From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 063BB2D5A19 for ; Mon, 4 May 2026 06:54:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877651; cv=none; b=Ylms6nlBh6AJ61hTVQdunut0JW4bUVZPi1FY0ZpZ/65Wk2B46YCjKA+q8hUrWaubV6XZqpPeQ+uM6rlddp0IiDstigdqaOdyM8u99LKksEO00oJBuUjYpAP+U0xeAhy35On8dcheCfvzvLfX385nOKWkJubj795WwPe7SpNBMiI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877651; c=relaxed/simple; bh=ne42xYajKx8Kiea21amC61A8URblNNdzVSYQ5+DXQtM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HvtPaDzKHj8L+CTM4xsLvNCBwdUDyggtBGe6EWAtgH7TssCyLwOjX3hixTOygPmJI412JHM37+eyyqRQeM6mOImY51xikdTaXvoNhO6R1+glJBMfOp4tz72K7YtNxXBpLrGxGwbL0aBFqGCr/xrZr47xajnCU7HNt8JDaK68HTU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=LwLwZp0a; arc=none smtp.client-ip=209.85.167.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="LwLwZp0a" Received: by mail-lf1-f43.google.com with SMTP id 2adb3069b0e04-5a86bfa2a4eso1678281e87.1 for ; Sun, 03 May 2026 23:54:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877648; x=1778482448; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=VgEZKNrl10DgxlH1xZQyC/yRD4psOac+PKsvu6TEYIs=; b=LwLwZp0a3pKasW8GKqYw8ksSg8hE4RoCL8jyB1WycftvZZk3+I8dmQpPkWURtRt9zF 4o+w3z7/r2s/EyANmyjK+2XUGW5CgMqNNZ0XNDyiJqPaEkc1fpCV38Koi16C7m2PjTYw 9qCJczD0OjNlAh9p1mlKjCBPK1PQqcXjHrf+4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877648; x=1778482448; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=VgEZKNrl10DgxlH1xZQyC/yRD4psOac+PKsvu6TEYIs=; b=Sgx0sg7xJ266FAAXF/0sc6a3KlY7gIapz7OgCKTWoqqjIM7DdUDQjVolRVRZ7nYgra S5g8CFre5s1lhdo8EqKaHL7ZrpH/+DHc7p7dSIwTrca6yC+1+h5AV3666cwZxoSvWOcq 9rL36rAlLM/SDI6gqPBOzcSBGYhR0WLY1JbYDNiEuS4d1K+sERtzCiUhDc/jYyJ8T3vM hdrhhkJjO/3GDimcbS6l6CrrjKf+R2rbIgkdBIMULmFDJB/u3tSI2CaAzaOGemCoVq9i FZnyphxv6G65LmbxBPNDo/oNosanyjUpfqYCiITERFL2HSUwpVutll9yJTAdDoClWBWT 8zsA== X-Forwarded-Encrypted: i=1; AFNElJ+JyMbbzBTWEaZhL4wiKv/+4sIDf0mYfMHzeWDfK2s5D4XNFlsibw/A8734rWLUW5u2y39WEz7K9HEatT0=@vger.kernel.org X-Gm-Message-State: AOJu0YyejfWmUuJDna7RpcJHdSN5gP4rvAkbxXBIzUx+46FsJxS2QqxN 8eF5xB6w1LzMaK1FW8i+Spk+H3yMUnP0rOQNVVMSRg44HAqXqfbsHuW8Hbk2sB9qcA== X-Gm-Gg: AeBDieuBzPxMPBr9DFTyHXU20uw1NE0C7b0Kd1C4neY6UlMdahH4EVKy+D4pDpbqKZu NItj+pV0jWiapCMCMiCbZkQGC4CQYCRs9KJyG9/ZV7iOBIFpcTpvqegOSASoDmcGDUexnFnHsrq 4XzVLFxlhELV3s5nbtfBaCLKu+Y7BAU8Kgqa+XG/B6X+74YQXwOVF9a1BwEM4cfU5aXn/x2kEzM bzTElEBEh+Y+8qP1dB+jkiEGKwadVaWZCjpYjFHENxo8R4F9lVZFT7cke9+SCGZKjUb0cJsJ8tc n4nd2+BLiMEBfO6SDZ/7KchYA0XwAtYZ7RI0cy+y6pubA207SryEbi1jkHIjYqc/JNQZY4cdoRz +i302RlNc3SoPl0IGh9MDi0eCAgLJLHrbdEJONTSlSKWz1ofMXfg83h/2ob/lcoiU9GOmDu5TVR /CuSqcZu3k4hdGvZXk1ChYQ7Kj49mSZJFPmor993wRPHEk7YTcOmqoHkGv5NgiINapTBydgCIzT MW+Ye5B1TCP1Brkqg== X-Received: by 2002:a05:6512:114d:b0:5a8:7352:a885 with SMTP id 2adb3069b0e04-5a87352aa2bmr615908e87.17.1777877648177; Sun, 03 May 2026 23:54:08 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:07 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:04 +0000 Subject: [PATCH v3 1/6] media: v4l2-dev: Add range check for vdev->minor Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-1-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 If the fixed minor ranges are not properly set we could end up in a situation where the calculated minor is