From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f173.google.com (mail-lj1-f173.google.com [209.85.208.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 30CA733BBB9 for ; Thu, 7 May 2026 20:58:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187495; cv=none; b=ehWPQX8ZCWe4Ddq66QulUXq7WAteui9tcyRuKgtojyPwzlpkfE0/CFazh/+XlfGWXjJ7Ws7dRfQ5OPFKhPRxz74HD36M3WEVpyftMUBgF68nBwlgNCCCQfPJppIP44/ZPxeo6RaE9Y5lH1ZuUHcx5Z0+vDnP3uSc3tZoWERabSk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187495; c=relaxed/simple; bh=o1JBoNSnmeENnVyJCFBJK54WhchLIrjvMvIxsKS/SXc=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=eSLPPrckQHIoiD0h50osbEsT9asf6L/GvpnysfH3LbGoJ1efnU3K5Zz8MVUSWSN/mIItWNG4x0n96k5rmTNpwBerEyKFTi1ZLZvJ+FB3NuKDzujAt3bZrkBQBWPqyay3brGhsBKNdf0KiRjwnhNuoi3c7GGYU2N0wP0KdhyGsBs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=DLTF2boo; arc=none smtp.client-ip=209.85.208.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="DLTF2boo" Received: by mail-lj1-f173.google.com with SMTP id 38308e7fff4ca-38e7b0903cdso11902991fa.3 for ; Thu, 07 May 2026 13:58:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187492; x=1778792292; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=cK+Nktca7F+6iN68JEbLhEZKpbc6Uv2OrCKSJ0NIVg8=; b=DLTF2booHQxiOylxu1wdqSJbHWDN8qX8MtjuaWwV8OopM/pBRNAhJU0clXm+NNfFKi aq77bVfKQu2lnCOzYskWa+n8+EEJ9thddp+YwnZejg2dtckwSJUPSONx1rjBqdzSpzg0 hpBGxVIcIUecj4mAqvU6PQxvDWCpyX+tuNLn4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187492; x=1778792292; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=cK+Nktca7F+6iN68JEbLhEZKpbc6Uv2OrCKSJ0NIVg8=; b=M7ucvAEWAzKyPyhpWJ1TgloG6LhSe/HijfYcrQqi5w0OIj4QO08oPRrPQi0dkniAm5 21BXpCtwTxYiQBuiHP1IhzTMxF6Z2Z6kl3k1VAgjObi2cE30LSGlTGiRNQczf0yrXACQ mCDQ3pjSNJPGnpTbYYcqWhd0q4GYU6MsBkERsBon1pACXs16uOmNgHCM3WCybisWJKqc tVeFoi84AsYB7/4c06mUMC7scRLp+Ow+GC3X/V/8cHd7YvQYRizzj0hB+FduNk7o2MAS ob3lgeTryg7iTlKeYvSIds5tgMqZ4HUA/522VBXKHMYr3QHM7lrwTlF4L1LDtc7BX+FA PVCQ== X-Forwarded-Encrypted: i=1; AFNElJ+iIjAt9BTprhpbddJ7rrpvrG/YS+dX2AyIz80jC6E4AowRaMyKvSIpa0TNsP9TruRll/FNCEAziFRfyBY=@vger.kernel.org X-Gm-Message-State: AOJu0Yz3WHhtoqRVAuCcigUkW/j9TPEZ/XG8oDwhT1Ui8Ir6uFVfy1wD xD1GrHtcfX52/iUIWW1G2JOv/8pCz+eU7pesKvJdPcNyvTZIM6mHHGgyVhicsZ5xvw== X-Gm-Gg: AeBDies6yTpD4gkzg029EJ06y8OLkTTTv9uoTqyfMoQW8DiAth4LUaYXovpZv5ze48Q zpi2sTHTAuagJuK3WdDSYH2BdYMf+EI9BTLvIS5LFrDGbAQ0NnIBhfZQ0UP0aM/7eENCOEAL1ik 7HoWzsrpcEmfYpvzuStnXzay2SHt2gb34TtZ0iBpGkOmDQzvoVuGIrSgELz+yufL8/QRqsRCM43 Lgeh7QAXAinXR2naUdup2RVF0cJltU25WzSCATvqR+c+HAcBMWpres1n/ELisoaz75Vs+sffFOv 4EGWtg+zeORrxUQoW0s3x4r1/wcglor6Ix/ZpB8m3u407EhbBg4SrZvQrl0OSjXG+j9eeABRDLp KqcjWRqT6ySYDTcUkKOPGXydYpsaQn+CnVB//hNibjHf4q3UZkesO25g9QxSHhZF40dBytYeNqL I65qmQC9LRsGVjwjSgTaE/lSJxZXAfWDdgENUVqwECjJaEni8SRAfPn6REP4N3uyy5y6ckaE+jL UnuhLld2VKwe15dmQ== X-Received: by 2002:a2e:a273:0:b0:38c:de21:3e14 with SMTP id 38308e7fff4ca-393c41c97demr25930941fa.19.1778187492474; Thu, 07 May 2026 13:58:12 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:10 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:06 +0000 Subject: [PATCH v4 1/6] media: v4l2-dev: Add range check for vdev->minor Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-1-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , Laurent Pinchart X-Mailer: b4 0.14.3 If the fixed minor ranges are not properly set we could end up in a situation where