Hello Hyun Kwon,
The patch d76271d22694: "drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem" from Jul 7, 2018, leads to the following static checker warning:
drivers/gpu/drm/xlnx/zynqmp_dp.c:594 zynqmp_dp_mode_configure() error: iterator underflow 'bws' (-1)-2
drivers/gpu/drm/xlnx/zynqmp_dp.c 566 static int zynqmp_dp_mode_configure(struct zynqmp_dp *dp, int pclock, 567 u8 current_bw) 568 { 569 int max_rate = dp->link_config.max_rate; 570 u8 bws[3] = { DP_LINK_BW_1_62, DP_LINK_BW_2_7, DP_LINK_BW_5_4 }; 571 u8 max_lanes = dp->link_config.max_lanes; 572 u8 max_link_rate_code = drm_dp_link_rate_to_bw_code(max_rate); 573 u8 bpp = dp->config.bpp; 574 u8 lane_cnt; 575 s8 i; 576 577 if (current_bw == DP_LINK_BW_1_62) { 578 dev_err(dp->dev, "can't downshift. already lowest link rate\n"); 579 return -EINVAL; 580 } 581 582 for (i = ARRAY_SIZE(bws) - 1; i >= 0; i--) { ^^^^^^ This exits with i == -1.
583 if (current_bw && bws[i] >= current_bw) 584 continue; 585 586 if (bws[i] <= max_link_rate_code) 587 break; 588 } 589 590 for (lane_cnt = 1; lane_cnt <= max_lanes; lane_cnt <<= 1) { 591 int bw; 592 u32 rate; 593 594 bw = drm_dp_bw_code_to_link_rate(bws[i]); ^^^^^^ Potential negative array offset.
595 rate = zynqmp_dp_max_rate(bw, lane_cnt, bpp); 596 if (pclock <= rate) { 597 dp->mode.bw_code = bws[i]; 598 dp->mode.lane_cnt = lane_cnt; 599 dp->mode.pclock = pclock; 600 return dp->mode.bw_code; 601 } 602 } 603 604 dev_err(dp->dev, "failed to configure link values\n"); 605 606 return -EINVAL; 607 }
regards, dan carpenter
Hi Dan,
Thanks for sharing.
On Mon, Jul 27, 2020 at 04:18:25AM -0700, dan.carpenter@oracle.com wrote:
Hello Hyun Kwon,
The patch d76271d22694: "drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem" from Jul 7, 2018, leads to the following static checker warning:
drivers/gpu/drm/xlnx/zynqmp_dp.c:594 zynqmp_dp_mode_configure() error: iterator underflow 'bws' (-1)-2
drivers/gpu/drm/xlnx/zynqmp_dp.c 566 static int zynqmp_dp_mode_configure(struct zynqmp_dp *dp, int pclock, 567 u8 current_bw) 568 { 569 int max_rate = dp->link_config.max_rate; 570 u8 bws[3] = { DP_LINK_BW_1_62, DP_LINK_BW_2_7, DP_LINK_BW_5_4 }; 571 u8 max_lanes = dp->link_config.max_lanes; 572 u8 max_link_rate_code = drm_dp_link_rate_to_bw_code(max_rate); 573 u8 bpp = dp->config.bpp; 574 u8 lane_cnt; 575 s8 i; 576 577 if (current_bw == DP_LINK_BW_1_62) { 578 dev_err(dp->dev, "can't downshift. already lowest link rate\n"); 579 return -EINVAL; 580 }
There are checks like this that ensure the 'i' to be not negative, but I agree it should be made clearer. I've sumitted a fix for it [1].
[1] https://lists.freedesktop.org/archives/dri-devel/2020-July/274190.html
Thanks, -hyun
581 582 for (i = ARRAY_SIZE(bws) - 1; i >= 0; i--) { ^^^^^^ This exits with i == -1.
583 if (current_bw && bws[i] >= current_bw) 584 continue; 585 586 if (bws[i] <= max_link_rate_code) 587 break; 588 } 589 590 for (lane_cnt = 1; lane_cnt <= max_lanes; lane_cnt <<= 1) { 591 int bw; 592 u32 rate; 593 594 bw = drm_dp_bw_code_to_link_rate(bws[i]); ^^^^^^ Potential negative array offset.
595 rate = zynqmp_dp_max_rate(bw, lane_cnt, bpp); 596 if (pclock <= rate) { 597 dp->mode.bw_code = bws[i]; 598 dp->mode.lane_cnt = lane_cnt; 599 dp->mode.pclock = pclock; 600 return dp->mode.bw_code; 601 } 602 } 603 604 dev_err(dp->dev, "failed to configure link values\n"); 605 606 return -EINVAL; 607 }
regards, dan carpenter
dri-devel@lists.freedesktop.org
-
dan.carpenterļ¼ oracle.com -
Hyun Kwon