From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2BED636AB72 for ; Fri, 1 May 2026 11:32:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635178; cv=none; b=Q1FwzCw752YqsxLt54GIZMOTsHqJUMU8kMagrncLza8/DZBiLA1HLiCx65iTf/Sfq7qNkrYkRIvJY2R3EjeR8D0lh5DJkriPTXJ8fgXcv7kpnaZK0Ed8ZpGnzXye+c2sL7vqFEqBoGuQZNRn9UpzU0lAu0mygHjP0I5LtWA7bVA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635178; c=relaxed/simple; bh=ne42xYajKx8Kiea21amC61A8URblNNdzVSYQ5+DXQtM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=RlcoKh5DNRmPlckk9cmE5V0AQR+wAks8bzfbFtztXYC12K+MhbAzHJr1fT6Dn3E+hQjZT15JhVLCtKlWVRbx9IjzkZbnl6mLMp+6pLA8N+hpDPbrgVbHIXfZI4q/Ta8LRVosyseIfk57tkGFAcUzNOJiUTesIdvpFv7wJfp4Iy8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=VYe5xrNt; arc=none smtp.client-ip=209.85.167.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="VYe5xrNt" Received: by mail-lf1-f48.google.com with SMTP id 2adb3069b0e04-5a3d42263e4so2628828e87.2 for ; Fri, 01 May 2026 04:32:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635175; x=1778239975; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=VgEZKNrl10DgxlH1xZQyC/yRD4psOac+PKsvu6TEYIs=; b=VYe5xrNt0XI9e//7P7x38cTiRrLOff/WLkVjcDQ0fxejZYn+SmFypCQl7Ef6PDEXEf nkO6+dQlvPnsXQ+5KFi6vIA6rA4Gf9CObBSx3hN9Rk3U4NrIZ39LEHbZCSGLX7KnmDG4 SU2gsHnTXOWJiFJ7y/cQbHAvzTED07Ynnor68= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635175; x=1778239975; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=VgEZKNrl10DgxlH1xZQyC/yRD4psOac+PKsvu6TEYIs=; b=YlXHrOcqP0g5MAjDYgs+CKKVlMlWyayXHf2uLsYPJdH77j83d328SZk25dyTQqn84g 1FOPAysoOL1zqe7NTXOq91rrIY7vBWAJ1zQ9Dpm447tA7nUFkicF2ZmMt47vXNHE3YOU vnu6cmfaX1COKHvX9XqpNWpbyw+7ocK/ejQzIzFfuWoorZp1UTRe5slyPNJ3f2X3Cx4j XuNvOjq/jmzU56tUZO/ZV48IssAfmLuQ0YZB+tETZUqsWWfjI9nFwn26m4hReBc9DTcJ aofgfwlWrbKxOzg5uCeLKrrktCsEvC9B1/kr2+eaUbZD2i7Yr5J6fQmT5zHyVqKiJicP s5JA== X-Forwarded-Encrypted: i=1; AFNElJ+ptmL+GyK3gb7TQIoCzgsV0lWXj3j5oISySFdjnJfLns2U47cN6u074ezToLXZefIKU/GAZZ/aLRqosZs=@vger.kernel.org X-Gm-Message-State: AOJu0YzyDrGcnOFTzSJYAPbZm5rqlolIMMbuZyMVi9+OfeBOuRA6BxX/ f43Ch11HmLmlL+hk3Hb4laZ2CXVVKFC87ZOkdJpUtqTenn4h/0ldhtxNOi/WgEUp+g== X-Gm-Gg: AeBDieuG3B/lwzw+Va1MDKctjotKRoPmKngWNxxteecPfezWXu3HSexV6u0MdPVYnYh yaUMmfYoyDekGvei4gCnlQdcfGiIuqCYYZWVlPKCLmuGyagMm7CAvnyP9AJhjIKxqfyite0i2W5 6lGWdaP7YhJ4hbls+Nd2aTqs9FOdCKa2v8NqNSXP8IT+JDGjo+pzpZjdiycqADLlycxF1gCR40/ ukWOcAh99K9sIa0/bFTNH4Fgp9bchWpC2YYIr9SucqRwZjyMCtoSilv5g39gTOLZFR4HZr2JfEM FVvnanUBbqY+FwzTwBR7yeR/VfAcPbBI0ZA4H9BM01sIMRbaxFtjwaRBoIDetPbqdnZj8i1SB9i p3YYbReI0FAyfqOr8BBoV2A6hHlKoSZTWjlYWmkzNDgwoXm7aazaMQJbS8L/+A5KmJO+PmttR/R qJMLSjrWGBIOqGjp5HL2/8xxr+rUKpffINj0YvGblwl3bwa6lcLJkSYrdkfZiCffHi3ucRBfyXd u9QSchb0QH/RpuMGFur8XNs8w78 X-Received: by 2002:a05:6512:138e:b0:5a4:12db:d0f2 with SMTP id 2adb3069b0e04-5a8522d5ac0mr2843571e87.24.1777635175346; Fri, 01 May 2026 04:32:55 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.32.