the calculated minor is invalid. Add a check for this in the code to make it more robust. This check also fixes the following false positive smatch warning: drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: bu= ffer overflow 'video_devices' 256 <=3D 288 Reviewed-by: Sakari Ailus Reviewed-by: Laurent Pinchart Signed-off-by: Ricardo Ribalda --- drivers/media/v4l2-core/v4l2-dev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v= 4l2-dev.c index 6ce623a1245a..5516b2bbb08f 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -1032,6 +1032,11 @@ int __video_register_device(struct video_device *vde= v, vdev->minor =3D i + minor_offset; vdev->num =3D nr; =20 + if (WARN_ON(vdev->minor >=3D VIDEO_NUM_DEVICES)) { + mutex_unlock(&videodev_lock); + return -EINVAL; + } + /* Should not happen since we thought this minor was free */ if (WARN_ON(video_devices[vdev->minor])) { mutex_unlock(&videodev_lock); --=20 2.54.0.563.g4f69b47b94-goog From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2BC2B33B97B for ; Thu, 7 May 2026 20:58:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187497; cv=none; b=cHKwE35a29s8T6y2YY6O/8AdrhRWR0oZ2yDI4sO/NxCwbc5IW6KLGVn+kJZ5eTKxJ2hXGTqIUXzCgdBdm5+Uj+H+PmtGmgQzwTh38rbVFtgSUhKMwJ8Qo4gSZ2vW0zH41R2XNbjEXims1pxIn1IH5/UeHtHJS8etqhoOil+SlXc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187497; c=relaxed/simple; bh=uz/gROx+rjRO7Y7pLi9uXLD8lzDUoRiVHf25jEK7m7c=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=BIi9P9/VsgQP0h3JaPIyjUJeWWQfAQU4j4TIvFK1fivTY72HLbT6PI3Ji52m4PqMbEFlVl44mwQRgnvbYazRQssI/jR72mr/CLxKJThU3/l7MlR9st0oRfnMtP0+YUqKHFzZXXoOttL0z7k4CJhC4VueFr7tB5pJ+tZ4+wwvI6g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Niv6IERJ; arc=none smtp.client-ip=209.85.208.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Niv6IERJ" Received: by mail-lj1-f175.google.com with SMTP id 38308e7fff4ca-38eab6cf7d8so10483451fa.1 for ; Thu, 07 May 2026 13:58:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187493; x=1778792293; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=wsiVHzLscfDV0/HZD1Y9rxslOuv9oKsD+zQVHA3Vk98=; b=Niv6IERJPUAEOnXDdoAiac4Ssp/Z2t3fvstgiqlqsxT3+nnOJCXri7ABwzIGtVIu6m 87SVZU4bb+MLdPBzJD40Xk/eF46+NxC6ARu9iQfdQbhpyD7XVrANL/FR+dTxntqreSfm mL0cXYyg25jWZsk9k+klLuYsRH1oqGmJsK38Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187493; x=1778792293; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=wsiVHzLscfDV0/HZD1Y9rxslOuv9oKsD+zQVHA3Vk98=; b=G2D44VjZEAwiDA/0nyeRSBX4wcuxsuWuoei4xXk4J7e/fSaYxSnave6fmHiZPPaBdj AMyHoAVa78Aa102Oa+zbBIVHSInpQ6CSYQZDtyYvAVg5FBwpdZ8PrasYJ/XwGOPSxikA RW9EnpHe/u0ZeQ8fGDLSMo+O7mUv38g3JddDZUdC+NJb8dSGbOzFwdhwsxmRq97ZdYGh kvuheypA1MRUBDQo6abiAytsDZLWWp4WcJHCzUjCtnSa0z30JRRje8wxHHNjD28BHzKE KAR/7FXm/mXF/3xhcGJkrTGkHeZKGj7oNLbYv0eiC5HkrrtK+zstbUZNJ9CAm7xjyq7I Jo7A== X-Forwarded-Encrypted: i=1; AFNElJ8bxGkuvB6INtOxI4/qBCgMkpRNErTHXJzyxiv5ezkLZXgkwhP231HCrel5GJ5UDcSlFkcsUFsQGhRsnhU=@vger.kernel.org X-Gm-Message-State: AOJu0Yz+Nec5IjEvUBUhutWO4FuN6EB7pM92/Eliq9tUDVFLOaWr8Qh0 1/Ll4iT8i0EbvkDBFZJOSfXRiO9MC0pLqhURi9+AGRJCf7bm8qZ4tAjmAybl2EoEAg== X-Gm-Gg: AeBDievanIKDwxrs+sih/OG9qLO9775fZBwiwaNpBJjUNWrxzjrHjaWzIzJdhbFKBIw HfNlorUEhtd1daLiaxXWl6BVqcoG2fqiBO50I4d07FLa3TEV2L3JoQwvExaHeESCWlF7d3PdTLr TISJj+ad3seRdeeTHvZzZOTJN/EaSVbmAap/vtOXSjfR1ibctTNtC+BTUMSWqnX5ZvEdjn0w7xC qJm0rdS3IekJc2DpE/4dLW7EKhFEPwtpve1Rb2HInQHxbCWPUKOUM1Afusxtr+ZhP3IM2tjxPMZ Fn3qsKX1dlwstAJNCstYCAq0E1486z57EGE0VQJrmePlzNVZyN0do3iB8yOGh51x36kLbzffEjh dvBt7QNwUa8mhDW957sjHqa/oIr3+1jBKK6PLjUOgtJswTyhTKkNqlIdrCwwlR2YYhqa6bh3wBJ Q8Lh7lY4bgEbaiZnrF82VNqAZAlnHOCRfpgpo6Q8pb8XY5K/M3Kcq0q40O+hNwMSBllhrORWm3Z INWxz8= X-Received: by 2002:a2e:9bd1:0:b0:38e:36c2:9bd1 with SMTP id 38308e7fff4ca-393c40fe441mr24746121fa.11.1778187493409; Thu, 07 May 2026 13:58:13 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:12 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:07 +0000 Subject: [PATCH v4 2/6] media: i2c: mt9p031: Rewrite assignment to make smatch happy Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-2-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 The current code makes smatch a bit uncomfortable: drivers/media/i2c/mt9p031.c:799 mt9p031_s_ctrl() warn: assigning (-1952) to= unsigned variable 'data' Probably because smatch is not clever enough (yet). Do a simple rewrite to make sure that smatch understands what we are doing here. Reviewed-by: Laurent Pinchart Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/mt9p031.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c index ea5d43d925ff..8dc57eeba606 100644 --- a/drivers/media/i2c/mt9p031.c +++ b/drivers/media/i2c/mt9p031.c @@ -796,7 +796,8 @@ static int mt9p031_s_ctrl(struct v4l2_ctrl *ctrl) data =3D (1 << 6) | (ctrl->val >> 1); } else { ctrl->val &=3D ~7; - data =3D ((ctrl->val - 64) << 5) | (1 << 6) | 32; + data =3D ((ctrl->val - 64) >> 3) & 0x7f; + data =3D (data << 8) | (1 << 6) | 32; } =20 return mt9p031_write(client, MT9P031_GLOBAL_GAIN, data); --=20 2.54.0.563.g4f69b47b94-goog From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2FCF134107D for ; Thu, 7 May 2026 20:58:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187499; cv=none; b=bsBCKoYkuVztVMh+hY97b8WeJ1v0W1OPo3YP1kwRJXzdhn5dVpOAQQbWEBRcZRRF4cVtRnjWcC4+UMMz6gY++PP6nwK6B8JUvD6SCozgHIK/deYCzHN+bUCBytqRiTMq+hkQbSTsfXQ7/A8sWDUbTacXL64EH3c2XykZ4G/4jkI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187499; c=relaxed/simple; bh=qlDyVSguO43yD+o1D6syNL7bDlNFGJb1XrBv5FCyraM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Rf5DP6Bol18J2jMaSN0mh2ujf/cvqih+PXInWryccaHjIuKUxKuTudfFuChT3Gl2w1nqxD2MjOEbRq8TZhSi+Nanv35vxTd/wYFIO3jTBSR56jyhtXJoVjrEvcVZhp6+BdDBV+DPuaiMK6uIg+mQDtf5cP/6Qga/ykB6nUXSoAo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=EVQ7j/Vk; arc=none smtp.client-ip=209.85.208.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="EVQ7j/Vk" Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-3939d2bd739so12218291fa.0 for ; Thu, 07 May 2026 13:58:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187496; x=1778792296; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=rR9uqI1Ds3GQSANQEb3RBFKQcN17Sla3ff1JK+seUFw=; b=EVQ7j/Vk0pW4YkeYVee4tzv2elhRG20B+64GXeQDslDKUE1CWGszah5JaeWqF8cRFl W8KccwhoUyPRKvLqIrKhH5imFFDXsjmsWQ+vzGQENjzeL/6ynH4W+yphtRABvNr9oyWK ht+87mbIATACGGBIOpTrs2z6N8SFGCkL/bae4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187496; x=1778792296; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=rR9uqI1Ds3GQSANQEb3RBFKQcN17Sla3ff1JK+seUFw=; b=nGvEeSujzVXCpxegnUC1ESKxOCIubRkrsHa8BzB1I2Ituwm3wkkK1kgosQh6RNnE1l 7pkSfyq2NJNaGr+m3uYB/nqQozpAnBiSRIeRk0gBg+R82U6wJHjCrvLnwpfJAGmcNevq 60AELI04NJ9Jh3Livkep1HhX/jDM6ocYaX44uq/l450j8EJXtMi231VSn5gYmo8hb97l 4XytA2gkrP5V06VUgidurP+QFs91kV/xatJnrfCL2vWSMnF5SC8pg8ukPRGjV/UMPoMW