From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19003439005 for ; Tue, 28 Apr 2026 12:41:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380090; cv=none; b=qlwTTc6wr/j8h1AbhRKYm44XVs0iedBJvbsPQJ5S6Fz2iHERZaXJ5oDHDLIBlmI5W/j7YEMNdiReqiFhuaFGJPAoQa49jFn9eE/xv7fPgMNJcaMjgMI0j2mhXzM6pXm/aAYTTkl9a5RIBISamSlmJYD6mALqr8p7aznDrJcoCKQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380090; c=relaxed/simple; bh=rA2cAH4c08I4eYFoQkXikw8a3RxYr+50vjqp8bqfYW0=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bK2Zk53YPxBE3njKYUxIbJsQM52t6IgHkte9FJOxl+OsyBQLC36KitI10R/y14sU2JQ7WtoOK3t/qIqYmrRryrPAp+76tAfncYsEQ6B661MrzPH5KW5O+auHLexD2/qcC0GyRyo40vVLUuf4ZU6EArj/A/otgC7a6qwmmhgHwdY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Jy4BPZpa; arc=none smtp.client-ip=209.85.167.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Jy4BPZpa" Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-5a742b8b72eso2426728e87.1 for ; Tue, 28 Apr 2026 05:41:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380077; x=1777984877; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=44Ecn+W4C+vrdzWaq80Gi8dRi3bDDZ2ohPuSpOytRko=; b=Jy4BPZpa//NZzx27RSxIPu46OPCQJqrprq2K0TTLgizOFCl8hhtpk2ignYwiV7DE/Q ICH2vuW/Buf/5aOpkT5GZ3ZyiqG5gIff1G7uzi3UsNPjbVsxscB2Png73m035zFwXg9r jRNSLNbufqyK1Fs3BS33Wa2yrHIsvTeRj8sG8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380077; x=1777984877; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=44Ecn+W4C+vrdzWaq80Gi8dRi3bDDZ2ohPuSpOytRko=; b=AGaqjFArN5teM/jipNIi1/uoIj7aEIfDle4kle3BYumhSmtslbfw4EYQ0838qzOaq7 7S3zm2j+kkhte3u5MWXYI+Fwl13gkShXV+md0BZw2Z9o4qFaPmA4M8Lp7HHY9OUNUzXN rjjdG+H2eKnBnfKV+PUri6oeWMCaz/FD3jXAz+3pCL/wKeAjB3mzHR+ZxrP8qjrWaRW0 VUk4yN1QaWoZXp1Y6VrhjewbIo3apAUFTTAp+SbZy710Y/W2er2FXFzRmouFi3WxS+QT vn65HeuHmRMt4Fn8B3XvIcLTB+XNM0KHHvcbXHDxClGdwrtz8c1dp3NUOxuBGN/O5ATp xmQQ== X-Forwarded-Encrypted: i=1; AFNElJ8Y9hBwJ2Faos5t/JhEmosT3DISMf5dyatt/Xak7p9VCk5fh0W8pubusygXHDPzHDvABBy2LuHAqrZKTKo=@vger.kernel.org X-Gm-Message-State: AOJu0Yz9OwpI+LQGB3gRKun9gKn1x2J9mPh2CApY5z0Via/OrIdbRkl1 GAFtRE5rj7FN3koTHaj4yPq7Z5BoBihwt8+ZG8T0fxH+d4WNw4iqiYB+a3AxZHxnsQ== X-Gm-Gg: AeBDiesKUTZXxHUgfoWy3sWz9nEYm48gSos+EzeqgtsjdVJ4NNcAVShzU9Ez0mu5dlJ 5ypRhw5HHjPCMtQUlJtGmThgyUCyNo4Bi8qktS59kEqdrKrtXNp1JhLiMrUwZeW9XPAqatv4m6c DShFqFkCF0BbS7j7curIXK/LfjzrjSVncNjpGWeR28sVnmD4xXqXwcSg4SgyJpa6kSU7lWBkMgQ C/I4UIAtjWUFmSw269fz92bJURe/Q4B3q0wGSsCaMaEZx5cTK2wvf5UdbQC/2faF+SGjgjrbLoN QcNkMEn9JhDCjsrdupUq2awsA7dIEDYUEibMcJ0F5XVol3X2UOwZ2JPA9bua+B7GrG/YIZ9ZJ5w gJiuuquSWkCd4whNknHjRc0ETzuyDlZ8PBmrSHWjz03cF/2IyhO6mPRCvH2rksuzudI6pxUSgR2 bYw56L7w1qkQk0yK/Q6ECo6Zo7edjDYUWgfyc39FBRnXNMPgMmV7Podlj5Oq8W2w2Kl3RkvrjsH dBcI82PzvI3iRQOcw== X-Received: by 2002:a05:6512:6c5:b0:5a4:ce9:11e with SMTP id 2adb3069b0e04-5a74662c3e8mr1235184e87.32.1777380077397; Tue, 28 Apr 2026 05:41:17 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:16 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:07 +0000 Subject: [PATCH 1/6] media: v4l2-dev: Add range check for vdev->minor Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-1-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 If the fixed minor ranges are not properly set we could end up in a situation where the calculated minor is invalid. Add a check for this in the code. This check also fixes the following smatch warning: drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 Signed-off-by: Ricardo Ribalda --- drivers/media/v4l2-core/v4l2-dev.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v= 4l2-dev.c index 6ce623a1245a..a731ffdb91ee 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -1032,6 +1032,12 @@ int __video_register_device(struct video_device *vde= v, vdev->minor =3D i + minor_offset; vdev->num =3D nr; =20 + if (WARN_ON(vdev->minor >=3D VIDEO_NUM_DEVICES)) { + mutex_unlock(&videodev_lock); + pr_err("invalid minor. Check ranges.\n"); + return -EINVAL; + } + /* Should not happen since we thought this minor was free */ if (WARN_ON(video_devices[vdev->minor])) { mutex_unlock(&videodev_lock); --=20 2.54.0.545.g6539524ca2-goog From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A423E438FF0 for ; Tue, 28 Apr 2026 12:41:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380089; cv=none; b=APlDQ87FxOTmG2Qq5+o+Wq9jsC1D/WeCMxvRS0XHZkxjdNyBdYmCHsbeICcdJA/nefveo4JYX3B4YWZqY0tE4BftpdjprQZCrLhFKyIUq12QzG6IMPRByd9rYen9BNdXXh961XyMWjRVgsWXGmog4BaPcZAzJopqJnv2dPppCpY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380089; c=relaxed/simple; bh=uyYaC1lTz0w/nk+wumPROnOpURb8EgSxj6J839JiKk4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fBzBk9CiQF0BtRLK2Z6YVB16Bk7Ltuo7G9Kv4/0zPbnJd45r6LSl2OYdEVhiK7nAEvY1re4VLEepub6oydSEpJ3K2D4CGTq7NulJBVFCZ7jVnnfTHfr29+4uXgrSIkXpliS2ME+B9Nyt2li5Vmn5EwM1oS3qUjPzqI0pDgATX5o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=N3zw933t; arc=none smtp.client-ip=209.85.208.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="N3zw933t" Received: by mail-lj1-f181.google.com with SMTP id 38308e7fff4ca-38e68e4389cso119410511fa.3 for ; Tue, 28 Apr 2026 05:41:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380079; x=1777984879; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=t8cx0IS1VAS+UenVXpVCneZJCK5BcfnnFJsArKfUIY4=; b=N3zw933tA+5IMCDbWTUtij/vFcdEI0343ib0uWE4/CUybiWjFZ+1r82JRiKr/S5KDs t41mu64/rkgztmAYWt+aGdLAqlz69qQAw5u4hlpIEeA9WYZGC5wJriii5zfaKuQk8g3c dLGmH0gYax2PXMGjr3G7Ubdmjz+ASidAIvtq0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380079; x=1777984879; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=t8cx0IS1VAS+UenVXpVCneZJCK5BcfnnFJsArKfUIY4=; b=eejNygzwoJUvarrbOQjexKeF7svN2zXCNWP/qNfxzDjXwFiVn9UTetKwybEL1ID8fR J4nqpHZjYQTdGjW1FKSczjU5VnSC/HCOC+14OC17163ZN4dWMEZXwjfq0rUYHY+AAZYW PIe8dMIWtl4wJA7ZAWZQY7q8r92e3anY4fM0FF8cBc383eocnc0Hie0u0749yW6FrdCH F96YXvIYiZmC4bu6RDbfRLXGGzzflwAM8WjbZsmmC68WogNaxWdHrovGsEgjO1MV9FFH ifmlJ4RboLDBR1axDPm2J5PXKkfVdYEgbWe5fvMHk/k967aNmkJFj6o5G7r7+nWTCNOX 8qQQ== X-Forwarded-Encrypted: i=1; AFNElJ9ECoitRL3vIfS5K/iIHToilNMssT0jT84YlIUaQi9zb4i/e6EhKsO0gHd1b7EPkcKQcHAFJCNwmo4A4UA=@vger.kernel.org X-Gm-Message-State: AOJu0YxlMS3KkkDxXbBpi1DRdZEjWi+SBupyPq5AhuQ0LsZak0JH9Er1 lbM8l5jv+hrS9LnIyNemrIE4lD5CaOYH3pXtNbKF6avALnOOu9kVsm3QkuliPvBhog== X-Gm-Gg: AeBDiesekluvW6XNuO4t8qN8Xvu4mHGYZHAddbVekOzsMTyU415VSCo579BgQkplzDa UXI+T+SOG+VnajnEbJ4Klw8Tfxf0l2zEbPyfC+eXWvJy+BBxjml7PF2sCFPSeycUjgprrDQZTvT NnQmtM8vH3lEGwNwt6XDMy0NrlvzBAHzgSrNBoKac3AKgOr+uqnROVIa5omYBPteOoXdXAg1ehq