invalid. Add a check for this in the code to make it more robust. This check also fixes the following false positive smatch warning: drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 Signed-off-by: Ricardo Ribalda Reviewed-by: Laurent Pinchart --- drivers/media/v4l2-core/v4l2-dev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v= 4l2-dev.c index 6ce623a1245a..5516b2bbb08f 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -1032,6 +1032,11 @@ int __video_register_device(struct video_device *vde= v, vdev->minor =3D i + minor_offset; vdev->num =3D nr; =20 + if (WARN_ON(vdev->minor >=3D VIDEO_NUM_DEVICES)) { + mutex_unlock(&videodev_lock); + return -EINVAL; + } + /* Should not happen since we thought this minor was free */ if (WARN_ON(video_devices[vdev->minor])) { mutex_unlock(&videodev_lock); --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C3C62D5941 for ; Mon, 4 May 2026 06:54:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877655; cv=none; b=Iy+UKjYSZ3N8saSXuOAh72R2+nCz5yUxRoQ7A77WW9UkN/zgO4/57l4p1FN6lHBvR/IsjYELbcBzR9p5D9WQjHNEKVhwwTSO8MxvT7yiyFlrqLIuLtRzjaZ9xWUXgpS8mEBL0yuOWN3EjrJGIGti8qUyo7kxkrVPPua3XgWUVRY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877655; c=relaxed/simple; bh=tLwMsZtKESL5KitvooJvICOu2RrZ4OM6qvgcLZaroZk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=POsirjqBibn7d6BMw6gbkPfMHVdvxwVfSbxFLrEDUUDGSOuoL9hCXQAnHigDUU9SkY4AKEFiYyr1T0t5ELq/bNQmNBns4Dr6EDCWGw8gaSzPkOTxggAr/u8QNdGFwwVqTcD0uQybvLgdjn6/tOOBRWwDr9X4wpkWLWSCsUQVBeM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Y+/PNc+g; arc=none smtp.client-ip=209.85.167.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Y+/PNc+g" Received: by mail-lf1-f52.google.com with SMTP id 2adb3069b0e04-5a0ff30b240so5572560e87.0 for ; Sun, 03 May 2026 23:54:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877653; x=1778482453; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=DO6EYg4vrsGld5Vns0zx8Rx5L9ViOljnC9zyP7KqNys=; b=Y+/PNc+gBaOBV/R3yZtS5BkfC9QiihrpbwSro68IdCRdRKsH2o6digdm3TTAJd41c+ T6l0jM0/e84bge60od94j/4YWysqdeE5mqVQE31FNcFfl52QQC1bXPCU1ra9H3GTOeww FdnH1eUUa2dTg690mvhRTJQ/f7gb3cvjUYTTQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877653; x=1778482453; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=DO6EYg4vrsGld5Vns0zx8Rx5L9ViOljnC9zyP7KqNys=; b=UyYi+gyntQYZsAjesdwiYlQ20oudB9HCE5jIAoGI/0/BSZLGEzYPrNv8+Y0+BB41ku /fFu212On75g1rswORf+GnJuGKtZZCZi5+wWA8OtIsS92Dy+8tPxILcjSN2PLqv1zzf0 o2xrKGzBhO1HdYqXGtVlSevV4BtTPZdGHjm+9LiEfLY9r/V/eS63IBIPITDw/1lDF1Ze 9QgeqF6J7cbpdFGz8Gtsil93WMMr0pGGZ7FD1bDH0Dj/45mC7UAq7h3ProQc/ImWIQUt morb6VFdUqjivrraLFYJEXP3DiR4y4lYZv0cMB+WY9jpjTuvUQ1HkDyW8D7O3brcfDjB BWQA== X-Forwarded-Encrypted: i=1; AFNElJ90oFTkcpBcea+/SP9NJaSwLC1EkHY7DHXbb3AT+35y7V4qmkiepAU3KQdOmEZXTI6fMPr197xIpOMGuA0=@vger.kernel.org X-Gm-Message-State: AOJu0Yw6xzQipDiXZrkMGz++/dAsHd7jHuGY21OiSwU5GAwBnRdIFTYV nDlxY9EQKGzYuQXdBnvglqBUI658iZeuR5opJ/wMtJxmgl/GKo05ZgpHT6KDLZxdyQ== X-Gm-Gg: AeBDieuw5XA8KDWdl51WjHTnRhp/KMCuAjZh2q86tVh25f+G+7dT12fFLtYLBWVk22p v29EG6ZC3+Am0lnd52nDaAstmrXCTCmd1lJb3gS6edL+RLkRpirbNeOTzzO9ZAEdd7z3x6Zjl+q 1Ej0K76mlOkLXlkWtSH3k4r01hFSwJDXX+pw0XR57r3sE8mj2hKU817dbxqPohIxqNHcuFwDR3z JC5uQsFDnL+xVWUhxk6rKpycrornq5AAck+cbUvCnsPB92kvlnocUh8zJ/GWVhOPP9DcLwbfS1Z