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:32:53 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:46 +0000 Subject: [PATCH v2 1/6] media: v4l2-dev: Add range check for vdev->minor Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-1-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 If the fixed minor ranges are not properly set we could end up in a situation where the calculated minor is invalid. Add a check for this in the code to make it more robust. This check also fixes the following false positive smatch warning: drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 Signed-off-by: Ricardo Ribalda Reviewed-by: Sakari Ailus --- drivers/media/v4l2-core/v4l2-dev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v= 4l2-dev.c index 6ce623a1245a..5516b2bbb08f 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -1032,6 +1032,11 @@ int __video_register_device(struct video_device *vde= v, vdev->minor =3D i + minor_offset; vdev->num =3D nr; =20 + if (WARN_ON(vdev->minor >=3D VIDEO_NUM_DEVICES)) { + mutex_unlock(&videodev_lock); + return -EINVAL; + } + /* Should not happen since we thought this minor was free */ if (WARN_ON(video_devices[vdev->minor])) { mutex_unlock(&videodev_lock); --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lj1-f182.google.com (mail-lj1-f182.google.com [209.85.208.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 847C4376490 for ; Fri, 1 May 2026 11:32:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; cv=none; b=mhBxtUDNiEiJ6dG7PyJQzGp2PU3xy9z2TYnQKecxyx+4rp/o5z0I4XH9IMc7wYLHsQzoamGjzUEbg1u97+vCEJN5zT16cA5o//uBNWUEDu8NXRF22sHEUnnBuKeWKMfuT2Yf2cDpp7xVfsKsn9RvbeVx97SYU98+AAIDNX4O3HQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; c=relaxed/simple; bh=uyYaC1lTz0w/nk+wumPROnOpURb8EgSxj6J839JiKk4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=hg4xPfI3ql5yG1X5eugK3O2YthiEUmP6nTgua9NsuN1JRlgsMnuXc7ngbsOYgjgjBydtJkv8j1iIWDh4QLFfQTI36L+fnQ8EJfsyykdXHZY6dhiMdyxtpQElrOHhKrci3IhOUDsJFoAWPxh4zKH4h6LxJ9dldKBErSxFks4qmSY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=PCDmSwbC; arc=none smtp.client-ip=209.85.208.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="PCDmSwbC" Received: by mail-lj1-f182.google.com with SMTP id 38308e7fff4ca-38dd9f0fdc6so33224481fa.0 for ; Fri, 01 May 2026 04:32:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635178; x=1778239978; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=t8cx0IS1VAS+UenVXpVCneZJCK5BcfnnFJsArKfUIY4=; b=PCDmSwbCWhAGyVSPuTpr2Ub9I5xgn6RbyRfO02vW3yTYQ7/7J6lzF/6AkOl0lreXu2 C7YJXoveVTKGvmd/gxTlLvoZRCsv4E/ERrLZ7CAqkUXuL68XDURvZQ9HvuzZgTYocGJB dNl1TZ5C/+gxGEroATa7aNoUkddfblq5ooMYk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635178; x=1778239978; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=t8cx0IS1VAS+UenVXpVCneZJCK5BcfnnFJsArKfUIY4=; b=NlFFgDpuJN906p+G5Vi31BYEDbimeNEacdJ0Bvgi2zVm+xSziL/OzHrv7zXeegWkFF 2CDdOpis3f3CTWc73o2+mVXOGnza+6lqZP1dOVt4lelhTsoIqxCPeq1IixwmRTvqmEES 3JmNrhfeiQc1BhkoHVTk8cgV9OY8pLmf51GLH/JQeT2gjvTXeX2cexenivkv15ZZTOzQ b6nMPnslqMpj/2mZMAdSIud3MUyEKBhrAxMRqeUrfmjMeoSG18/oY56EF+EG6Zxb2YR+ FsAILsWwUTvkVSPUogpCo2YVjGM2ZQVTCmCHnAO5Ul1bkrgTy/Yh2ZQJ0O1cr4dkFb8Y yQSw== X-Forwarded-Encrypted: i=1; AFNElJ9DrMwVTgmgnqZD157LBZYZv6hPMcjGp14p53IlRKYeeDSxWvL6PW776zjwuPg3lI5KVN5HrRS8OTbHwlE=@vger.kernel.org X-Gm-Message-State: AOJu0YwvxPpP6bztwMsDvTNRhizdUJHI60K9ZwAWX0FwaOv4RoTqBH6y n93hNPhe3eUKGhF6Wtv2cL7QIBrRO1pXPvLITZy95OGfGVZ5pXON8521/+yporuRyw== X-Gm-Gg: AeBDiesu0BA0dGvOyFz/NkM42Hp0nawrDBEMbyPqB4Fr96ikwGLKwKWtjf6wSxGgO/W sZM0wbDY0rXxjazVWPOvFpoRwEJ4v2hEqi4cQxBDGq4RgcZ/7vKEWI6JPiTEY3ef+mBMFQCIs4u