GW7uXcmX7SLjHqruRZ4mMZmacTfgwH9xUST5gsnmQBuNNUl+eA0/+ToV4nofaoHburnq2JSUOLv ryN93R6mmAgs/OPXYF4Cd1zG1F8vraK19rY6iCfV7s9Kx7Wg/M4Pow+GTLdhCj76uP8+1wQigft KSItwPhQjpQdTgoZBeaMT+ZXSqNiM3QV38lP7xYFt47orUnz9wK/fmba+pqtUrLfpsDKeX67kan ZFi+jPqgyp6NUj3tpF9VdBXeD84dyigyidyAoJsfbCVWA/81NjeivQ53Ki1YjYQIw9VhrvMh45/ CrfaAtMAknNrkUBPg== X-Received: by 2002:a05:6512:2203:b0:5a3:cc81:efdb with SMTP id 2adb3069b0e04-5a7466234c2mr1158896e87.21.1777380079343; Tue, 28 Apr 2026 05:41:19 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:17 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:08 +0000 Subject: [PATCH 2/6] media: i2c: mt9p031: Rewrite a bitwise mask Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-2-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 The current code makes smatch a bit uncomfortable: drivers/media/i2c/mt9p031.c:799 mt9p031_s_ctrl() warn: assigning (-1952) to= unsigned variable 'data' Probably because smatch is not clever enough (yet). Do a simple rewrite to make sure that smatch understands what we are doing here. Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/mt9p031.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c index ea5d43d925ff..5c9dff030b4d 100644 --- a/drivers/media/i2c/mt9p031.c +++ b/drivers/media/i2c/mt9p031.c @@ -795,7 +795,7 @@ static int mt9p031_s_ctrl(struct v4l2_ctrl *ctrl) ctrl->val &=3D ~1; data =3D (1 << 6) | (ctrl->val >> 1); } else { - ctrl->val &=3D ~7; + ctrl->val -=3D ctrl->val % 8; data =3D ((ctrl->val - 64) << 5) | (1 << 6) | 32; } =20 --=20 2.54.0.545.g6539524ca2-goog From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C2F743C06F for ; Tue, 28 Apr 2026 12:41:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380089; cv=none; b=kTiRwIfFScVZFWyb8sRULCc/OqGf7/HD6FDgNanMTODvGhBae0nI84SesEdd1wXyDBCAA5nH6ZFRK8ICdK8Bvlf+CQbIXdZkaCZcVBpMQVkjoXSBoTfX0qiRavIHKBVPfq16KIAT1hWT2yvqV6UKpGMgpABtX8LTS0+12j/O6AI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380089; c=relaxed/simple; bh=pRgYAG7i71lCsBAZBdT5Yr8NlqJWs3vM/Vy7RE30WSc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=F2uRo7HJdoJ1IcdTdAtnSJ4tnerShm3dPv/kpyf6rP/rDRTiI3Zs/eWA/yl/KpkXWbDvsr3hiyBSXFnoQYLybk63r5pM9bE/f668POjqMqk+E3rz+5pkmz10yd8h7fiRp7dyzEJOuvokrywD3OXQ24JUqOMwiatX3WXDtVQgt4c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=McD+xzAg; arc=none smtp.client-ip=209.85.167.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="McD+xzAg" Received: by mail-lf1-f43.google.com with SMTP id 2adb3069b0e04-5a62f43b76aso5765329e87.3 for ; Tue, 28 Apr 2026 05:41:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380080; x=1777984880; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=YHggW5sbT0Gy3AFxkHr9GAwTW2JGfsyZeCtfl/8SYAw=; b=McD+xzAgBRtCB4ND99JtFPoLEfb1JEHrh5A9kxcphtxNJRwcwgKk9O8SKPpgaiUPc1 yT+a0c5R+vON2n2y91ZIyW5lKkBUKFE4qVdA6OM1EKq9JD9wzHxA2sSu8dH17XSFHeTh OVikRmOP+SG7aG9ezL1cDQLWTD4M7sOCWY29I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380080; x=1777984880; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=YHggW5sbT0Gy3AFxkHr9GAwTW2JGfsyZeCtfl/8SYAw=; b=o5VVVMqLtwbWq8qstP8U82OeOugN/2zVar3tUqbRHD9ztZ36VSDyT//Asja3hKCAQ/ fgUIC4AszJRfmsh13RXsk6DVVSmnd737n4kra+ZC2UF2OjqxAUbzg/mv6w3A6X6Qri57 