FwICOxgv0Psdzz499dZoTamlPc8jAD4Ij1azxg5aYSdRxNyj7xa/ifslmDvmulyrrXTAepnzNXJ /9X0OCr7H2qb7QbnKUe1lwCLgJ/tMoWq5IYBSZ4MJx9RlmfmUJ6xgM60iREOxOKEaXqc40dZ0EV sJuhA3YgwK9CVsiNA+sGDYt/+JqotnAfR/deXZmVoaEcoG0W1BDTZurzH+4KDv+R1u1HUB7CmJg pLQ3c8zmFzYZKCGczE9UF+tlT4f X-Received: by 2002:a05:6512:3ba2:b0:5a3:d1d9:6080 with SMTP id 2adb3069b0e04-5a8631c00famr2451231e87.29.1777877651260; Sun, 03 May 2026 23:54:11 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:09 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:05 +0000 Subject: [PATCH v3 2/6] media: i2c: mt9p031: Rewrite assignment to make smatch happy Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-2-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 The current code makes smatch a bit uncomfortable: drivers/media/i2c/mt9p031.c:799 mt9p031_s_ctrl() warn: assigning (-1952) to= unsigned variable 'data' Probably because smatch is not clever enough (yet). Do a simple rewrite to make sure that smatch understands what we are doing here. Signed-off-by: Ricardo Ribalda Reviewed-by: Laurent Pinchart --- drivers/media/i2c/mt9p031.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c index ea5d43d925ff..8dc57eeba606 100644 --- a/drivers/media/i2c/mt9p031.c +++ b/drivers/media/i2c/mt9p031.c @@ -796,7 +796,8 @@ static int mt9p031_s_ctrl(struct v4l2_ctrl *ctrl) data =3D (1 << 6) | (ctrl->val >> 1); } else { ctrl->val &=3D ~7; - data =3D ((ctrl->val - 64) << 5) | (1 << 6) | 32; + data =3D ((ctrl->val - 64) >> 3) & 0x7f; + data =3D (data << 8) | (1 << 6) | 32; } =20 return mt9p031_write(client, MT9P031_GLOBAL_GAIN, data); --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C25641A6813 for ; Mon, 4 May 2026 06:54:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877657; cv=none; b=JjyU9CTntkZRUm69/q200VuAiUITlgzdBy1FuLufh5CWSBStMbW6h8U3rXBF0ObMLjHj+RaGkJptA3nkDdOEWne/cxsnkzSRZ00tEcYy3kx+bZbw/efCzBUJIZybFZ1YcCHSEgWS0CQBHRN0twyej0zt5i6kKkZ8P2UW9EX7B14= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877657; c=relaxed/simple; bh=1ZSaYK9KkfV5+GCoFqf+X0v1Q+Y+dHjA70Bg+RMm57U=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fk3p/fw4y5XVjg6QJeGsvZOjaAoguoLfOtXhEHzvVLFbGbotgJTD29Zt2Qtp2k+rfr185mpFA8y8af421UqOir+j6VSGE6ZmK5QF2z+brX4xGKJaGwOdQw6O7H3as912d8BOD30j6QWO47xKZiPbWJ7/GkrMWUvIiw6xG1I6a8w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=gGMygKS2; arc=none smtp.client-ip=209.85.167.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="gGMygKS2" Received: by mail-lf1-f43.google.com with SMTP id 2adb3069b0e04-5a865004748so1723552e87.0 for ; Sun, 03 May 2026 23:54:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877654; x=1778482454; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=BnXlL3KzWzfPtDefDXKY2+uDbjeKnEfIYOtp4pEQbxI=; b=gGMygKS2gl8mmkhLk85E2YT7VK5WTLCxGOA2AL+AXsq61/VKUogY0IoZAuUxQZwU6b WKy9wL0E9RpimII2qNCFsKARw6IMJ6SkiGjFTMi4YN+4PSdpPYDNDVHcMUOhyR3DVKmB 5fYd0zEQxZmP/EY+IdT9ITvuFtW9QekhD8Deo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877654; x=1778482454; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=BnXlL3KzWzfPtDefDXKY2+uDbjeKnEfIYOtp4pEQbxI=; b=famLkS8YKn7AZF5f+GGZDOBN027WzJPOBKh+xR7ne1M+NdkTxALYh7zdj3ls+QiTEm iaDbfk+KC98PzmDcDPN66B04jcqFhPf+rzI2zdL6cx0eYqBKRj2TR7fn+c5oMT3D5sLa