[PATCH] media: tegra-video: vi: validate format index before bitmap_set

Hungyu Lin posted 1 patch 2 months, 1 week ago
drivers/staging/media/tegra-video/vi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Posted by Hungyu Lin 2 months, 1 week ago
tegra_get_format_idx_by_code() returns -1 when no matching format
is found. vi_tpg_fmts_bitmap_init() used the returned index directly
in bitmap_set(), which may lead to an out-of-bounds access when the
format is not present.

This can occur when TPG is enabled on SoCs whose video_formats[]
table does not include the requested media bus formats.

Validate the index before calling bitmap_set().

Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
---
 drivers/staging/media/tegra-video/vi.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index 9c0b38585d63..dd8911640d98 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -1020,12 +1020,14 @@ static void vi_tpg_fmts_bitmap_init(struct tegra_vi_channel *chan)
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_SRGGB10_1X10, 0);
-	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
+	if (index >= 0)
+		bitmap_set(chan->tpg_fmts_bitmap, index, 1);
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_RGB888_1X32_PADHI,
 					     0);
-	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
+	if (index >= 0)
+		bitmap_set(chan->tpg_fmts_bitmap, index, 1);
 }
 
 static int vi_fmts_bitmap_init(struct tegra_vi_channel *chan)
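Review bot: Both new `if (index >= 0)` guards in vi_tpg_fmts_bitmap_init() skip the bitmap_set() call silently. Because the function returns void, a video_formats[] table that lacks MEDIA_BUS_FMT_SRGGB10_1X10 or MEDIA_BUS_FMT_RGB888_1X32_PADHI would leave chan->tpg_fmts_bitmap short of an entry with nothing reported to the caller or the log. If the lookup can really fail, make the failure visible, for example `if (WARN_ON(index < 0)) return;`, or change the function to return an error that the caller propagates. The commit message should also name the SoC and format table where the lookup returns -1, so the reachability of the out-of-bounds access can be checked.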
-- 
2.34.1
Re: [PATCH] media: tegra-video: vi: validate format index before bitmap_set
Posted by Dan Carpenter 2 months, 1 week ago
On Sun, Apr 12, 2026 at 03:48:43PM +0000, Hungyu Lin wrote:
> tegra_get_format_idx_by_code() returns -1 when no matching format
> is found. vi_tpg_fmts_bitmap_init() used the returned index directly
> in bitmap_set(), which may lead to an out-of-bounds access when the
> format is not present.
> 
> This can occur when TPG is enabled on SoCs whose video_formats[]
> table does not include the requested media bus formats.
> 
> Validate the index before calling bitmap_set().
> 
> Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
> ---

This isn't a bug which can occur in real life since the index is
always found...  If there were really a bug, like say someone were
writing a new driver and messed up, then this would just paper over
the issue and make the bug harder to find, so in a way it makes the
code worse.

regards,
dan carpenter