JLaTPlBVJPj+z2ymRi1KZM+mQBFMw1brWeEJMaph3s1+JNnnBrHc2KMLXLvR40/kb4Eo k9W4fxImLWr46Cdr84TUhs1J45ADlK2jPl1f9espZbqFMPAIYoxJ+nNb+yKQZeMfBO/A xhM64Et3u8YNLfpOjpEbE9RyN3VAkuW1PyuU7W/Tea8vADXMIXHDfJquvIYOBRyrWl+c +J3g== X-Forwarded-Encrypted: i=1; AFNElJ+fqOrw6Mg3AiCslpiK/WNDKyQ/1czGAsZqCAqU4EfFHsyZOOGkMrmXgh695TbuTkP9I+IW8Uk2OcegduU=@vger.kernel.org X-Gm-Message-State: AOJu0Yyh/3YCWr5iqIwS1eD/5sNY+kjxKM8zDprRCBnDq7qiikx7FE3w ES86YVL93E+0/SiWkS4cA7j+CwwkhhFiVbB3llBTY9/ANEVeoU723Q22sR3AQPZPrxSD4Sg/uuD rRJwEtgWD X-Gm-Gg: AeBDiesKxOJB6RK0pmsxiF98Rsb3rpnYhKrpC9rpkKhjcNkIgSkR1rTU8OgsMQPxm0o UgQHNFqd+iDNM/KG+MAyB9DBYTO1PB6ztTQWOkHT+DKeYv4NXicaBZxWbqhl8hb+aNW8tnjbiR4 KvnXzLBhK64midRuMMtB2fa3WIfBvS/+dmYsh0HRkR8ur3g2wHijaIuIlLcmZiy8OOg+qPlKmIv X9AwR2MUGRDCmFy+1kRrJ38tJc0EvG3zP/f4qDAqb35WmZTHeAX2NK9E76+ycsNrMSsHDD2OQ3I Xdqc+EsgpNW1c/cQ9AcsEv9CQjDf7Kzn8I4JxZE5x/MteJdyr1t+SAhuhZ38n1aBFkNWI1k8H7T cJjYv1663Q6gBKED1Cwz+urkgXlojkO29bLWokrQCsfb7Q7/SPVlkLo4KYMk203JkNsEAm7KnxI oSUu1NZ9WunAg8NYMiBEUz1oOYjBWcEsg8vuUhvz9J8YzHRPbwl0ZIA6aK2rnTKesoI4GzivPPs QOCQEB9vLEBDstpcg== X-Received: by 2002:a05:6512:1594:b0:5a2:c0f1:17d2 with SMTP id 2adb3069b0e04-5a74640b7ffmr1010015e87.10.1777380080486; Tue, 28 Apr 2026 05:41:20 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:19 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:09 +0000 Subject: [PATCH 3/6] media: i2c: adv7604: Add range checks for chip info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-3-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's chip information is invalid we can end up accessing an invalid memory region. This fixes the following smatch errors: drivers/media/i2c/adv7604.c:3672 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D 4294967294 drivers/media/i2c/adv7604.c:3673 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D u32max Signed-off-by: Ricardo Ribalda Reviewed-by: Hans Verkuil --- drivers/media/i2c/adv7604.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 67116a4ef134..ae75982fb514 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3668,6 +3668,12 @@ static int adv76xx_probe(struct i2c_client *client) =20 state->source_pad =3D state->info->num_dv_ports + (state->info->has_afe ? 2 : 0); + if (WARN_ON(state->source_pad >=3D ADV76XX_PAD_MAX)) { + err =3D -EINVAL; + v4l2_err(sd, "invalid chip info\n"); + goto err_i2c; + } + for (i =3D 0; i < state->source_pad; ++i) state->pads[i].flags =3D MEDIA_PAD_FL_SINK; state->pads[state->source_pad].flags =3D MEDIA_PAD_FL_SOURCE; --=20 2.54.0.545.g6539524ca2-goog From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ADB0F42DFE0 for ; Tue, 28 Apr 2026 12:41:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380092; cv=none; b=LtYGbSLY5BeLEtoU7HzXcyVzY4ABQDbIQfZx9Hy3Ks25b9lyFgEv6Z3Zbf575ePWCnII8wu55W0J+8CY9qdMHfXgsNfbtWAhirgOnAeIhuGxgP0RHiCLSO0slyBnVz25qmqK1d1X+Bguu0oYgEVVasL+J3yOrTRzCNitKSwLErs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380092; c=relaxed/simple; bh=fM+EOez8tTjZWMaKaiEYlL+/TS0+1cDYerp5pGjy9hQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=cawcdMrNMoq2vqWQiPLvR5w02dKVYgJKi63VmfoLBacRn2mVNDjzvKN+wVrtIBPBrAgJ+vIhKnAQlKwjflkfcxW+UpdTc76Y/PUyYIHiNqZAfuPGgY4XB6LRp18hVFZLK+/drmxFJXaleqN3tq6mZqXdtilbuSLU3Hw7cUTIVSM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=EIZegf7q; arc=none smtp.client-ip=209.85.208.