vGPOBKkIy/fkRekHZGmr8hTSrVvomIQFou7EHis/qDGQNZRDgjYMccIqWBvMp5tIxkE3 sHQw== X-Forwarded-Encrypted: i=1; AFNElJ+nliSVkYEMXnwjYU3AK/gEypnKYkdLIHIZkdos6WbcL2LaVg/txJcTAhIREk8cd+8D2RGfdGymsv8ZVuM=@vger.kernel.org X-Gm-Message-State: AOJu0YzzHp4z4Bl+tsTlzBHsJolM+JcJJqjd/VWBbNRlgyN083ffNTkT hj5NQ09mFf+bxoR/yBRjoQyLGU3nmkWLAW1PSjqAGnEyeV4R5dkOXK4dUDtjOTbMLw== X-Gm-Gg: AeBDievPOMpyN3a0WRGCSjSWLhBPK/uE7sUd/5ucv77BkSn/Xvsm2McwvvEJlZn/8/k 9vKGyVnhXV0BJ+/FVZl0K2lhqjusPazHj9yicM6SrgLf4eKoT35rZ6F3xC2JMkepokRa7ML17uY 5c2CfVM6+EZqOO/Cb/TfvD3L/R80D3Z+iXtFfj7OjJ5yRZhHXJHcn0pCJRhUT19so+2jIungZAF 5Y7XQ33LI9EqFqMccbAh6S+NTZuFY4y//ktJUWj8NTD0+A/7MuwHF0vv2s00TUl55ClfQ4hA4Kx 5pNcDrkozLwMPXhOxWkjAb7vAQkZsk0JL6iqtuZwT9Lm+T5I69iGRnzdA2EunwJPGLNChGEqtK4 dkoj8KLj+XwlJKM47BoGwaT9s4KFStPyhey5QyKkhmCoD8Q3RTNkoHvd95ClIk7suElqoAoGUad FfIUIHdFdPrp1uEcSO1/aU9+IMo7AEKf5fx3t7Yi70nuU4MQue0Ru4RPiqfq4Zzxqb0JZ3wWWKp fvF6tc= X-Received: by 2002:a2e:95d4:0:b0:38e:d870:1db4 with SMTP id 38308e7fff4ca-393c41efc1amr27481061fa.22.1778187496487; Thu, 07 May 2026 13:58:16 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:14 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:08 +0000 Subject: [PATCH v4 3/6] media: i2c: adv7604: Add range checks for chip info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-3-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , Hans Verkuil X-Mailer: b4 0.14.3 If the driver's chip information is invalid we can end up accessing an invalid memory region. This fixes the following false positive smatch errors: drivers/media/i2c/adv7604.c:3672 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D 4294967294 drivers/media/i2c/adv7604.c:3673 adv76xx_probe() error: buffer overflow 'st= ate->pads' 7 <=3D u32max Reviewed-by: Hans Verkuil Signed-off-by: Ricardo Ribalda --- drivers/media/i2c/adv7604.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 67116a4ef134..ae75982fb514 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3668,6 +3668,12 @@ static int adv76xx_probe(struct i2c_client *client) =20 state->source_pad =3D state->info->num_dv_ports + (state->info->has_afe ? 2 : 0); + if (WARN_ON(state->source_pad >=3D ADV76XX_PAD_MAX)) { + err =3D -EINVAL; + v4l2_err(sd, "invalid chip info\n"); + goto err_i2c; + } + for (i =3D 0; i < state->source_pad; ++i) state->pads[i].flags =3D MEDIA_PAD_FL_SINK; state->pads[state->source_pad].flags =3D MEDIA_PAD_FL_SOURCE; --=20 2.54.0.563.g4f69b47b94-goog From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32AB0342CBA for ; Thu, 7 May 2026 20:58:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187501; cv=none; b=JwBM4jdGC/d88FuhB8joZwW+MN9t0x0VvwwMw7VA0gDxxkG0XYecaiOnSxkly0wHOoCvDTnBDq4uQR5xRaV27qh5r6CTv84bwAMT1e87GI086FXlp5qEzaInHEwzcSMDsKYE8Rf17rRwxaNS9Tt4GfjSAhJq4ACMPTxWiiL9dhA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187501; c=relaxed/simple; bh=bhiAdfSzncpURbgdsQrG1MdM2mxUmXSubgdV4ifgDbk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=qDMEZIfjEaQWe6Y/YlqX35cWuScD/rdp1kodENSb5vn14+cHnoADyqDHhEyM6AFt7DK13eCdsbk6QamNByIDHFFV9W4/OEUsKEJvsDJVkxk/mAn8UwAOn5FBFjlz8XuU33K1kMprwrCqqNI3rgndWI2KsnaKgkIvKMLkb79yk18= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Yq8TVhvW; arc=none smtp.client-ip=209.85.208.