vKgZxpZOx13i3/xae30N9ZQrSHecU+PQ8R3N9NwIG9i0Qw2d07vOCtWq3StY4jBcp58ahclM3x4 WjcWI3XfQB9Yg7450x+GjMk+nwRt1BuNrPOi+q6AGBHwonEU0fRjxEre02d3RmVd0DU4hZYCtHJ 5yM8tyDI8YGWtN36QkcMGuhecA2vThHHRNvzVAIaHnGhOScZ5zfxDJ1lQwYNYTCJzRNkiGBm1lI IzmDxjy/7kdoR3EYvT9OgZKKosHDNQEn/MaLvKaRiauAfyPAnTfwdRiqcphiYaUCoOrXYBibdGZ mLagvzQX5sbmvpf6OjEkKg0IYnMruIWLS6ZjZNaxywaPvhO9/FR+r9JRyieyTMSb1lPVLBBy/+D mcGWN08RJJbQqP1RQ== X-Received: by 2002:a05:6512:3b0e:b0:5a2:c0b8:270 with SMTP id 2adb3069b0e04-5a85274573fmr2057007e87.22.1777635177764; Fri, 01 May 2026 04:32:57 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.32.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:32:55 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:47 +0000 Subject: [PATCH v2 2/6] media: i2c: mt9p031: Rewrite a bitwise mask Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-2-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 The current code makes smatch a bit uncomfortable: drivers/media/i2c/mt9p031.c:799 mt9p031_s_ctrl() warn: assigning (-1952) to= unsigned variable 'data' Probably because smatch is not clever enough (yet). Do a simple rewrite to make sure that smatch understands what we are doing here. Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/mt9p031.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c index ea5d43d925ff..5c9dff030b4d 100644 --- a/drivers/media/i2c/mt9p031.c +++ b/drivers/media/i2c/mt9p031.c @@ -795,7 +795,7 @@ static int mt9p031_s_ctrl(struct v4l2_ctrl *ctrl) ctrl->val &=3D ~1; data =3D (1 << 6) | (ctrl->val >> 1); } else { - ctrl->val &=3D ~7; + ctrl->val -=3D ctrl->val % 8; data =3D ((ctrl->val - 64) << 5) | (1 << 6) | 32; } =20 --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D2CFC33A71A for ; Fri, 1 May 2026 11:33:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; cv=none; b=jozwTMQvu6+BKeRLdFeeFt8Y8Ce/DDl4fZOPyw87WZGri/cbVENOvFeFFg2oGhJIyWc5wf5serDkIZ8pwE1rnplAsGV86/pvNosKso5//tZ5W6nKaEaKJv7GzX2VROLuEzn50MSqKO/KeQ053bcY8GT3FM1J/xeRuKrj1CpIThs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; c=relaxed/simple; bh=1ZSaYK9KkfV5+GCoFqf+X0v1Q+Y+dHjA70Bg+RMm57U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=EMqlz4EMMyWMCnd6fQ6K66b423IZ6MPw6fisfvDuKtSC7zo4Y75HItrUeYXSqQj96ewvS+YayG9IjYRhESAKEy+c4OyxdQO66MHT1Eh3I99aSmTldQDwfvz+VaY4q4WIpeG8LYg/Bo1D2DbBmNruO8oOzmimmK3Qbtt3925w3EU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=iWSW1Sak; arc=none smtp.client-ip=209.85.167.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="iWSW1Sak" Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-59dea72099eso1998640e87.0 for ; Fri, 01 May 2026 04:33:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635179; x=1778239979; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=BnXlL3KzWzfPtDefDXKY2+uDbjeKnEfIYOtp4pEQbxI=; b=iWSW1SakPtcqlRtJ9/IUNdFCE+zw/6MBiH5kaYoEmPJJwt5ug8p5LFr2i85gkTSUtc hU2Str6N6aBFJ4ErPQysjOEn9I1qpeq/XPpnFXvBqDvqrBPTcaJdYcA8wSwCv7MjkHTC L4lYVSxs5xFjKnU626ohoKW4HxR+NNo7sADg4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635179; x=1778239979; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=BnXlL3KzWzfPtDefDXKY2+uDbjeKnEfIYOtp4pEQbxI=; b=VXqzkuGnMiiuu8a3xKCvVV9Nww+JLOAGF2IrjY39MH9mPFVnW2u9c9buxJ2t6t1RBh