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="EIZegf7q" Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-38dd9f11a09so101437811fa.2 for ; Tue, 28 Apr 2026 05:41:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380084; x=1777984884; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=EIZegf7qUXVSCVNOIi2RFaJf15o3XoEJTtqPMhpgbVM9u3dhO/sepleGrANicgjib0 b2AyeCMBO0ve8tvdE7GvVAFe+RP+DKxVcBqJlw7BxbZJQs97oFr1tsV9rYxNRDIALVL4 k7n1LSgq2sglwpsdknQZdLLlv7tNP6shw+PH8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380084; x=1777984884; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=sZ2sdR0s8dGKrMdSJk2IdXFYJWH46cqmBaVx4fI1zI4cAfdc6kvVzXMrFAGznK5+iQ B9YNnYyXntHgUYuJnAXmGlyVXiOgj2c/243x+dxiQoFto5vvH0XVKNPdoeLUeJAtl7lK 0I6Fr/ZaZXHabD25ALrrJkjPadmYn7jh7ugjxN3blBHXHwnMdY9vhsh5Sy0YqbZL/HsF OU3jNqPL5GV88Tp7LFnlrwZGYSE/vBZDdvghDySnIgGV6nGDaVKHLL1Mz8nT8YBe0w1X W0xgExpxenuaQLS5TmFYm4ZEdA5ZApVRNDF9tFVUppAEB0OwbqA1SzALd4560gYQMHTT HdVQ== X-Forwarded-Encrypted: i=1; AFNElJ8W/hrok0a25ZeJKgyrQmYhwN+DRH3AQTgaF+AFFr0g6WCi7/tg4Xj+tvCOH7hg39KHzcFMsiNHM8/mHgQ=@vger.kernel.org X-Gm-Message-State: AOJu0Ywxh9tQCBTccvsFG9Qaw2La4XeQltOBn0SL04V659C86ZnqHG8z uYbiyuSoT+ANE8Z86YhtfYrJvQuXjQoo9O5veOUgPAOPd7QzUYdCOGKLx07AzzN5zg== X-Gm-Gg: AeBDieu4BU08Y4E9ytU2/UKw/AeIuFwPMwVrD+iZxS1PiokbihXXbOYroohJXBVXNs9 QqFcD0e6Uya0ec975n3GbPFIdEJJL0SeJYCmZaD5dJfdy/sv7tWKmH029GJcySXHBFJVIqDr8q4 /uovxIjkbFmMIHN276RLGD5J2StQ9UyBUOuT6rsep/FKTmWmBiLaiEy8S46gAoKCLDT9LasddDS VskXhyfmalh8B0H3YVexK/Ng+UPVs3TK4aIB46VrDi5WFxksDFbN+uM97HCIi1j4dky20t6BBW9 YUb6Z4KQW/sa5Vu7Lh85SuGltAK49npvDUI/UE4+rCj933qpRrVomoZDN2HuPuhcy7DulIIhpOP lhbaTyNqXD0Fsa2eDIvZ0Y5jGkDVbASXv+71NQ0FKbdhLorwlcmMorupBvy8R9SpbzHeb57rfHT C6r1iHt6eSo9/Lb4xzBKTvRBYsUkBKB7LIBG3JzBownn+cWepWEycSbGIRtwfpmd0IDQ0l+Ng4b e6ya6NtX9slL4g0CA== X-Received: by 2002:a05:6512:3d1e:b0:5a4:1672:59d6 with SMTP id 2adb3069b0e04-5a746416040mr1270829e87.15.1777380083740; Tue, 28 Apr 2026 05:41:23 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:22 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:10 +0000 Subject: [PATCH 4/6] media: chips-media: wave5: Add range checks for dec_output_info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-4-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's dec_output_info contains invalid data the driver can write in invalid memory. Add a range check for that. This fixes this smatch error: drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_g= et_output_info() error: buffer overflow 'inst->frame_buf' 64 <=3D 127 Signed-off-by: Ricardo Ribalda --- drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c b/driv= ers/media/platform/chips-media/wave5/wave5-vpuapi.c index d26ffc942219..f77abd5e122a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c @@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance = *inst, struct dec_output_i p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs; =20 if (info->index_frame_display >=3D 0 && - info->index_frame_display < (int)max_dec_index) - info->disp_frame =3D inst->frame_buf[val + info->index_frame_display]; + info->index_frame_display < (int)max_dec_index) { + u32 idx =3D val + info->index_frame_display; + + if (WARN_ON(idx >=3D MAX_REG_FRAME)) { + ret =3D -EINVAL; + goto err_out; + } + info->disp_frame =3D inst->frame_buf[idx]; + } =20 info->rd_ptr =3D p_dec_info->stream_rd_ptr; info->wr_ptr =3D p_dec_info->stream_wr_ptr; --=20 2.54.0.545.g6539524ca2-goog From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47D1542EED6 for ; Tue, 28 Apr 2026 12:41:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380096; cv=none; b=V2/3deEECFIX3t82PGrlFHEwRGY4khkKqPuj4cgynqdaRYL2fh97O2O9cpKJ+dlnVqd3TOeTbmAeEoCrjDj1NaV3ImcQ28hukrI605Le9LQVaMHgBsoyNZjgrwjeWOoMoXHENhwrX6TLoJx7iJ/SU4pDiSmd/p/Oss9b3BVtMcc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380096; c=relaxed/simple; bh=hCPBwrO7oEPx4oAfnxuwrKTDAkZAjcnkILOS9aX1IJM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=hgnrIhJY8Sxc/UIQeBs81+7yzIUjftfAgH29DhgBTuPoOKEGvRzkGo0A5AkP72yUl9lrapGua8VJ9MQR/NoAdRauaYN0sHNcahDfPBcGiAY3tL5nXvG//wlFCDxgsYphjJA9GE/VbIm3xgltZLxqeZ6w76aQo3CnP3TaG75qCOw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=b1ZcT20v; arc=none smtp.client-ip=209.85.208.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="b1ZcT20v" Received: by mail-lj1-f182.google.com with SMTP id 38308e7fff4ca-38dd9f0fdc6so127554491fa.0 for ; Tue, 28 Apr 2026 05:41:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380086; x=1777984886; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=zJpnDr7u/wKl3rrXJo90bPq9ktWJpQktU2t3Cy7i01Y=; b=b1ZcT20vy5OLr9QrXkY/DwH/VnLXp+8ZHulAnnQ9nP8l2ipUjFjgwpEE9l8vcGDDxK oSkKUL1IRvXdLGRSHxhfcwIjiT3hybI2y5dph7XxAyEKwrdmgJBkeQ9sHBUD4LthC+6/ isXJ3lzwP4rakZeZjg+KEJpfjD1crokb8Bkxg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380086; x=1777984886; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=zJpnDr7u/wKl3rrXJo90bPq9ktWJpQktU2t3Cy7i01Y=; b=J3Qwdl8lu+hD+fdVTieVirYRCq0O4g5Kq+hqHB75HUnXlYD6l0PeLM59moKyY5rmAB bTtkFdunsUvwWGvMLf4677qvS8Qmk3KIo+U7SI1RjpSAacz+WifgADwIVsaGN09YrLMi nJ0AdI2nZnBp8qTYf3NqnvS8KsafKRF0tWc0Iv8B5MAarEvXT3bNKlhI+1u1tJXZ+gDo WvY2gTF23yfubVzCCrCUAz+Jr/6ZI1zunaOUhQA2LKkY0Gb/go3/NOcL2/55s11IhZF4 Dn+JMCx3ZlFAiFD2zF3oLvJIK6+gtL8l37061hdTMKMcSQBomsAYfhGiba08vAfiichQ ndlw== X-Forwarded-Encrypted: i=1; AFNElJ/ZV3rEw8P0CRcz6OgcXjlr3xgk3f193HqgUpO++NGMH+cMzKowX2gcbBfuIZ4uBBjPvv0K/gnGMNjTDE0=@vger.kernel.org X-Gm-Message-State: AOJu0Yxno9xV/HQw2BpECD9kkmLI5rVlAd3SAcogb07fUjfShgbKlUD8 S6og3dxUjSyNiMTScTZbiO/jDPdxDm1rr1aTIHLG1K8psRt7AIFUb8MhiIAHuwdDZw== X-Gm-Gg: AeBDieun1VlQjcJUkOwxbg1VZ/R1Djwz1To2/Ba9bZbtn35cDn2cGhVN2+ufcUQf1pA COiiPor/WSsRcENgzcZV9kH7V0KHQyiBevP0WErJBOxzr/xSfbyKHchE4rGQkeOTd/7COfAxus0 1f/Jj6s8itwnKmoW4H7cf7jLRKc0mu9As36QgElh6EQizYnLcj+J1qlGCVLthoCC4LkJJA+Fz3U TEK+rZ8H68COvZ33xMOPSxNhQTbetbskCSZVXlnZZWcPcS6EHxw3rH7bVVOz7Bxn2kaxKhuLTZa kYW4BOv8Hb/EsxvgPdhFIlh5rEFYprKbTxuKJM7adbWt3L7jz1ea2ixuHLAf+UOogWlsm8wGOHM yHyWj4cwVV5G2IN93aqy1RgtqDp4uDZm7CBiC5kYu9JJtGduq/fl9kOYGo0oTIcQ+3R49O2oux7 ctohyBDvHefwf1duNUsMAb8Ira9MYhqSVm7SsRCe+6pATqWYMoZDqLgXF1Vk0FqhrESOU0LrsRN 4hsxbbxkE5/5JXO5yoSrUaN/e8p X-Received: by 2002:a05:6512:1323:b0:5a2:b86b:56c2 with SMTP id 2adb3069b0e04-5a7466896f5mr950419e87.21.1777380085786; Tue, 