oQBh+5OBApu7B3U9WflLxCbUo1jHt9KnIcvntvj/AS5hBmkyllV1B/OesPdkqR5PR0+7 42E1BXp1c70uSRAdP2IwvsV/uWX7SjzwglcQNSuaUKPjL6acMifV7RfRI424q3Dn+uli v7fbCX4kEV75UnpkoQ6DlxqtvLP2Nk7ivwle9ZqsM2DfkHcaONhyq59DVMnFWGJmtjVx ez+A== X-Forwarded-Encrypted: i=1; AFNElJ/NZqEuO0JaM+8GvSitH6Tghg2n161asCAok84OPEK9bddNpSdBuoYf5CS1vGIJYNiXlUVCK85B+cEmyOA=@vger.kernel.org X-Gm-Message-State: AOJu0YyXQehbQFef/SlyOvIR7/zQjGAsDxZWdRr9EzDh/Qv7h/keGBlh KusB/Roq9+is0AEaYTJcIjns7PfpxZkk7c6SWZeIeU3Csrrf5UbMWhoCdT7ZDv0pyQ== X-Gm-Gg: AeBDieumpaAzqSzYHUqUbC+rl3czEHu4nnEnDsapDW9aaS+twq3KZkSvSh1YC4hcRNg 0FO7LPHeE00Jvyird2UcFfaeGNmWGGQGR3FUj0OBahnsqSgoeCQkNDOu7a85Fddp+F37emTx8Zs zIa/dQmNn8oCjyqLafAz7eKo4EI7AcrzGG0mZGPAwMoeWiWcd3UVniqnfNm6ZiTGybh6N9Z6YiY jWLzWvNzj26hjtZGpOW0eeTSf+cNqgXV/l5TJNkiZ7OmiCvGWjawiT754iJYsY++O0CaMMhMoz4 rvPwLgZn5GAt4V1ZcLiu5JbU6PzO/MZ0zxhsO5kHcBZ3Ul6mNdgngnxvmjwaeLPdIcwh6cJdfBO sggZq8lGzuUj8ygHzENB8x8UngtwpY84AWSpKSh31unvNPUGjiKYqkN6BjRcuQF+1F5fh+PXicc WIg2RlQwzCOANnNxmfO5uwbaRCxE7JD4jiEKUI6031BQpu0i0yAkfiPJKgcou/K6ijTi19ZFrkQ L26U93cBRhgEgbGmQ== X-Received: by 2002:a05:6512:3e18:b0:5a4:299:285b with SMTP id 2adb3069b0e04-5a8621509dbmr2250062e87.12.1777877653936; Sun, 03 May 2026 23:54:13 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:13 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:06 +0000 Subject: [PATCH v3 3/6] media: i2c: adv7604: Add range checks for chip info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-3-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , Hans Verkuil X-Mailer: b4 0.14.3 If the driver's chip information is invalid we can end up accessing an invalid memory region. This fixes the following false positive smatch errors: drivers/media/i2c/adv7604.c:3672 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D 4294967294 drivers/media/i2c/adv7604.c:3673 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D u32max Reviewed-by: Hans Verkuil Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/adv7604.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 67116a4ef134..ae75982fb514 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3668,6 +3668,12 @@ static int adv76xx_probe(struct i2c_client *client) =20 state->source_pad =3D state->info->num_dv_ports + (state->info->has_afe ? 2 : 0); + if (WARN_ON(state->source_pad >=3D ADV76XX_PAD_MAX)) { + err =3D -EINVAL; + v4l2_err(sd, "invalid chip info\n"); + goto err_i2c; + } + for (i =3D 0; i < state->source_pad; ++i) state->pads[i].flags =3D MEDIA_PAD_FL_SINK; state->pads[state->source_pad].flags =3D MEDIA_PAD_FL_SOURCE; --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B29AF2D8DC3 for ; Mon, 4 May 2026 06:54:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877658; cv=none; b=s/PzkrShthzvtlDCON290x2ueSKy1+wJfp06xwUAXOKDDa07HO40TMds7s6zcYb7x9qooR4tuDzABVksY+Z9Ea9MNvJEUiF9Z54rP0jPMbU2TcdtUeQ8UvcyphVNU5iHpz/arFmk+CNys4D9noXJ5Vv5/OdDWx19R1uFBNyAozY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877658; c=relaxed/simple; bh=fM+EOez8tTjZWMaKaiEYlL+/TS0+1cDYerp5pGjy9hQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=HnSpH1LzYTSJQp4muiB5gLw1qHYvp5qr1KgZDKzpwuZQsxZX9LhyCJdDHC9/ib5Oiijy5yIMw8FRdXhw0MrF7U5vl2Cwv7cBZHPfsFPYR65IuBDJ3HEY8U1OpvlTEvDKUHMRb4Mu762Nq4nTDX2ogP3H1w+25qtv6+JYHYUZq/I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=FLSrwgHI; arc=none smtp.client-ip=209.85.167.