GYLmGEninoG5SZ2lcInUxcbF+1HExkZo6hHwIHiZdJ93wkWxSxpCg63hwXLv/fz3LZw6 uBhZ7KqOCJIM+d2RG0j36whlXHEvIpWk2Q42kXH/+UmncRMCMQEz74B+25jDrTSvoBAl k5S7GRCVnCBPU7rFm4z8L0A52Ur3d1nMHA2Eoz+VqIy0nEiIyxMsM9jwXaoBGrgcvHW4 3GEoJdYTty8Q1YeL7LRGxESvnWjWucVgH7Scmgau+9rs9UPLlrRtgbA1+pTH/gK4En6r HDBg== X-Forwarded-Encrypted: i=1; AFNElJ/+6EF/Jjzbb3qLfKxeYhlQvzsu+OJv7yYjnt/d1BHPx+QInMm9mN/opoMM55R7YprmtRF782srT98cWM4=@vger.kernel.org X-Gm-Message-State: AOJu0YysyPnA5fbKPk3SI78hesxEsG7xJwKqYDFAv/pmj/6RnyKxBrvV QHRmk7HdzoU26yyyLIFRqjxuceTA8OxtYrgJ6qJxSxVGIZ93f8lfP3q56wpLSvPPiw== X-Gm-Gg: AeBDietWCfAFBP9RoYgW65rmJ6likPS7BX0W/Ljf+EGYV7Uf7FYZ20LZhiHKd8Hkll/ F0XTjsm77LTrXI12giXiU7QkiLqyIxJD5plo4liKt9fKWH14zLau6b0ejoisN9yngDblS9ZLmDW 1mm478pcabyE5Nhc2DhLobyRu+pOCDjbQToXfuXitsTtWog216hfoSmL2UgO2C1DyJFzkmuvW+C VD2li6cOa2dAAtWNN9ebwDhNkoUs0C5LEWMlCodM114ATnjAsql3gwgQKDB0IEbbnjWS7hV38Vd PQ5OTmvDPf4n0Bs85kJsrS4/emrrfgOiVHGmh9P6tkOK3lQPS6JiI+ZMGXjNfyRvvh6b3kt0uwZ 3RyJeEHxhQXgTfVyq9/S8v+DOFwKnqYt6dke/NO/Bg+ZN12tkKI1o0r5TtCyvn5vJu9obLq5TM6 3bQK1e03ZAVXD13z6myhErUvkEyntYieqBzKHt3UBXkt0ECnUmHEJFzx1+5XK8c1uu2t4RcYism Y6PLHKsEOWnsRHlIg== X-Received: by 2002:a05:6512:1092:b0:5a3:cebc:65ca with SMTP id 2adb3069b0e04-5a8522b1196mr2252516e87.7.1777635179035; Fri, 01 May 2026 04:32:59 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.32.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:32:58 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:48 +0000 Subject: [PATCH v2 3/6] media: i2c: adv7604: Add range checks for chip info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-3-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , Hans Verkuil X-Mailer: b4 0.14.3 If the driver's chip information is invalid we can end up accessing an invalid memory region. This fixes the following false positive smatch errors: drivers/media/i2c/adv7604.c:3672 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D 4294967294 drivers/media/i2c/adv7604.c:3673 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D u32max Reviewed-by: Hans Verkuil Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/adv7604.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 67116a4ef134..ae75982fb514 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3668,6 +3668,12 @@ static int adv76xx_probe(struct i2c_client *client) =20 state->source_pad =3D state->info->num_dv_ports + (state->info->has_afe ? 2 : 0); + if (WARN_ON(state->source_pad >=3D ADV76XX_PAD_MAX)) { + err =3D -EINVAL; + v4l2_err(sd, "invalid chip info\n"); + goto err_i2c; + } + for (i =3D 0; i < state->source_pad; ++i) state->pads[i].flags =3D MEDIA_PAD_FL_SINK; state->pads[state->source_pad].flags =3D MEDIA_PAD_FL_SOURCE; --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7055F33DEDD for ; Fri, 1 May 2026 11:33:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; cv=none; b=WvDqlf12FNVcd5JQG50IW1ZhXf48EuPDDUPHVu/2PNwBC7aZIiALh9T/xeZ4YM1pW+kynfhU6cKsWdT7BxphQPpc1O192ISEIq5Uu/Cj/NuAKSzGBJ8TCVAmOeHVABvnxAgNaixPpFFiqOlaUw+FCF9zM5aH3OMwFZ8Z3UiD++Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635184; c=relaxed/simple; bh=fM+EOez8tTjZWMaKaiEYlL+/TS0+1cDYerp5pGjy9hQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bLpltPA9uhQAMXbZLT5k29RfiZ7fwhKgvPOgXhd9Fe1f3lkNnwFEX6QjNPcUCGHoeesVBtwDPoP4QDj6vcSZgmCXosxNHKYFyW/8U5AbLY88KvsdfKvuV1gia1VHS8E5W/ybbgEAbrPk8demW1J3GLzpafiNNPKl9q4gIJv38zo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=ZzF4goPK; arc=none smtp.client-ip=209.85.167.