Re: [PATCH] drm/i915/display: Check source height is > 0

From: Juha-Pekka Heikkila
Date: Tue Jan 03 2023 - 05:43:17 EST

Next message: Daniel Lezcano: "Re: [PATCH v2 1/3] thermal/acpi: Add ACPI trip point routines"
Previous message: Ricardo Ribalda: "Re: [PATCH RESEND v2 1/2] media: uvcvideo: Limit power line control for Acer EasyCamera"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Drew,

this is good find. I went looking where the problem is in and saw what you probably also saw earlier.

I was wondering if diff below would be better fix? I assume this would end up with einval or erange in your case but code flow otherwise would stay as is while fixing all future callers for same issue:

diff --git a/drivers/gpu/drm/i915/display/intel_atomic_plane.c b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
index 10e1fc9d0698..a9948e8d3543 100644
--- a/drivers/gpu/drm/i915/display/intel_atomic_plane.c
+++ b/drivers/gpu/drm/i915/display/intel_atomic_plane.c
@@ -144,7 +144,7 @@ unsigned int intel_adjusted_rate(const struct drm_rect *src,
const struct drm_rect *dst,
unsigned int rate)
{
- unsigned int src_w, src_h, dst_w, dst_h;
+ unsigned int src_w, src_h, dst_w, dst_h, dst_wh;

src_w = drm_rect_width(src) >> 16;
src_h = drm_rect_height(src) >> 16;
@@ -155,8 +155,10 @@ unsigned int intel_adjusted_rate(const struct drm_rect *src,
dst_w = min(src_w, dst_w);
dst_h = min(src_h, dst_h);

- return DIV_ROUND_UP_ULL(mul_u32_u32(rate, src_w * src_h),
- dst_w * dst_h);
+ /* in case src contained only fractional part */
+ dst_wh = max(dst_w * dst_h, (unsigned) 1);
+
+ return DIV_ROUND_UP_ULL(mul_u32_u32(rate, src_w * src_h), dst_wh);
}

unsigned int intel_plane_pixel_rate(const struct intel_crtc_state *crtc_state,

What do you think? I'll in any case come up with some test for this in igt.

/Juha-Pekka

On 27.12.2022 7.53, Drew Davenport wrote:

The error message suggests that the height of the src rect must be at
least 1. Reject source with height of 0.

Signed-off-by: Drew Davenport <ddavenport@xxxxxxxxxxxx>

---
I was investigating some divide-by-zero crash reports on ChromeOS which
pointed to the intel_adjusted_rate function. Further prodding showed
that I could reproduce this in a simple test program if I made src_h
some value less than 1 but greater than 0.

This seemed to be a sensible place to check that the source height is at
least 1. I tried to repro this issue on an amd device I had on hand, and
the configuration was rejected.

Would it make sense to add a check that source dimensions are at least 1
somewhere in core, like in drm_atomic_plane_check? Or is that a valid
use case on some devices, and thus any such check should be done on a
per-driver basis?

Thanks.

drivers/gpu/drm/i915/display/skl_universal_plane.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/skl_universal_plane.c b/drivers/gpu/drm/i915/display/skl_universal_plane.c
index 4b79c2d2d6177..9b172a1e90deb 100644
--- a/drivers/gpu/drm/i915/display/skl_universal_plane.c
+++ b/drivers/gpu/drm/i915/display/skl_universal_plane.c
@@ -1627,7 +1627,7 @@ static int skl_check_main_surface(struct intel_plane_state *plane_state)
u32 offset;
int ret;
- if (w > max_width || w < min_width || h > max_height) {
+ if (w > max_width || w < min_width || h > max_height || h < 1) {
drm_dbg_kms(&dev_priv->drm,
"requested Y/RGB source size %dx%d outside limits (min: %dx1 max: %dx%d)\n",
w, h, min_width, max_width, max_height);

Next message: Daniel Lezcano: "Re: [PATCH v2 1/3] thermal/acpi: Add ACPI trip point routines"
Previous message: Ricardo Ribalda: "Re: [PATCH RESEND v2 1/2] media: uvcvideo: Limit power line control for Acer EasyCamera"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]