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Yq8TVhvW" Received: by mail-lj1-f171.google.com with SMTP id 38308e7fff4ca-39393ec4ed0so11952621fa.0 for ; Thu, 07 May 2026 13:58:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187498; x=1778792298; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=UAoOc6QkMdG4r56PaqK1IeCoUwn5Lvm7uulH9yzKLh8=; b=Yq8TVhvWSvmYOuX2oV01ByLJmRytAIff/1LHPePFl15JVS9dDzd2cRHLsckAhTBUOG 8cNKJoJD/pG1ZfX7H6USERbjGMQskFrCUyRVaia1QvcRuLkoFgXpoi/SQZYOAOBLhSoN YqM/I53hqvJPfamk2sZ0ZoJN3AQV1zLb/Fboo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187498; x=1778792298; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=UAoOc6QkMdG4r56PaqK1IeCoUwn5Lvm7uulH9yzKLh8=; b=h6BUOv6712RM5U3c52Yuo4V/121dWK6pcDDBDZGakw9u8etKU0cqPOcY+u+mTpy3bb XcQMdWs85WRrFTifig/smLEgt71LnOqVC6QH75Kd3pTmPAurvcbg2fAo3ePXcRTo8UnR x+KZ5SoDxSQNg43fdgwi298d0PA5Q5AIuqBf10GGPDoMpx7jH971tia9hij1eVmPHY4s Zhivy8SDwOt32Ch7dMo/WxWPO6KrRkt9Z+8D4JnaMuDnZcpIXDFc1TZ/xie6Hjd57e3n 5ZtpqBGq1aBjOlgZfAKRf3ElxgWUIjueYEJJUS9ucnhdswgKc5YLob08EDRE71pRqWpv Nf+g== X-Forwarded-Encrypted: i=1; AFNElJ94+6JnGyrZLcQ2fWaUX82dw5h+N663Pgtvek0ETrvA2rn96iU8p8Nkj7uMd8QeQajETchsIlDV+XXVRtQ=@vger.kernel.org X-Gm-Message-State: AOJu0YwGaZlvA4Z2R50aIaQ2OcWSHYXyDgrRMha3xMcX9q8SN+hm4cZW lUcUfFprGwy88JPkfATajoWDARgFWI5M9EOCQmd7684xRaLIYDeTo+bGHJhzJZcmXw== X-Gm-Gg: AeBDietXg9S6yfzIeAqcfnWwXG29s1xBIY7LPT80Ofe+7v5/kYQOXPMIEF0QdxanWTv SSCZtX93gYOkRkTAH0WP18lO20wcXf6toIch/I5/TGfbrFiv2TCwgp+6YO0GJr9tU01T+R556fQ IXCX263oTDfL53wij0SunjpYRS+1+9MjXb8VxnmxBECdXJJ0xoNeJ5XGcun3+x/1eYz0KP8fd59 ZYV/PGLxZZ8P8e6rXppQD6RrQiuX1pzgyVeJuWEj+ZAnQcIjeA8uzd4wi1TW16az0dk+6MIcwXp CMrCdiO8tC4FDAe5iGoBFvKdiy70fUo6F6NUJiCUSuWdE+UGYhOxtPsNOEjuXmWQUXbMmoQ6EmR GG5eoGTLSzaWUjEUU/GAPAtxHKOx2sBOKkx7+BMH7IexBl8El+8esMnmYiqYU4cHOSXeX/Ks9s3 h6/emk+MrMaXg1A5yp5UDNuzR/lfrqvzm054JV6g/WbDXM+7UOSIcZeRyXKiaSCnlfwzxW2T02I pQ/NEo= X-Received: by 2002:a05:6512:681:b0:5a8:52e0:7bc5 with SMTP id 2adb3069b0e04-5a887ce6338mr3443107e87.27.1778187498409; Thu, 07 May 2026 13:58:18 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:17 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:09 +0000 Subject: [PATCH v4 4/6] media: chips-media: wave5: Add range checks for dec_output_info Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-4-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda X-Mailer: b4 0.14.3 If the driver's dec_output_info contains invalid data the driver can write in invalid memory. Add a range check for that. This fixes this smatch error: drivers/media/platform/chips-media/wave5/wave5-vpuapi.c:588 wave5_vpu_dec_g= et_output_info() error: buffer overflow 'inst->frame_buf' 64 <=3D 127 Signed-off-by: Ricardo Ribalda Reviewed-by: Nicolas Dufresne --- drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c b/driv= ers/media/platform/chips-media/wave5/wave5-vpuapi.c index d26ffc942219..f77abd5e122a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c @@ -584,8 +584,15 @@ int wave5_vpu_dec_get_output_info(struct vpu_instance = *inst, struct dec_output_i p_dec_info->num_of_decoding_fbs : p_dec_info->num_of_display_fbs; =20 if (info->index_frame_display >=3D 0 && - info->index_frame_display < (int)max_dec_index) - info->disp_frame =3D inst->frame_buf[val + info->index_frame_display]; + info->index_frame_display < (int)max_dec_index) { + u32 idx =3D val + info->index_frame_display; + + if (WARN_ON(idx >=3D MAX_REG_FRAME)) { + ret =3D -EINVAL; + goto err_out; + } + info->disp_frame =3D