28 Apr 2026 05:41:25 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:24 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:11 +0000 Subject: [PATCH 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-5-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's stripe information is invalid it can result in an integer overflow. Add a range check with a WARN_ON to expose this kind of error. This patch fixes the following smatch error: drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe()= warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit= into 65535 'acc->stripe.bds_out_stripes[1]->offset' Signed-off-by: Ricardo Ribalda --- drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging= /media/ipu3/ipu3-css-params.c index 2c48d57a3180..6ed23c7a0c3f 100644 --- a/drivers/staging/media/ipu3/ipu3-css-params.c +++ b/drivers/staging/media/ipu3/ipu3-css-params.c @@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *c= ss, unsigned int pipe, acc->stripe.bds_out_stripes[0].width =3D ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f); } else { + u32 offset; + /* Image processing is divided into two stripes */ acc->stripe.bds_out_stripes[0].width =3D acc->stripe.bds_out_stripes[1].width =3D @@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *= css, unsigned int pipe, acc->stripe.bds_out_stripes[1].width +=3D f; } /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */ - acc->stripe.bds_out_stripes[1].offset =3D - acc->stripe.bds_out_stripes[0].width - 2 * f; + offset =3D acc->stripe.bds_out_stripes[0].width - 2 * f; + if (WARN_ON(offset > 65535)) + return -EINVAL; + acc->stripe.bds_out_stripes[1].offset =3D offset; } =20 acc->stripe.effective_stripes[0].height =3D --=20 2.54.0.545.g6539524ca2-goog From nobody Wed Jun 17 02:57:53 2026 Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 25C3543C06B for ; Tue, 28 Apr 2026 12:41:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380098; cv=none; b=Ng9XcfaefmvkAs5yjVebIxOW1NeqLJtDGYJgfWHsHaYkBivfaVr/Ixq0YTuqWKFOhEvEzvfIm7sTKbot/P/R6WpmmUKDvK9WJRncan2h3Six7UFG4DOlL935c588R02Z1fzklsJkGyPEOe9qXQQQloZCj2Y2e0qO5jWt6LdPCc4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777380098; c=relaxed/simple; bh=GwGpe5Wt4f65zgUFFPN3Xc69ChmANQfroRnFxnuMqXY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=gPC6iOslhJt4uukwIXIYgUYlSM6HBkgQh4UhWX3/uhIv4Dv2FFVBzine2eNU0WnmgiHKtpVm8oEZ9BiAHxcBk06ICd3vQa0DoYeHCgTvF2CAEnBjJzKV0Y0lXwkGj0ov/4DStGt+VxjtRZjRoFh4pLATzu64YUVMAPUoxkHIi+I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=laPv0bTZ; arc=none smtp.client-ip=209.85.167.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="laPv0bTZ" Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-5a2c7427ad9so11065374e87.1 for ; Tue, 28 Apr 2026 05:41:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777380088; x=1777984888; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=7jNyWZOzTH0keZ+Or/bxi1/4rkv0VzTqmw2qXTfXKYk=; b=laPv0bTZsWTSUHsKrdkt8BEtSKsLDd6r/8OU07m8YbR5fD9r97wyRcvG+U3v1fLzgY SGqe/xwPIVlMC1e697jZDDeRJn0KMICvVp8vWcsDHPZrPDdDlC4X/ybSyKjyNy6+j4KR