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="FLSrwgHI" Received: by mail-lf1-f53.google.com with SMTP id 2adb3069b0e04-5a3d42263e4so4395239e87.2 for ; Sun, 03 May 2026 23:54:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877655; x=1778482455; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=FLSrwgHIWyTvOtS5gdU3Snt+qGQO5CAFxlytbP5BBqikxl7zhMRU8WDwDsdqEB4yaT 0SlOa0LvOx8vIhifMV2fXAjGaxlX3yMzcP8tt1G9jTkuMi8kAOCHheAA4k7CTodvDcaF 5Nz5Y7vYNb9I+CxcCZ+x5orzUXSyXPK5pqPOA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877655; x=1778482455; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=iu0V+UWGhKofbsqLMuK6FkwiFliyODBO+j8A2mvjt3M=; b=VJq0jT9vJYkrEbgdx3RP3S+Vd1ezRTUHBZ49APShS0nYEq7JIzuK5QD0/EL4RND4+E AIn26+8GQ46Ql4Aho6t4mhc2uoBtSg17UZ8vY8j89Rnd4AQEYHF+DWOWH8TtmoFOzNVp 9YvkXLDga5yNd62ZxzIiix7lF2dl3cvEBAhpodn9yPmP8L8G9IeJRPJSgavHYju22LAp 9I1/SIipz52CatANprtNFFCxeJvuShLaL1I0RRuzrZnT8/aOe+0BVgdwWFWxPJxzCCxU k2eBFX1/a2bsV1BkQgZ0zQ01SByX9MUa3DziFqZJNCqqR/vibXqKvwoDzAvqkL/CFBZG 6pHw== X-Forwarded-Encrypted: i=1; AFNElJ/gRxioXHC4c1iVt7sgsWieYgZvgB8FYbY1VcB5jEiF2Dr7E2espWqmrZp/ZZf6Iq0Mo3QODZO31ADf1mU=@vger.kernel.org X-Gm-Message-State: AOJu0YwxZVPUX+/9Z9aZ91dfAhJaPPvo467xwmsVJTgBnv4vvEHWDIDn a6JfIT1XzYi32fD63oHJ2htDR96XMCFmWmBqRyqFS0tk3KLKG57d/dguJN+DSLL8nA== X-Gm-Gg: AeBDieuvLhqum/LDHLOXR0lzMXOHSQJqu2u/JxjY3R+g0muber/Oq96+BTkbTaoAArw i87aTXj7G9FKIpwKfBSmebeHMm3AFFOsMRr6S56jQ9EcROWTxyipCTWOANZpOydQhUIeWLwohns qAVZmZm1vzZkAQZnq9mDAu/QH9H6l8KgK8xkp04Lxzmx/MpQRo/9oq/QZLpw9dlUekbZrz+vopc h+hAfw99NqlUxr5B8WSiAWkopKu7KXXdFAuiqx9HmvTup4msDDrZykudA2g7qNcNNTRs89oxHF5 dAAkdiC3wGbE2gQQoffvh7g+pzCdmnx145+VODRpRTtUCHS5dg/LlUJQE6vaaKgzMOl/s46Ei0m TtiHipXSMcQS9P8qIxCznzFgvSAXYE+ULdab/D029uQsXquIgVwjBP1C5Ktk5Sf2M2D3R7jbeu3 k8eq1Qt2giMNNTxVSF1rThf6fwTIAQRQDFEejc7qRQfVJf8LvDLg6TohFtHr8SujZIJxMeRPeZd ilA08mlTp6/BRfLyA== X-Received: by 2002:a05:6512:39c8:b0:5a8:6746:3f9f with SMTP id 2adb3069b0e04-5a867463fc4mr2661114e87.40.1777877655087; Sun, 03 May 2026 23:54:15 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:14 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:07 +0000 Subject: [PATCH v3 4/6] media: chips-media: wave5: Add range checks for dec_output_info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-4-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's dec_output_info contains invalid data the driver can write in invalid memory. Add a range check for that. This fixes this smatch error: drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_g= et_output_info() error: buffer overflow 'inst->frame_buf' 64 <=3D 127 Signed-off-by: Ricardo Ribalda --- drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c b/driv= ers/media/platform/chips-media/wave5/wave5-vpuapi.c index d26ffc942219..f77abd5e122a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c @@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance = *inst, struct dec_output_i p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs; =20 if (info->index_frame_display >=3D 0 && - info->index_frame_display < (int)max_dec_index) - info->disp_frame =3D inst->frame_buf[val + info->index_frame_display]; + info->index_frame_display < (int)max_dec_index) { + u32 idx =3D val + info->index_frame_display; + + if (WARN_ON(idx >=3D MAX_REG_FRAME)) { + ret =3D -EINVAL; + goto err_out; + } + info->disp_frame =3D inst->frame_buf[idx]; + } =20 info->rd_ptr =3D p_dec_info->stream_rd_ptr; info->wr_ptr =3D p_dec_info->stream_wr_ptr; --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48DC62F2914 for ; Mon, 4 May 2026 06:54:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877660; cv=none; b=rCW0VQ+KdSBj8bBt4N8V991bum42yoYYzVPz/RefJ5LVby3cp6JYLm+IUzgah5PpmgrETXZwQKoPzUDpaLpQfKDJDJUm0ulAlBc1GAxfplOABPGMknggY/HHlSVcTweIB+q+WtWb2Uk67wmANy3fwNa+riA6IrQiZVHNy2F/aIY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877660; c=relaxed/simple; bh=1hqe5xk6q8A/JJ7IgDYxkmD8c7CkAOuEyy57fGoNOLA=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=O/3hYWrV6mlpOT+areEFxeJMtECOG7uKqm3cSzaDAHz8oim8oz2ZMDB1g7NTio5VEe6obdu0/ANWCTPIcj7BSI8uATSUFVzCZpFHSs0WkA9Cht8TxsxXC9JLGtCK6iuYEMJTKxKHZfcM6sdAZfPxEjdf3WyOD1fofbEHOK3XwjI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=nMfghY/w; arc=none smtp.client-ip=209.85.208.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="nMfghY/w" Received: by mail-lj1-f171.google.com with SMTP id 38308e7fff4ca-38dd9f11a09so29867441fa.2 for ; Sun, 03 May 2026 23:54:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877657; x=1778482457; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=84cmq9M5CJzu1gj8OcFfHRDpQSy+05+lbM8dfJHx98c=; b=nMfghY/wkxLJw9I8Y+mea44qibD1UKaUCIyowg1pF3FCLjHdOB2e2bWXwO7d9nZmSs BNxdjJZtZr7KidsEGBKLKaF/3ps5TKCQ4I2kXhE2B6Jn4BtW4bp9oTcbxUy4tnOleFmk VwcnS88az2vzB6Q0CqbOg1Kc6n0X7I64/ZjXI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877657; x=1778482457; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=84cmq9M5CJzu1gj8OcFfHRDpQSy+05+lbM8dfJHx98c=; b=oZx+gsTkF9n4e6YMaEmMyP8zisDPRR2IjQ1JiU/CPbQb56H5NcUk5QSeMGEfHn6zsK DBvoFRB42LRH7boTbY1oCd0xnLeff80itHbelu8zwQ7UosPzvu4EOOfQMcw6vxZ3RX73 RXiX5cPz78PJV9tn51aUqm3XSdCTYkKKBucqgWWo35qxqz0kfYKSq3Jwsy396ntAB/SL oZdZORki9NyalxxUVhx/4Z8dditpDwnkasgXqJkW8+E3mLAzrB+Xg9ODnZhOeP8fMBCD /UabpmeD4Q9kxUhpDfKwkT3PQ7yPIyzf0IY3oH6nQ8hPtc2kd88AfXnul2fBMj5xKxuX Sr9Q== X-Forwarded-Encrypted: i=1; AFNElJ+d5lHRILS5IjmH+UG76M7Aouc6VJGdWK9lhkawBKowt7tX1huUfeUC6Lu+/65o+6j3k26ZqutUMj/sOjM=@vger.kernel.org X-Gm-Message-State: AOJu0YxHAHst09IlLm4oZljAp0jk8qcDEninavieChi14QvxN+9sGdM8 Aj4evfQCOIgQc66n3wMt9/Pqu++0VKdZ6PexASZQxQ46M6p/CDXOSHWHAetl21GeCA== X-Gm-Gg: AeBDieuDqNeyqllXWALMv597OQyOaEby7+fyHAMPjLetSsWVRff0uCHY/BHGrhZ869H YpWWdBH00uCvBAOxXKjA0mvBQxovOLyvWSqH+T3ydsdcNvd1wr5CmtHcbBQ6CdIivAAusbTpTtJ ZYffMTDFO4Jau9vKDw673tb9uPEk1LA7HAcEfZPpR7LzlLYNAySAYd6JVsVNv2m8EiZyoAe9aDo NT9TXTlsCsXJLZp+oRXE9N0On2OkaNVU76svSUfnaThYZ/AhsmH8j061QSSf4+x3oCdFfIW419X 95knUfkvPTvP4QHRCwj5d0c0Rpq5ZBQMUlV0yMwEAj59/KzTzw1R8WitHPNyjL6Cj9e0a2gALVL lKxvV9CawX6obFzZAyK/+fTLC82yo/baXg9h/65OOdoqiy8ZaDnMTAjcd4b3mxyOpTjBgk9wO+l 1WlhFxJMjZnjKVqZL9TbkR2ljwHZ46dicBdpU4BYSiW5zL0+cOlf9PiIGizG+cIQbaj881P2lm+ AL2mL1NrgQVQ46A5Q== X-Received: by 2002:ac2:5599:0:b0:5a8:6b4b:bea0 with SMTP id 2adb3069b0e04-5a86b4bbf45mr1130311e87.41.1777877657467; Sun, 03 May 2026 23:54:17 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:16 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:08 +0000 