inst->frame_buf[idx]; + } =20 info->rd_ptr =3D p_dec_info->stream_rd_ptr; info->wr_ptr =3D p_dec_info->stream_wr_ptr; --=20 2.54.0.563.g4f69b47b94-goog From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2324B343D85 for ; Thu, 7 May 2026 20:58:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187502; cv=none; b=I5sOC2dZ6QH1WdZM3bh+Mc6C+KsXmelAQyL/ThJa3dRsoxb1xB5UdFis1ms5ZaU8x1CBU/+/mTxgVnqVAgnwRoPArf2hvS8zpZccQiJVkVPdvkf2aoXQwgDm4zMSH2x0/+0D966y6uniHW733p0rnSzricldEgF9ekFyzUNVnOE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187502; c=relaxed/simple; bh=Kj70iDTzSgfkdpFGrFm7jqyxrLXQ8vQDqKV0w2y4QJI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=GIl+PckbLXEqKlihtrDD2t8vAAEqUm3ldy0mOTDONycGBkWk47kpLqJwnQcZJeHn37H1IxCH8yvOidcyg4ewDhxidJZZbrIYsde9UBPz+52XUEiVVXRjDSlc5BM2sgc8gIinzoKwnvY01+ZRPsnuQXQSHoORF5ShaaN60+/sVDQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Sz5CdcuY; arc=none smtp.client-ip=209.85.208.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Sz5CdcuY" Received: by mail-lj1-f175.google.com with SMTP id 38308e7fff4ca-3937014be0cso11493461fa.0 for ; Thu, 07 May 2026 13:58:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187499; x=1778792299; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=BEKESsFN6b/rn96AIqBdX/QKktD4/S30+ixOsI61EpA=; b=Sz5CdcuYUVI5WWP+/Nv/W2biFqGD8gdbTUQShAtPZoqZ3MGaWWM2KSIepNHBa2cYxq 4U5Pz3airKv5RIVBdhvlU34s82wNiFb+scOYaOSn+bljcTA1h5GLLEfpXk0EySoWI7We D5dsEUjRFkbhJ7my+bz6bw9F8lDa2roM4pG7c= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187499; x=1778792299; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=BEKESsFN6b/rn96AIqBdX/QKktD4/S30+ixOsI61EpA=; b=muhQ+K2mj+kUW2XNE4yKnr5WkMmB1laEA2Nd+DfsC+c/86Ffav/Oo5Eowc+rsZTyqX TnElWSBodgznkER+d6WZIFK4ysO47SUSnHe5NJk0ufOFJNFlzwDFQk/XXfg+7ZKtpbaz oHywCozwtD93E84oAiTcjtmemV9RnTICrKhUuOzoniXWYrcXfQcI8oFjaciVAJ7ynfjo EXBVsyc2j3smbk/LhAGH0sLH4RzfcLb42vw+BHbqn5//26LgORRogShkr61/oNBO/l0o AQidl8d7xP5CZMoDlswnObZOGJ82WzOW+Alfb08Nwd4uNq6irt+Ib5Bpd3ur2NuFsBjt y2dA== X-Forwarded-Encrypted: i=1; AFNElJ+QrJxPOkV97LFiIPs8AGmyz5Ozrva1ksE2aap7PuJPKA9WdYiFWvUpyMfKZpy6lN5QYFBMUKiJvuHv1Aw=@vger.kernel.org X-Gm-Message-State: AOJu0Yxmm7Z+mm7Kv/l2bDF1AhmH1cm21ArqeB8oSwHwye1Ten1dUc+6 7Wg9Aik5oTHqjgqdsBpoxVop3dtsgiC5T+39R5pOOlYneudBGown1p1YUQXey21ybA== X-Gm-Gg: AeBDietyZVT0esN0Ha/dA2uAXOnkvs6skPTB01FZwlAkgziuOPWVAH2CKbURzPdqn59 Vcp5lR8nryjHgQ0GGbd+RIZe2MxIW9efTVM688Ie0h4IkPpEQUVI++faHEiuOZwJTLHxxWwalZt 6lgig6MQ58qjYkrnrIiublm24nI84247aKYsysbKuVngCivHFMX6+FHEBe/ihkqlTJsqpcyZSB2 jleHo5o8PnBHIbvS2viad8mJDCoYPf8BRJ4xlKXaWBIE7t3VmLh6HNIN67w1d7q5VXqpeIyaPvg fpBJjJe4uDZ5VDOTka6uGBMmr7fh4bDxM50C2vXI+c7XqGX0VyBw8QZiO0POYYI0gaFzA6r7ZQP gyQ9G1w0xP7IxL2Cyl+Xwt/YOzz1+1ctnAt0Zw/4niiJH9MS9Y01u27dYm/2LR0VCtq2+dI5/IF WuKN6OQCZ4FK0CnluQCCnc/DdInHfmTFCCjEJU0VNPCnR7yPBkKpKXnKCg6yNHR7LMPfoJXWTDw Ey5AwM= X-Received: by 2002:a2e:b8cd:0:b0:393:b365:6e28 with SMTP id 38308e7fff4ca-393f4fc95e1mr148531fa.31.1778187499396; Thu, 07 May 2026 13:58:19 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:18 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:10 +0000 Subject: [PATCH v4 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-5-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 If the driver's stripe information is invalid it can result in an integer underflow. Add a range check to avoid this kind of error. This patch fixes