ew1stgf+KvUbsQAN2dG2ObtyH1QLqybTeHv3g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777380088; x=1777984888; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=7jNyWZOzTH0keZ+Or/bxi1/4rkv0VzTqmw2qXTfXKYk=; b=DTdj07qge57nX9e931ieEWCv9rDNmXA0KNHERSak5ostawMFIiX73SGZZ4l/qFX5nZ M9Mc1slm3gdUfkerd7BILmLH+pEwOjaE57lIVPmHmFZ9TRtoQpA0gUcMwCvHo5MBk6sW lmgzDdT23UrRhsVHrK5/aDyOiiWy7UmBQXA9VvzNgnaS8TFgOsb7AYwQ7NAstXr/R6J9 X5Hpqb3EoqX/0RxpXMNAq3wklt98vHuDUUvlJ+/0SP32DDxiKieE7kz8azjqGRok23a4 yK+SRzHma73+PT+o6XOS7Nos9QfDt0YRdvVsL1VOqru1YOWvzaWsi6wnNAxGGBsdFHaY DSJg== X-Forwarded-Encrypted: i=1; AFNElJ+PdZDnAnVKdY7S886vLJ+ZEqxb9MrepgyBVEei0cxZEjpXPdAX6X2gB/jDZfEx28kImTnXBZAF+xSO2IE=@vger.kernel.org X-Gm-Message-State: AOJu0Yy5BY9wTCXoPxQpR1R3mc7egqldOkoaaoO8XVGgEpUaI3K2Ft5i EjfNXPDkhbtND9DKXEL3GE/6T+O+DVD/RJPfs3ipyic/vak9TIjhbyzE3CXkfQynBQ== X-Gm-Gg: AeBDiesVlTg3j4kBq/BCeyRvBso/Bam97hFcqmKYWk18wkLfyyTlMKxmKXv9FPF5Mcr qrKbyHhw8UHBvF7nS5XW5olKIQlUkDUVTJlIsHMcIIIujt1+6Ntqnw6ur1brUX1KjBS/8EXlDST CV3Cv4H+WNEirSHDSyBiu87vSp8hIADkrRwthD8iGW6Bzx8jnhPeWHqNAYdDs8kt/Qc5duaMW3V OSBujm1++FQ8wJtIz2/lmNMtO54BSzqj78nUwy/q32As3iui4wgPCS8A5HOUt682Sf2fQsTvw7/ LkvgnIT1PSWIfJsz6MCILWC/r+16WvPFmOpwOZPfazsa41Q3xsI4pYcRXycY5zNeF4nws3OcQO5 sc3euqh6KWA/T6cJVVGvbie/gZm4aAlNfsH6STjEnbuDw4VFhSwa1kfmzfrTiIXgUouVDGaTl5P pylO5XxOBP3rXKYEH0U63xFmTtlTF7ARQkSqotMIO0CCRcEGnYVkSItfsjHgTtUFxLsJ1UjyzmX WaQs7ZPH0+ufZa+QA== X-Received: by 2002:a05:6512:3502:b0:5a2:86a3:709f with SMTP id 2adb3069b0e04-5a74660cd3amr1254340e87.17.1777380087720; Tue, 28 Apr 2026 05:41:27 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a7463f5fb5sm594617e87.38.2026.04.28.05.41.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Apr 2026 05:41:26 -0700 (PDT) From: Ricardo Ribalda Date: Tue, 28 Apr 2026 12:41:12 +0000 Subject: [PATCH 6/6] media: amlogic-c3: Add validations for ae and awb config Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-smatch-7-1-v1-6-46890dffb611@chromium.org> References: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> In-Reply-To: <20260428-smatch-7-1-v1-0-46890dffb611@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Ricardo Ribalda X-Mailer: b4 0.14.3 Avoid invalid memory access if the zones_num is bigger than zone_weight. This patch fixes the following smatch errors: drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max Signed-off-by: Ricardo Ribalda --- drivers/media/platform/amlogic/c3/isp/c3-isp-params.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c b/driver= s/media/platform/amlogic/c3/isp/c3-isp-params.c index 6f9ca7a7dd88..42d780f684d1 100644 --- a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c +++ b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c @@ -104,6 +104,8 @@ static void c3_isp_params_awb_wt(struct c3_isp_device *= isp, c3_isp_write(isp, ISP_AWB_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (WARN_ON(zones_num > C3_ISP_AWB_MAX_ZONES)) + zones_num =3D C3_ISP_AWB_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { @@ -220,6 +222,8 @@ static void c3_isp_params_ae_wt(struct c3_isp_device *i= sp, c3_isp_write(isp, ISP_AE_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (WARN_ON(zones_num > C3_ISP_AE_MAX_ZONES)) + zones_num =3D C3_ISP_AE_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { --=20 2.54.0.545.g6539524ca2-goog