Subject: [PATCH v3 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-5-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 If the driver's stripe information is invalid it can result in an integer overflow. Add a range check with a WARN_ON to expose this kind of error. This patch fixes the following smatch error: drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe()= warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit= into 65535 'acc->stripe.bds_out_stripes[1]->offset' Cc: stable@vger.kernel.org Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program c= cs") Signed-off-by: Ricardo Ribalda --- drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging= /media/ipu3/ipu3-css-params.c index 2c48d57a3180..92cce31e35c5 100644 --- a/drivers/staging/media/ipu3/ipu3-css-params.c +++ b/drivers/staging/media/ipu3/ipu3-css-params.c @@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *c= ss, unsigned int pipe, acc->stripe.bds_out_stripes[0].width =3D ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f); } else { + u32 offset; + /* Image processing is divided into two stripes */ acc->stripe.bds_out_stripes[0].width =3D acc->stripe.bds_out_stripes[1].width =3D @@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *= css, unsigned int pipe, acc->stripe.bds_out_stripes[1].width +=3D f; } /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */ - acc->stripe.bds_out_stripes[1].offset =3D - acc->stripe.bds_out_stripes[0].width - 2 * f; + offset =3D acc->stripe.bds_out_stripes[0].width - 2 * f; + if (offset > 65535) + return -EINVAL; + acc->stripe.bds_out_stripes[1].offset =3D offset; } =20 acc->stripe.effective_stripes[0].height =3D --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 04:21:44 2026 Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA91A2DBF76 for ; Mon, 4 May 2026 06:54:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877662; cv=none; b=jzZlWdcWkEi0fxgX6vsDUTEZIQH3rG1nqjf9JuMIT3wWNqA6SlMmQSFMpJ3GPIFtEuloxXHR6DgHrXd612cmi/9+p64SOLaixM6tbGEU+7ngzQssx1T8KMRGRXhsYMJOFXdZ93aj2iNkUGGOlbeSloMtf+GBM5MXZQRbi5GNB5k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777877662; c=relaxed/simple; bh=maPN0uAGh5T9TmRwUDufwkMVbmorC5oANIGuNmwR7ek=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=dv9x6tSZMT3MzRzr722VRd2/xmSDHH1YavsCkmB0RO1w9v5w2DKXe6cx7qnmlw1wqiVOsvjj7+jbve2Qw6XKTgoYj2waV7a7xiiTWp+dR4G4+Ftq9vHALejbAlljkNHc1+QVNCD26pGRF+JKV1eU2OU5MP714vZk20rUyV0Ton0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=ivXTabDD; arc=none smtp.client-ip=209.85.167.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="ivXTabDD" Received: by mail-lf1-f44.google.com with SMTP id 2adb3069b0e04-5a0ff30b240so5572641e87.0 for ; Sun, 03 May 2026 23:54:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1777877659; x=1778482459; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=1kcPDoUx1Q/YaISrAn+S58ePlDUIO7Y3t/DDUcj1x4Y=; b=ivXTabDDn58ho+nhz8hm0KEeyu3UGNmRWTFYmNY85tPSYtrgcGxuUnl9g+Jh0oj8LB VVmTwEQzw9jj7Alqzbed+2KlJ/A54BjvOC9tYTffRDBkzP37S7kY9T37SqIM/9zwGBS6 IoewgRu+XNdE6CFSxPB5ZetIM+k8bm4X0cfQk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777877659; x=1778482459; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=1kcPDoUx1Q/YaISrAn+S58ePlDUIO7Y3t/DDUcj1x4Y=; b=hFS2yUZWxGKcpThQACJ7hLXxGHeDHizGLHwizuxHone86IPw7LAmfM4hSr5JkdqvxC