the following smatch error: drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe()= warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit= into 65535 'acc->stripe.bds_out_stripes[1]->offset' Cc: stable@vger.kernel.org Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program c= cs") Signed-off-by: Ricardo Ribalda --- drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging= /media/ipu3/ipu3-css-params.c index 2c48d57a3180..92cce31e35c5 100644 --- a/drivers/staging/media/ipu3/ipu3-css-params.c +++ b/drivers/staging/media/ipu3/ipu3-css-params.c @@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *c= ss, unsigned int pipe, acc->stripe.bds_out_stripes[0].width =3D ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f); } else { + u32 offset; + /* Image processing is divided into two stripes */ acc->stripe.bds_out_stripes[0].width =3D acc->stripe.bds_out_stripes[1].width =3D @@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *= css, unsigned int pipe, acc->stripe.bds_out_stripes[1].width +=3D f; } /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */ - acc->stripe.bds_out_stripes[1].offset =3D - acc->stripe.bds_out_stripes[0].width - 2 * f; + offset =3D acc->stripe.bds_out_stripes[0].width - 2 * f; + if (offset > 65535) + return -EINVAL; + acc->stripe.bds_out_stripes[1].offset =3D offset; } =20 acc->stripe.effective_stripes[0].height =3D --=20 2.54.0.563.g4f69b47b94-goog From nobody Sat Jun 13 11:29:02 2026 Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06575343D7B for ; Thu, 7 May 2026 20:58:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187505; cv=none; b=coBuwOeP8TtzVeoGE+WH4eOudg6/LyTJB/eultt/w4u+2LaG8LE+Q9wSUOKVzNXRMPtKzkjEq2b0M5A5uJMCEYykXft/hp8pq06Qx5MWaS1o4i+nSyrrBbSMv4WwHRoQ+98gMMs1ErNLIVM3MgoQ3Z94A7ww4CovH6mHFgnCf48= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778187505; c=relaxed/simple; bh=d+O67gl2GIGylI6phsIj9TBlpbKokc/OVLyxskjLlYY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=WxU6pO1oHmc8Q8MSudhi1QH5W/cekkjsblaarZ2PgRGVicmoGnnA/yDwPZ1fVOew89wNNd1Bcm9S8fXW54F/uCx6nZnQB4pgNTwu8NeUgxSfLZbWW3rSZ0HStKX7Y+VEA+dlyBTW/eh5IYiETBukrdidrXjO2BCIiKzrFdVMchg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=YvSM6sac; arc=none smtp.client-ip=209.85.208.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="YvSM6sac" Received: by mail-lj1-f179.google.com with SMTP id 38308e7fff4ca-3922b35e69cso10920061fa.0 for ; Thu, 07 May 2026 13:58:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1778187501; x=1778792301; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=62sCEoVz1H20Bvb3z6VX8x/23MkbndGwBQZwPeDoJW4=; b=YvSM6sacUMKa5ReKxmV7Q6pj41AlEYXrqcgW7YQSTTQhdE1QTtPNvF4irkpkkSJtUB 8B1tPznI35SNAR73xrdhf4ZMOqTFI30H884e8NwPDMUdEtbVTgxiqpe+361SEe2CRi+v 4mv12opnfXkfMF6RV033R4C+XztH7q+uy1Ex4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778187501; x=1778792301; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=62sCEoVz1H20Bvb3z6VX8x/23MkbndGwBQZwPeDoJW4=; b=oWVmJYjJjnI4C23KMPQATEYQEfKKFsp1j9bGAJGL660XvYxp2dAso9jZ7DrMx5Zmg/ GEl/1FFV2/x2kBWv33QIESHPXxJbDA6ld8nhf7BRt14gvpqzWp9iw0hv2hzssXOZZZtS lwzaCOXlhZyjlft7XpbPTL4Nn84vVwQuRzfVCf/Y+Im56zcCj67jL0dfpzJu+xJuli7+ ZvVIKShe8C49QowW8JamaSKIZrCqM0F+tQ8M41BQWmeU7w+w2OvWj784x8AuIUr9rS25 guXnV247P6QPIAUnihXcDOltxNVsyStQNMdTkhGQ8dDeefIPZhnQ0QudDQFxlsPxjnSk BQZg== X-Forwarded-Encrypted: