From patchwork Wed Jul 26 16:57:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= X-Patchwork-Id: 126527 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a985:0:b0:3e4:2afc:c1 with SMTP id t5csp590085vqo; Wed, 26 Jul 2023 11:35:55 -0700 (PDT) X-Google-Smtp-Source: APBJJlGBq0fcVL3W2EDN6BNVwwU3DQGRYfDkh5C6G9PQWz2vRlGjBemzA84uqIcyS9ttQcJ3sl+0 X-Received: by 2002:a17:902:b708:b0:1b6:b703:36f8 with SMTP id d8-20020a170902b70800b001b6b70336f8mr334377pls.25.1690396555444; Wed, 26 Jul 2023 11:35:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690396555; cv=none; d=google.com; s=arc-20160816; b=CJujCf8sc5sVdXbPZigu0uoUZRpLfsxcXoSUhsRGp6p6tJFqbfxyycyUgk5xATYnCb Vp9PCLDVm/xytsufL8/DEM4XWW2PlUHhUr5PwLBItmiB/rx72G5He6Q46YKQLhmoivwV q7XjP0L2IeXTW+XWRwMRntB9wzCnc1zcVIA2bgPoXgDbjbGnbaQBlTFcQQgnOTT7HoWT v5Qe9IS1rjNhvxKeAEBd9RWBWDTiDB1VHPQ+Y2WxN4cy1ztMb4Ol+/JR4LYzNl3V6S+7 1mlZQh5duQGiX0wuBtP7Ivnlp1xWTE/1fpzkl11UTeLowyPpAxgoHgPZ8SDmpyGRC5X0 JJoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=ObpI3zj6Xl6C0CBu+Oy2cnCWLWyG0w8ErsnM9u7VILU=; fh=avi8W7X79y1W8coO2PeC6qovCBw8g7f9CpoyH9kOFQ8=; b=0b4EqgHA7Y3Vj6OtxiDM7sXAEu9p08qKLOT6OMq6VVBvNlYkryVo/+VLWgNtWcgyDj MHUE/4QtzoVxg1/oGxRJR+V8atMI64GR7RcbMsFU2bY+M+hNfoMDqYR1zL0LRTA4b98P iQKz2K9jA63v3xAajga+MGMr3mdlvHz8u+8bCPClOAlXy9FnvVmUmkiCAltb82fKOg8I BQI/M1hZjQtDdh3QF2nR/ff78XX2+ECDV/OAdPJSev9n6gSXoQtgHft6qlao7H5t7acL QZOWNlxEoPOdlMaaxEiOjG7bZVHHUtzuhgMcLDxXg+jRVnV9qeHRoF8gu9J6caBr/vuq 1AsQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=Y6BeWLgM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f1-20020a170902684100b001bb907f3981si8078894pln.302.2023.07.26.11.35.41; Wed, 26 Jul 2023 11:35:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=Y6BeWLgM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232312AbjGZQ6J (ORCPT + 99 others); Wed, 26 Jul 2023 12:58:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41358 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232179AbjGZQ5z (ORCPT ); Wed, 26 Jul 2023 12:57:55 -0400 Received: from madras.collabora.co.uk (madras.collabora.co.uk [46.235.227.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7EE89C; Wed, 26 Jul 2023 09:57:53 -0700 (PDT) Received: from notapiano.myfiosgateway.com (zone.collabora.co.uk [167.235.23.81]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nfraprado) by madras.collabora.co.uk (Postfix) with ESMTPSA id A2852660709C; Wed, 26 Jul 2023 17:57:49 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1690390672; bh=GlSb/Bi4XjuFoQXGAU8G64f+6li+1Qu1vQWug/7FS4g=; h=From:To:Cc:Subject:Date:From; b=Y6BeWLgMrfIcehv5Ih0vL+HDn+bwY/cr2pesUVlIOakGBv2jPOsnhgCHHMoLQfonw 5n4dnGMiYpWm+DJEToZmn1iUqHIazQJ+WEd/rw+B+dfxnwttftEpKYYlNEPJ0LMRQZ VElt4B1JoxD92zSWdD+vcjJ+2YsvEIIU1IYifPCyJwU4AIioe/JWHJuzFLZgjqUlev NNQ2KRAiCa7f6K6uLij5Wmpwc3soLAoXy+3WAhTpIhu5OAzqUhSMVL42Ih4y5iQpcu s8ce4GJ9a53q2gZBYUU40Jxg9qfwG1DGNgCWS3jn2WjigPEfwMHdHZMAhSj/Vx29E1 Y2VVSGXhTgy8g== From: =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= To: Hans Verkuil Cc: kernel@collabora.com, AngeloGioacchino Del Regno , =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= , Andrew-CT Chen , Matthias Brugger , Mauro Carvalho Chehab , Tiffany Lin , Yunfei Dong , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-mediatek@lists.infradead.org Subject: [PATCH v2] media: mediatek: vcodec: Consider vdecsys presence in reg range check Date: Wed, 26 Jul 2023 12:57:39 -0400 Message-ID: <20230726165742.614248-1-nfraprado@collabora.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772509258467443911 X-GMAIL-MSGID: 1772509258467443911 Commit fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon") allowed the driver to read the VDEC_SYS io space from a syscon instead of from the reg property when reg-names are supplied. However as part of that change, a smatch warning was introduced: drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11 With a correct Devicetree, that is, one that follows the dt-binding, it wouldn't be possible to trigger such a buffer overflow. Even so, update the range validation of the reg property, so that the smatch warning is fixed and if an incorrect Devicetree is ever supplied the code errors out instead of causing memory corruption. Reported-by: Hans Verkuil Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl Fixes: fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon") Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: NĂ­colas F. R. A. Prado --- Changes in v2: - Tidied logic by moving number of maximum regs to separate variable - Rebased on top of Hans' for-v6.6i branch drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c index 6cf5f88a3a8e..f5b8c37f32f5 100644 --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c @@ -96,6 +96,7 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev) int reg_num, i; struct resource *res; bool has_vdecsys_reg; + int num_max_vdec_regs; static const char * const mtk_dec_reg_names[] = { "misc", "ld", @@ -122,10 +123,13 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev) else has_vdecsys_reg = true; + num_max_vdec_regs = has_vdecsys_reg ? NUM_MAX_VDEC_REG_BASE : + ARRAY_SIZE(mtk_dec_reg_names); + /* Sizeof(u32) * 4 bytes for each register base. */ reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg", sizeof(u32) * 4); - if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) { + if (reg_num <= 0 || reg_num > num_max_vdec_regs) { dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num); return -EINVAL; }