EnPpQU/w3ouiiT71g2JfRya1SOwPdZ2uizQnK9Wrcf2kTjsIQV3AMY/3/0rjcr9+kfom pn/3NWoacTiIyBJUPhI19M1tr/7y29IhmwGSmdvO02Y67ioX/S+MWFXeezJyZvpG1fSq 9F5rhXjpPGTiFI9ro/3sLXK+0CRqKCPMkOL1s0l4KvWvYsbdUo/cpOnCN3j9bTULav5E OS43o8sheqWmoGsrjKJMoCzzQYTn7OAiBU2KpMpTE+2tGnI0MyYPfkcAsKaGGC0YcHbA 0SiQ== X-Forwarded-Encrypted: i=1; AFNElJ//fWN0dhEGaCyC2oZGUuCBbCzJZMvN0p9umlhiOEZW7OUshhfnBXtd7lsTQ0Imk4jAkam2Ye+Sh3fq/q0=@vger.kernel.org X-Gm-Message-State: AOJu0Yw51GI4BM7m2XPO8bTnKeMUGlZBgWR7t2QUbw8WodqONqw8vDAx V92ye2PVQ0ZFobkQvN7tMuDK5XUmO72g/v00Ws8S2e6gwfHWN9axkMd6tArSfzkWYA== X-Gm-Gg: AeBDietbyNgvrktjsWDSCrG+O5WQCvNDxzrUKgxSGlO45TGxRSDn2w7K61LKKM04906 Xx4JKe2o+cXid+0uwEbKc5iRZ3cy2qJ035yMC+qfr/towv/grtjJKdPZE2HzG3uYdLDHW0UyxzV ugcZsbic8osJg5WuENgx2sO8qDRPOoXYzVcn2kOmwlVGynPf1AJaeqhA21Hsz+0on1WwewxNlGJ YnlRgNYWjvqUwSA9jYcr/UVq1DGhbAPMGUANj8XMmfxxMUcDPy6+KKhTBLmwvylbviu9DCmMHZj EXp7MZLIKswVroewcbYqsoBzyoDWUsZEa4nwDIjrBMnoU3NFlRBq86kYXBUXwLzlNy4Su46Dkne TUfTdKeUoPrO4Iv0Xn0fCrivnDF4ZpQevQdITlSmhm1NzdpmvhpbUBPQe63sOU4DmCZeWv+Ocd3 2cloKKBjhvXfscA+J6v/ptK0uDdOG4IBv/T5+YjGA2GjQJCm57rfO01gZlBUjCgZ4Yf+gZAsbsx Lv/X74vZDDJHM4OcA== X-Received: by 2002:a05:6512:3da2:b0:5a4:b2d:25c2 with SMTP id 2adb3069b0e04-5a8631bed57mr3075056e87.27.1777877658949; Sun, 03 May 2026 23:54:18 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a85c22e1d4sm2674579e87.9.2026.05.03.23.54.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 03 May 2026 23:54:17 -0700 (PDT) From: Ricardo Ribalda Date: Mon, 04 May 2026 06:54:09 +0000 Subject: [PATCH v3 6/6] media: amlogic-c3: Add validations for ae and awb config Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-smatch-7-1-v3-6-fda125c30058@chromium.org> References: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> In-Reply-To: <20260504-smatch-7-1-v3-0-fda125c30058@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Bingbu Cao , Tianshu Qiu , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 Avoid invalid memory access if the zones_num is bigger than zone_weight. This patch fixes the following smatch errors: drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max Cc: stable@vger.kernel.org Fixes: fb2e135208f3 ("media: platform: Add C3 ISP driver") Signed-off-by: Ricardo Ribalda Reviewed-by: Jacopo Mondi Reviewed-by: Laurent Pinchart --- drivers/media/platform/amlogic/c3/isp/c3-isp-params.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c b/driver= s/media/platform/amlogic/c3/isp/c3-isp-params.c index 6f9ca7a7dd88..aec3eed0e443 100644 --- a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c +++ b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c @@ -104,6 +104,8 @@ static void c3_isp_params_awb_wt(struct c3_isp_device *= isp, c3_isp_write(isp, ISP_AWB_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AWB_MAX_ZONES) + zones_num =3D C3_ISP_AWB_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { @@ -220,6 +222,8 @@ static void c3_isp_params_ae_wt(struct c3_isp_device *i= sp, c3_isp_write(isp, ISP_AE_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AE_MAX_ZONES) + zones_num =3D C3_ISP_AE_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { --=20 2.54.0.545.g6539524ca2-goog