with 'make W=1' produces warnings
about out of bounds array access:

drivers/gpu/drm/imx/imx-ldb.c: In function 'imx_ldb_set_clock.constprop':
drivers/gpu/drm/imx/imx-ldb.c:186:8: error: array subscript -22 is below array bounds of 'struct clk *[4]' [-Werror=array-bounds]

Add an error check before the index is used, which helps with the
warning, as well as any possible other error condition that may be
triggered at runtime.

The warning could be fixed by adding a Kconfig depedency on CONFIG_OF,
but Liu Ying points out that the driver may hit the out-of-bounds
problem at runtime anyway.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

---
v3: fix build regression from v2
v2: fix subject line
    expand patch description
    print mux number
    check upper bound as well
---
 drivers/gpu/drm/imx/imx-ldb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

-- 
2.29.2

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Comments

Liu Ying March 25, 2021, 2:03 a.m. | #1
On Wed, 2021-03-24 at 17:47 +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>

> 

> When CONFIG_OF is disabled, building with 'make W=1' produces warnings

> about out of bounds array access:

> 

> drivers/gpu/drm/imx/imx-ldb.c: In function 'imx_ldb_set_clock.constprop':

> drivers/gpu/drm/imx/imx-ldb.c:186:8: error: array subscript -22 is below array bounds of 'struct clk *[4]' [-Werror=array-bounds]

> 

> Add an error check before the index is used, which helps with the

> warning, as well as any possible other error condition that may be

> triggered at runtime.

> 

> The warning could be fixed by adding a Kconfig depedency on CONFIG_OF,

> but Liu Ying points out that the driver may hit the out-of-bounds

> problem at runtime anyway.


Almost impossible to hit the out-of-bounds problem at runtime, unless
something wrong happens and makes unexpected parameters(node and/or
encoder) be handed over to drm_of_encoder_active_port_id(). Anyway, an
error check on return value from drm_of_encoder_active_port_id() looks
ok to me.

> 

> Signed-off-by: Arnd Bergmann <arnd@arndb.de>


Reviewed-by: Liu Ying <victor.liu@nxp.com>


Thanks,
Liu Ying

> ---

> v3: fix build regression from v2

> v2: fix subject line

>     expand patch description

>     print mux number

>     check upper bound as well

> ---

>  drivers/gpu/drm/imx/imx-ldb.c | 10 ++++++++++

>  1 file changed, 10 insertions(+)

> 

> diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c

> index dbfe39e2f7f6..565482e2b816 100644

> --- a/drivers/gpu/drm/imx/imx-ldb.c

> +++ b/drivers/gpu/drm/imx/imx-ldb.c

> @@ -197,6 +197,11 @@ static void imx_ldb_encoder_enable(struct drm_encoder *encoder)

>  	int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;

>  	int mux = drm_of_encoder_active_port_id(imx_ldb_ch->child, encoder);

>  

> +	if (mux < 0 || mux >= ARRAY_SIZE(ldb->clk_sel)) {

> +		dev_warn(ldb->dev, "%s: invalid mux %d\n", __func__, mux);

> +		return;

> +	}

> +

>  	drm_panel_prepare(imx_ldb_ch->panel);

>  

>  	if (dual) {

> @@ -255,6 +260,11 @@ imx_ldb_encoder_atomic_mode_set(struct drm_encoder *encoder,

>  	int mux = drm_of_encoder_active_port_id(imx_ldb_ch->child, encoder);

>  	u32 bus_format = imx_ldb_ch->bus_format;

>  

> +	if (mux < 0 || mux >= ARRAY_SIZE(ldb->clk_sel)) {

> +		dev_warn(ldb->dev, "%s: invalid mux %d\n", __func__, mux);

> +		return;

> +	}

> +

>  	if (mode->clock > 170000) {

>  		dev_warn(ldb->dev,

>  			 "%s: mode exceeds 170 MHz pixel clock\n", __func__);


_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
Philipp Zabel March 25, 2021, 7:08 a.m. | #2
On Thu, Mar 25, 2021 at 10:03:23AM +0800, Liu Ying wrote:
> On Wed, 2021-03-24 at 17:47 +0100, Arnd Bergmann wrote:

> > From: Arnd Bergmann <arnd@arndb.de>

> > 

> > When CONFIG_OF is disabled, building with 'make W=1' produces warnings

> > about out of bounds array access:

> > 

> > drivers/gpu/drm/imx/imx-ldb.c: In function 'imx_ldb_set_clock.constprop':

> > drivers/gpu/drm/imx/imx-ldb.c:186:8: error: array subscript -22 is below array bounds of 'struct clk *[4]' [-Werror=array-bounds]

> > 

> > Add an error check before the index is used, which helps with the

> > warning, as well as any possible other error condition that may be

> > triggered at runtime.

> > 

> > The warning could be fixed by adding a Kconfig depedency on CONFIG_OF,

> > but Liu Ying points out that the driver may hit the out-of-bounds

> > problem at runtime anyway.

> > 

> > Signed-off-by: Arnd Bergmann <arnd@arndb.de>

> Reviewed-by: Liu Ying <victor.liu@nxp.com>


Thank you, applied to imx-drm/fixes.

regards
Philipp
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Patch

diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c
index dbfe39e2f7f6..565482e2b816 100644
--- a/drivers/gpu/drm/imx/imx-ldb.c
+++ b/drivers/gpu/drm/imx/imx-ldb.c
@@ -197,6 +197,11 @@  static void imx_ldb_encoder_enable(struct drm_encoder *encoder)
 	int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN;
 	int mux = drm_of_encoder_active_port_id(imx_ldb_ch->child, encoder);
 
+	if (mux < 0 || mux >= ARRAY_SIZE(ldb->clk_sel)) {
+		dev_warn(ldb->dev, "%s: invalid mux %d\n", __func__, mux);
+		return;
+	}
+
 	drm_panel_prepare(imx_ldb_ch->panel);
 
 	if (dual) {
@@ -255,6 +260,11 @@  imx_ldb_encoder_atomic_mode_set(struct drm_encoder *encoder,
 	int mux = drm_of_encoder_active_port_id(imx_ldb_ch->child, encoder);
 	u32 bus_format = imx_ldb_ch->bus_format;
 
+	if (mux < 0 || mux >= ARRAY_SIZE(ldb->clk_sel)) {
+		dev_warn(ldb->dev, "%s: invalid mux %d\n", __func__, mux);
+		return;
+	}
+
 	if (mode->clock > 170000) {
 		dev_warn(ldb->dev,
 			 "%s: mode exceeds 170 MHz pixel clock\n", __func__);