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="ZzF4goPK" Received: by mail-lf1-f51.google.com with SMTP id 2adb3069b0e04-5a3cee3a271so1869922e87.3 for ; Fri, 01 May 2026 04:33:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635182; x=1778239982; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=ZzF4goPKyUy/0bSMls5ANB0AyTYE4cEUEQ9I9u5ve4tIvXLQXNQGpgtzbQQ4HHniqC W1nhmy6DsNbSTmUkO6k1Q+A20tPMK6cvE91tYr4eLO5RDTDH0VwXQgGPs3TzpxvGU/ol 1eXwL6dd8njY3kM1UyOcnXEHiqqg4di8wJFHI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635182; x=1778239982; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=gFKtfQKpobF/90FFgoUFv8/OqAQIVFKb0AvGkw+NCHC747KfdWK+QTArzUkWyCNovT 1bY3fO8C544rknslgb4/gVzkPqj6yTl8Lzvb5mYfxsDSG8tUs6szqg7Lgp9MeC4xsqTq Q9VC9pt2Z6BSu3UmIRJZqsbMbgoHxsvGsZQe0xrviAVNWVQDItQ2iCViGrSM8K9uUceG g4uber2UyDF6Nn2dlY2KsMf9bMGoTIFrIVLvPZan1pa6U1mpQghdqK+oOClPIHSlLVfV 5OHAJl8ZiaOy8MfJbQAYZjH8rLHeAgHrIqc2/PmKCk5zZL9wtBUS6a7cuUBW81JydkDG 0qvQ== X-Forwarded-Encrypted: i=1; AFNElJ/VI1aEKUtcb7GzPm7oUsAX42naOuuEpOwZgOHMBSI18axB5e6KAIWoWnULkwe9Uj2Ts9QmejLo4eevNkE=@vger.kernel.org X-Gm-Message-State: AOJu0YybdrkmfLraCuaAjtiJdLhpheuMhOpRYEk+Gv/ygYoOL6p2H0O2 BVvLxtQ8iMmtKlS77ZdMrbR5PEcDcW+Z4IzOt4bbcqFwWyc6aVP7dy8GRfsNleJ/Ag== X-Gm-Gg: AeBDiescjthUNQmWFIiJDJ08W8XiuU8A2B8l5YdRABOfkJvdODXmLRpzOZQ/39QwujM EC5B1TSnjHZS8Nqnrj2HocB1Z1FETy2iGYjZnahrwbKEkw6tnJYNxj4Sh3R3xHxib5MR1bNSOG1 fxEMmDoHaj3CJy6V5ogmuTyJdkCsSxffBJd4vsw4QmCHX5twHL3513amq7sD8CuJbxTlwgd1xGb NGeWqc6bFg4GeCWdwZ8Q/oQEYr3szEwOX16BMk0hzdLdeiJ1bDnkWmf0vOwVy2nleUrZBnrCJVL Kko6n3DM0fbXqeeCCpqy0pdd+STZLm1GOMfHNE42WWlYETSE2VnXvqHhbvlg+qXQkHqeos4Ei34 xjStXeYhhPNZEgFbju0waehgeKIRY+4mzced7dwsBv/TxQn4cxg1sr/g42vdc6t2iaRBdho568A FoswJnxcvjsDIe42Ve1FsZO1zduumzZsWFkYaqlb0Ujq+YuKp5g1wojyYWOwB4og4zNq8kPV7zH lZRJcJGdwTegjl1FQ== X-Received: by 2002:a05:6512:1095:b0:5a4:1add:c56f with SMTP id 2adb3069b0e04-5a85aeabc17mr915710e87.36.1777635181622; Fri, 01 May 2026 04:33:01 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.32.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:33:00 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:49 +0000 Subject: [PATCH v2 4/6] media: chips-media: wave5: Add range checks for dec_output_info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-4-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's dec_output_info contains invalid data the driver can write in invalid memory. Add a range check for that. This fixes this smatch error: drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_g= et_output_info() error: buffer overflow 'inst->frame_buf' 64 <=3D 127 Signed-off-by: Ricardo Ribalda --- drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c b/driv= ers/media/platform/chips-media/wave5/wave5-vpuapi.c index d26ffc942219..f77abd5e122a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c @@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance = *inst, struct dec_output_i p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs; =20 if (info->index_frame_display >=3D 0 && - info->index_frame_display < (int)max_dec_index) - info->disp_frame =3D inst->frame_buf[val + info->index_frame_display]; + info->index_frame_display < (int)max_dec_index) { + u32 idx =3D val + info->index_frame_display; + + if (WARN_ON(idx >=3D MAX_REG_FRAME)) { + ret =3D -EINVAL; + goto err_out; + } + info->disp_frame =3D inst->frame_buf[idx]; + } =20 info->rd_ptr =3D p_dec_info->stream_rd_ptr; info->wr_ptr =3D p_dec_info->stream_wr_ptr; --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8DF75392C40 for ; Fri, 1 May 2026 11:33:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635187; cv=none; b=lQPaNHFsOI5ualImeDGJcdP1NxMdx7l3sb/FkgaoCg1ucwEvYAWgRmHw1Q4x9c0kKMtjeBtlD5Qcj3bJq0uDSU8NBwVnmNqfbHn0GCuqzB1COelcA2Tfd2hPHhQHGfBgUaHVBdDYdITmImCmWb9DG0viWQih9d3lENdgHkZAHP4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635187; c=relaxed/simple; bh=1hqe5xk6q8A/JJ7IgDYxkmD8c7CkAOuEyy57fGoNOLA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=jxsR3baK5C39IpKoEJQgqmxqLVuYlgcYJ4Y4aaak4NCuPbc6xH0+Q9E5Ax7b0juPnMaP03QiqNL/LA7UDgep3MuLNLvpqNCFQ8BCE12gw/TlhM3WAvL3agcu/xjphGokdrW5xa0kfT6/xWv5OjUmszhO3FjxssWAnK1hPqD2+tI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=F7deDkVs; arc=none smtp.client-ip=209.85.167.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="F7deDkVs" Received: by mail-lf1-f44.google.com with SMTP id 2adb3069b0e04-59dcdf60427so1667018e87.3 for ; Fri, 01 May 2026 04:33:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635184; x=1778239984; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=84cmq9M5CJzu1gj8OcFfHRDpQSy+05+lbM8dfJHx98c=; b=F7deDkVsXqiV7VzVL9yQgZPjyOxsgZoMzoZKevlFDi1TcZpvBUp3CX23UcMcu/aCip WEbWJQJIcfpylAcKpPQH0hr07dQfKKqOCbdB3k07XobCDRvOdN1rSBdA/mcuURpwgt0+ ISNECkOGqoXwwpSrWsqe9AWtx0iwDaZ7rJM4o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635184; x=1778239984; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=84cmq9M5CJzu1gj8OcFfHRDpQSy+05+lbM8dfJHx98c=; b=ntRir0b9AzkyTGK5Pn7owRoR9cjUw2ea4ceEdWz4LSYqPk5uFjZOis/zF7aT7TuE1r u80HNzYeCEHLZ0yauwRHwvpxavNlBetuK4hLJEWOZdXlQSTtfFuVP7bdv+HJL4YbSa9A SSrU03wZvsAtEQBtKqEcyH0MvXWb/ZBYdL6ckv+y+nKCp6aXeswq1FLh1R//qok7UP6E CRdbHvUbjOguXyvxu8vdrTsp4EgI3R5riDHLL/e6p3laXeT96+92DZqMJiMPq42uFHcL 2aWQwjuUW3D9+2XeEIu3tDM4wv3CuLyc7pWStIY2MH0wlP5rkyd0pNeV1JyTXggten0q b/zA== X-Forwarded-Encrypted: i=1; AFNElJ/+A0Ocga1/kN3me4SfBMi5XFcSXrSCTWIbf/b6s2QpQUEodtuEhu5Vzldntf3QmCk25h9w5Jos0Ped6oY=@vger.kernel.org X-Gm-Message-State: AOJu0Yx7YA91nvj5FeBGQ9rTN9A9UjqHHYKuhaeYweox6Z++vzhD6IqI OHyv/mfSa6pYt0ikT/2QaID+inilzxSkT2IuIkhT7wtlA33a8iQzdCrnTE4j/hXdgA== X-Gm-Gg: AeBDietYzZ2Ut+rrJ84rcu7JB0YMMzybBoXoUsZTbTAcoOXFVstsd9FNRwxXD56/VY9 idR8n/DUHsTh7RxGzjG6cNET22ryuV+1c1M6zRDzoeoCEQ4Tk6iVyvCOejxCr4jn3MVMymd9xqL P1H2RQ/Y1Kyxo/4bvn/7vnL6SqWTQsb+bO+UMdGg9hhkPM1ocHc/tS3NuvOp0gRO3cnjRCEywCt 68n5W/REFrihWr68X2d27nULQ9GfpBVJyVKSJkR5G5k6e9oURwYrl8pGLcqXS4UIjGM+FMLj2lH Pqi8Bll4kn60qDI+vd9Ei2FewOklCZ3J8IaRuvJMJwY4bKUD1/eRt0WMBinI+0fldQhLMYfUnu/ FLxRQzREdPv1GncYVS9bKc8BknFRRJdNB/9VNaltCaSzEgP8+rw8jplI8TxGXVXvA4VsvmlItqg 5PVCVo61+7Fhz6WlzBNgbNL4oDeskiNG97tWChQ6j9Al+xyXDtXSNwXCbHjKeE5Wdh4dh51tNbg x9LiqT0oHX5zaANMLDYdszwxY89 X-Received: by 2002:a05:6512:1288:b0:5a7:46e6:74c4 with SMTP id 2adb3069b0e04-5a8522bbeb8mr2381457e87.9.1777635183776; Fri, 01 May 2026 04:33:03 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.33.