i=1; AFNElJ9N3OZ57ZZOBmgQ1aEHByzmSliTd32xk6/AHW1vJ9QZgwZg/VJgUYCi1pExvgQctLFnUR/oAWZJRckXngY=@vger.kernel.org X-Gm-Message-State: AOJu0YytLq0qPX6z28GWqmDUSXXe4fqaE0r4JTPttSwnoaP63yizy/bz KtogQcKOd6rwH2NytGb1P5Fvkytk4E2Iy+ClXWc1nhdFh61uX/m5JDPft+Y4l1Q6bA== X-Gm-Gg: AeBDietEQs/P000v1OuzfFAzmjXgzeZtMRZFFTRft9KttoBdcJDPbkzGriU1bh0W4pp zlPvO9SRE3At8VSUomtTsnlLoTTjBsvDnZg+s71+6Cw7YwEK09TpkKRzM4ggRjDwhL9aX105MzE ZVEFuHIUOGiZqcWOMElfIsdpr75vSWeQ5mgNT5KwPIBQu1KYcYBRKv3QHs4wkEpbwmbLVuPq9t6 kV0V3GoELY5mzkt7j3vAauMJnt1xIkzPa6R68e7f8wuwsMxEja7wMnN4/aB86yaIWPZflVUUVqf vM5Vrx7Ax2GuzHUr1/IpxAHK/wZWAfhCfc9ItgTj+IIuD7RoTZJHRRlxqlR7DEIfKmiNnaugNJ6 jk1Ei57CD/s61436Ch9x8dOJgSQ05nFpyb2bQJEh5PhUu3Ns3k7oMAisw8gMvPFmMP8wIZXx8Tz 1mZNsdo/uv5LnIUg5lfbRR3Wz7YjHGzS2EVYnnVvNP7AbZvN5GU53IfTWcdq76haN7KC8RO/hNF kjF7xs= X-Received: by 2002:a2e:9783:0:b0:393:903c:225b with SMTP id 38308e7fff4ca-393c4338719mr27191651fa.31.1778187501297; Thu, 07 May 2026 13:58:21 -0700 (PDT) Received: from ribalda.c.googlers.com (52.163.228.35.bc.googleusercontent.com. [35.228.163.52]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-393eee53655sm2325571fa.0.2026.05.07.13.58.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 May 2026 13:58:19 -0700 (PDT) From: Ricardo Ribalda Date: Thu, 07 May 2026 20:58:11 +0000 Subject: [PATCH v4 6/6] media: amlogic-c3: Add validations for ae and awb config Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260507-smatch-7-1-v4-6-cc195f142167@chromium.org> References: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> In-Reply-To: <20260507-smatch-7-1-v4-0-cc195f142167@chromium.org> To: Mauro Carvalho Chehab , Laurent Pinchart , Sakari Ailus , Hans Verkuil , Nas Chung , Jackson Lee , Greg Kroah-Hartman , Keke Li , Yong Zhi , Jacopo Mondi Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, Mauro Carvalho Chehab , Ricardo Ribalda , stable@vger.kernel.org X-Mailer: b4 0.14.3 Avoid invalid memory access if the zones_num is bigger than zone_weight. This patch fixes the following smatch errors: drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb= _wt() error: buffer overflow 'cfg->zone_weight' 768 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_= wt() error: buffer overflow 'cfg->zone_weight' 255 <=3D u32max Cc: stable@vger.kernel.org Fixes: fb2e135208f3 ("media: platform: Add C3 ISP driver") Reviewed-by: Jacopo Mondi Reviewed-by: Laurent Pinchart Signed-off-by: Ricardo Ribalda --- drivers/media/platform/amlogic/c3/isp/c3-isp-params.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c b/driver= s/media/platform/amlogic/c3/isp/c3-isp-params.c index 6f9ca7a7dd88..aec3eed0e443 100644 --- a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c +++ b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c @@ -104,6 +104,8 @@ static void c3_isp_params_awb_wt(struct c3_isp_device *= isp, c3_isp_write(isp, ISP_AWB_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AWB_MAX_ZONES) + zones_num =3D C3_ISP_AWB_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { @@ -220,6 +222,8 @@ static void c3_isp_params_ae_wt(struct c3_isp_device *i= sp, c3_isp_write(isp, ISP_AE_BLK_WT_ADDR, 0); =20 zones_num =3D cfg->horiz_zones_num * cfg->vert_zones_num; + if (zones_num > C3_ISP_AE_MAX_ZONES) + zones_num =3D C3_ISP_AE_MAX_ZONES; =20 /* Need to write 8 weights at once */ for (i =3D 0; i < zones_num / 8; i++) { --=20 2.54.0.563.g4f69b47b94-goog