From: Mohamad El Harake <mohamedharake2006@gmail.com>
gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
key/value pairs using obj->package.count - 1 as the loop bound.
If package.count is 0, the subtraction underflows and may lead
to out-of-bounds access.
Use i + 1 < obj->package.count instead.
Signed-off-by: Mohamad El Harake <mohamedharake2006@gmail.com>
---
drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
index ba61cc28fac1..cca91c6d71a5 100644
--- a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
@@ -113,7 +113,7 @@ static char *gmin_cfg_get_dsm(struct acpi_device *adev, const char *key)
if (!obj)
return NULL;
- for (i = 0; i < obj->package.count - 1; i += 2) {
+ for (i = 0; i + 1 < obj->package.count; i += 2) {
key_el = &obj->package.elements[i + 0];
val_el = &obj->package.elements[i + 1];
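Review bot: the description should say that the new bound on the `for` line changes behaviour only for an empty package. For any count of 1 or more, `i < obj->package.count - 1` and `i + 1 < obj->package.count` admit the same values of i, so an odd count still leaves the trailing unpaired element unread and `elements[i + 1]` stays in range. Consider adding a Fixes: tag for the commit that introduced the loop, and a line on how the empty-package case was found, since the text currently says only that it "may lead to out-of-bounds access".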
--
2.43.0
Hi,
On 9-Apr-26 11:41 PM, Mohamed El Harake wrote:
> From: Mohamad El Harake <mohamedharake2006@gmail.com>
>
> gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
> key/value pairs using obj->package.count - 1 as the loop bound.
>
> If package.count is 0, the subtraction underflows and may lead
> to out-of-bounds access.
>
> Use i + 1 < obj->package.count instead.
>
> Signed-off-by: Mohamad El Harake <mohamedharake2006@gmail.com>
Thanks, patch looks good to me:
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Regards,
Hans
> ---
> drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> index ba61cc28fac1..cca91c6d71a5 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> +++ b/drivers/staging/media/atomisp/pci/atomisp_csi2_bridge.c
> @@ -113,7 +113,7 @@ static char *gmin_cfg_get_dsm(struct acpi_device *adev, const char *key)
> if (!obj)
> return NULL;
>
> - for (i = 0; i < obj->package.count - 1; i += 2) {
> + for (i = 0; i + 1 < obj->package.count; i += 2) {
> key_el = &obj->package.elements[i + 0];
> val_el = &obj->package.elements[i + 1];
>
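Review bot: the only guard visible before the loop is `if (!obj)`, yet the loop header and body read `obj->package.count` and `obj->package.elements` directly. If the code above this hunk does not already guarantee that the returned object is a package, add a type check next to the NULL check so that another object type is rejected before the count is trusted; if it does, a short comment there would make the loop's assumption explicit.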
On Fri, Apr 10, 2026 at 12:41:58AM +0300, Mohamed El Harake wrote:
> From: Mohamad El Harake <mohamedharake2006@gmail.com>
>
> gmin_cfg_get_dsm() iterates over ACPI _DSM package elements as
> key/value pairs using obj->package.count - 1 as the loop bound.
>
> If package.count is 0, the subtraction underflows and may lead
> to out-of-bounds access.
>
> Use i + 1 < obj->package.count instead.
how was this bug tested? and is there any way to reproduce this?
--
regards,
jose a. p-a
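The loop-bound arithmetic from the patch description, as an added userspace model (not code from the thread or from the driver). It assumes the package count is a 32-bit unsigned field; `pkg_model`, `walk_result`, `walk_old`, `walk_new` and `WALK_CAP` are names made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WALK_CAP 8u /* model-only cap on iterations; the driver loop has none */

/* Constructed stand-in for the package object; count is assumed to be u32. */
struct pkg_model { uint32_t count; };

struct walk_result {
	unsigned int pairs;     /* loop bodies executed, capped at WALK_CAP */
	unsigned int oob_pairs; /* bodies whose elements[i + 1] is past count */
};

/* Pre-patch bound: i < count - 1. With count == 0 the bound wraps to UINT32_MAX. */
static struct walk_result walk_old(const struct pkg_model *p)
{
	struct walk_result r = { 0, 0 };
	uint32_t i;
	for (i = 0; i < p->count - 1 && r.pairs < WALK_CAP; i += 2) {
		r.pairs++;
		if (i + 1 >= p->count)
			r.oob_pairs++;
	}
	return r;
}

/* Post-patch bound: i + 1 < count, which needs no subtraction. */
static struct walk_result walk_new(const struct pkg_model *p)
{
	struct walk_result r = { 0, 0 };
	uint32_t i;
	for (i = 0; i + 1 < p->count && r.pairs < WALK_CAP; i += 2) {
		r.pairs++;
		if (i + 1 >= p->count)
			r.oob_pairs++;
	}
	return r;
}

int main(void)
{
	for (uint32_t n = 0; n <= 5; n++) {
		struct pkg_model p = { n };
		struct walk_result o = walk_old(&p), w = walk_new(&p);
		printf("count=%u old: pairs=%u oob=%u | new: pairs=%u oob=%u\n",
		       (unsigned)n, o.pairs, o.oob_pairs, w.pairs, w.oob_pairs);
	}
	return 0;
}
```

Only the count of 0 row differs between the two bounds; every non-empty count yields the same number of pairs with both.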