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:33:03 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:50 +0000 Subject: [PATCH v2 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-5-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 If the driver's stripe information is invalid it can result in an integer overflow. Add a range check with a WARN_ON to expose this kind of error. This patch fixes the following smatch error: drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe()= warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit= into 65535 'acc->stripe.bds_out_stripes[1]->offset' Cc: stable@vger.kernel.org Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program c= cs") Signed-off-by: Ricardo Ribalda --- drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging= /media/ipu3/ipu3-css-params.c index 2c48d57a3180..92cce31e35c5 100644 --- a/drivers/staging/media/ipu3/ipu3-css-params.c +++ b/drivers/staging/media/ipu3/ipu3-css-params.c @@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *c= ss, unsigned int pipe, acc->stripe.bds_out_stripes[0].width =3D ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f); } else { + u32 offset; + /* Image processing is divided into two stripes */ acc->stripe.bds_out_stripes[0].width =3D acc->stripe.bds_out_stripes[1].width =3D @@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *= css, unsigned int pipe, acc->stripe.bds_out_stripes[1].width +=3D f; } /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */ - acc->stripe.bds_out_stripes[1].offset =3D - acc->stripe.bds_out_stripes[0].width - 2 * f; + offset =3D acc->stripe.bds_out_stripes[0].width - 2 * f; + if (offset > 65535) + return -EINVAL; + acc->stripe.bds_out_stripes[1].offset =3D offset; } =20 acc->stripe.effective_stripes[0].height =3D --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:39:11 2026 Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 23222395250 for ; Fri, 1 May 2026 11:33:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635190; cv=none; b=aMs4KnrgF/GyLM9SAlGL7XgDoRQH9/dWh71aLpJUAOrvWbDbpOPpmxvQ+geU/ApURuqXwQ0XUsqn26W+ljp6EZVP/OovRCj5atLiAY2T8SgWvWzxMrNHAAew9z5pPHt295RzJnk2mkYlsBuZ3uuoaG6bTABIAO9ffwDzUOyvB3E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777635190; c=relaxed/simple; bh=maPN0uAGh5T9TmRwUDufwkMVbmorC5oANIGuNmwR7ek=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ODBFyNIL3SJVsd7z+3lkZgmhg0DGJGnANIgdcv3YowQTvRgOfl61h8SixzfbwazOdQysih88v5mRDY9y2aQVKt7U8ZMVDF0UDYeKNcGk/zQgazBLJjrErGgMRdQ+lNsdFqQlVnf+kAVIY9COe3ugLTh+m5JKGb++lt6hChrqVTw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=FuwyeX9U; arc=none smtp.client-ip=209.85.167.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="FuwyeX9U" Received: by mail-lf1-f48.google.com with SMTP id 2adb3069b0e04-5a40cfab24dso2019801e87.2 for ; Fri, 01 May 2026 04:33:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777635187; x=1778239987; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=1kcPDoUx1Q/YaISrAn+S58ePlDUIO7Y3t/DDUcj1x4Y=; b=FuwyeX9UgcMIM4AW2mDRMHVqdlSsYKq1SloYu1Bm4Et1u2Of/VBjY5XQT1JLiBm7Xh Ujp2EgH8yIpFsgoLGDdzjw0g+UQ9vei1jrz2CcMk/zCNnbLyb/GzjbMELqBVM3UIIxge /uDPKD++FEnmmtWBSreNNhwIO0/UMsOdd//Ec= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777635187; x=1778239987; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=1kcPDoUx1Q/YaISrAn+S58ePlDUIO7Y3t/DDUcj1x4Y=; b=rlppSZYQSRkRs9eAEw2Z1Z1+mTeFutJ8T2HqzdsYrve9QrGVHAk9lYA+NtCSMyhwnF Ve/lmmb2oUe66d/p+Jot2HQtWRs/DJENsYXBNzf5FDwcV3STdTJs75GfVy7Qqqa7hHv/ pE7XzFWf1vlE+1jwQKeotcL0e4ko7FBzbkajbunw7hQM+1SzOWdt0r6Pjy5moIP8kX4m D2mijuXG7ziFtQR6VjmFTOJ/bgrubaPcmWVMfxqeak8TizmGMgPjt8STsJx3iJ6ABLnG SiXnd+snjyb+ZfGQcHOLynS+5UqdvQWy3P9OKeSYjV49AGHreSCHQ62wJs2b2orNWsr2 Efzg== X-Forwarded-Encrypted: i=1; AFNElJ9+oqx/2FaQJ6RRB/kCIkrygZBgKqqyeO9HGplm+3Hpi7/9WvF1hm0eS9H7Chyd6Q2teyK/pmGgfkSTk9Q=@vger.kernel.org X-Gm-Message-State: AOJu0Ywim3lKQnW6MxGsCvF6o/YqRXaYmSNwHr7k+31+E1yVmX6tmnmX oi57qAlFQjGjy9kFfmsdjTit6JWUnlybeLxMMVnlxcpLkGrHOE1xmoCFCTlJy0Jc5g== X-Gm-Gg: AeBDieuG8uQ6XNTXVzq4ffClA8PFwL6F3mxZliTEgAqZXJdy3BP+2xAzusvzNrU0ySq HxgiS7OQoeidQkU/NpRurmD60UK2pKDcO9Eo/VMIGr8alq07f1/jvKQ4oVw2RTC+rlRsm/yDrLA Q6G4gecFsg1AMVdfABy+9w7jyQ6B4+BLDo36wJ4f1L4aqR6Akfws/ppiPz8xoKA7GHWVzOJjshO ssleIo+Xk+CddSlVU1LqQbIGcJ7q9MypNF6U4abbjkMOwihjHqJT1N40f1eAVWNsxKfcZm7NQVa n69X8CDqy1dPeRqUqCGqTEib+fy9q9WM3UNeLdVgT/krvVcPwbeySRt44nIkYWigTTjNCFwE08q 1A6YX8DsgivZwxupR7a8v/zQ6US28zjvlMTYXzFTwiHIQx90ThRG0I9HWbrpClbGXfIlgK4FQ7Y xuEF4t/B2YimwQmLg+YXVKIYy1FJFtibYRZ4ot3nDHzNJnu/L+yqnR4gSKNOu5qPE5BlZO/31xw Dw6m5eUBnkYrBNcJw== X-Received: by 2002:a05:6512:10cc:b0:5a3:cd94:df73 with SMTP id 2adb3069b0e04-5a8522dda2emr2212355e87.38.1777635187389; Fri, 01 May 2026 04:33:07 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c346c02sm429166e87.74.2026.05.01.04.33.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 04:33:05 -0700 (PDT) From: Ricardo Ribalda Date: Fri, 01 May 2026 11:32:51 +0000 Subject: [PATCH v2 6/6] media: amlogic-c3: Add validations for ae and awb config Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260501-smatch-7-1-v2-6-a2fcfb2531ac@chromium.org> References: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> In-Reply-To: <20260501-smatch-7-1-v2-0-a2fcfb2531ac@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 Avoid invalid memory access if the zones_num is bigger than zone_weight. This patch fixes the following smatch errors: drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max Cc: stable@vger.kernel.org Fixes: fb2e135208f3 ("media: platform: Add C3 ISP driver") Signed-off-by: Ricardo Ribalda --- drivers/media/platform/amlogic/c3/isp/c3-isp-params.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c b/driver= s/media/platform/amlogic/c3/isp/c3-isp-params.c index 6f9ca7a7dd88..aec3eed0e443 100644 --- a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c +++ b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c @@ -104,6 +104,8 @@ static void c3_isp_params_awb_wt(struct c3_isp_device *= isp, c3_isp_write(isp, ISP_AWB_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AWB_MAX_ZONES) + zones_num =3D C3_ISP_AWB_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { @@ -220,6 +222,8 @@ static void c3_isp_params_ae_wt(struct c3_isp_device *i= sp, c3_isp_write(isp, ISP_AE_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AE_MAX_ZONES) + zones_num =3D C3_ISP_AE_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { --=20 2.54.0.545.g6539524ca2-goog