From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 1/5] media: dib8000: rewrite the init prbs logic
Date: Mon, 21 Jun 2021 13:56:45 +0200
Message-Id: <4727871dc9f255dbaed6f44799f9980d41e5f637.1624276137.git.mchehab+huawei@kernel.org>

The logic at dib8000_get_init_prbs() has a few issues:

1. the tables used there have an extra unused value at the beginning;
2. the dprintk() message doesn't write the right value when
   transmission mode is not 8K;
3. the array overflow validation is done by the callers.

Rewrite the code to fix such issues.

This should also shut up those smatch warnings:

	drivers/media/dvb-frontends/dib8000.c:2125 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14
	drivers/media/dvb-frontends/dib8000.c:2129 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_2k' 14 <= 14
	drivers/media/dvb-frontends/dib8000.c:2131 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_4k' 14 <= 14
	drivers/media/dvb-frontends/dib8000.c:2134 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14

Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/dvb-frontends/dib8000.c | 56 +++++++++++++++++++--------
 1 file changed, 39 insertions(+), 17 deletions(-)

diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-fron= tends/dib8000.c index 082796534b0a..541f8b9f5f8a 100644 --- a/drivers/media/dvb-frontends/dib8000.c +++ b/drivers/media/dvb-frontends/dib8000.c 
@@ -2107,32 +2107,53 @@ static void dib8000_load_ana_fe_coefs(struct dib800= 0_state *state, const s16 *an dib8000_write_word(state, 117 + mode, ana_fe[mode]); } =20 -static const u16 lut_prbs_2k[14] =3D { - 0, 0x423, 0x009, 0x5C7, 0x7A6, 0x3D8, 0x527, 0x7FF, 0x79B, 0x3D6, 0x3A2, = 0x53B, 0x2F4, 0x213 +static const u16 lut_prbs_2k[13] =3D { + 0x423, 0x009, 0x5C7, + 0x7A6, 0x3D8, 0x527, + 0x7FF, 0x79B, 0x3D6, + 0x3A2, 0x53B, 0x2F4, + 0x213 }; -static const u16 lut_prbs_4k[14] =3D { - 0, 0x208, 0x0C3, 0x7B9, 0x423, 0x5C7, 0x3D8, 0x7FF, 0x3D6, 0x53B, 0x213, = 0x029, 0x0D0, 0x48E +static const u16 lut_prbs_4k[13] =3D { + 0x208, 0x0C3, 0x7B9, + 0x423, 0x5C7, 0x3D8, + 0x7FF, 0x3D6, 0x53B, + 0x213, 0x029, 0x0D0, + 0x48E }; -static const u16 lut_prbs_8k[14] =3D { - 0, 0x740, 0x069, 0x7DD, 0x208, 0x7B9, 0x5C7, 0x7FF, 0x53B, 0x029, 0x48E, = 0x4C4, 0x367, 0x684 +static const u16 lut_prbs_8k[13] =3D { + 0x740, 0x069, 0x7DD, + 0x208, 0x7B9, 0x5C7, + 0x7FF, 0x53B, 0x029, + 0x48E, 0x4C4, 0x367, + 0x684 }; =20 static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchann= el) { int sub_channel_prbs_group =3D 0; + int prbs_group; =20 - sub_channel_prbs_group =3D (subchannel / 3) + 1; - dprintk("sub_channel_prbs_group =3D %d , subchannel =3D%d prbs =3D 0x%04x= \n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group= ]); + sub_channel_prbs_group =3D subchannel / 3; + if (sub_channel_prbs_group >=3D ARRAY_SIZE(lut_prbs_2k)) + return 0; =20 switch (state->fe[0]->dtv_property_cache.transmission_mode) { case TRANSMISSION_MODE_2K: - return lut_prbs_2k[sub_channel_prbs_group]; + prbs_group =3D lut_prbs_2k[sub_channel_prbs_group]; + break; case TRANSMISSION_MODE_4K: - return lut_prbs_4k[sub_channel_prbs_group]; + prbs_group =3D lut_prbs_4k[sub_channel_prbs_group]; + break; default: case TRANSMISSION_MODE_8K: - return lut_prbs_8k[sub_channel_prbs_group]; + prbs_group =3D lut_prbs_8k[sub_channel_prbs_group]; } + + dprintk("sub_channel_prbs_group =3D %d , 
subchannel =3D%d prbs =3D 0x%04x= \n", + sub_channel_prbs_group, subchannel, prbs_group); + + return prbs_group; } =20 static void dib8000_set_13seg_channel(struct dib8000_state *state) @@ -2409,10 +2430,8 @@ static void dib8000_set_isdbt_common_channel(struct = dib8000_state *state, u8 seq /* TSB or ISDBT ? apply it now */ if (c->isdbt_sb_mode) { dib8000_set_sb_channel(state); - if (c->isdbt_sb_subchannel < 14) - init_prbs =3D dib8000_get_init_prbs(state, c->isdbt_sb_subchannel); - else - init_prbs =3D 0; + init_prbs =3D dib8000_get_init_prbs(state, + c->isdbt_sb_subchannel); } else { dib8000_set_13seg_channel(state); init_prbs =3D 0xfff; @@ -3004,6 +3023,7 @@ static int dib8000_tune(struct dvb_frontend *fe) =20 unsigned long *timeout =3D &state->timeout; unsigned long now =3D jiffies; + u16 init_prbs; #ifdef DIB8000_AGC_FREEZE u16 agc1, agc2; #endif 
@@ -3302,8 +3322,10 @@ static int dib8000_tune(struct dvb_frontend *fe) break; =20 case CT_DEMOD_STEP_11: /* 41 : init prbs autosearch */ - if (state->subchannel <=3D 41) { - dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->= subchannel)); + init_prbs =3D dib8000_get_init_prbs(state, state->subchannel); + + if (init_prbs) { + dib8000_set_subchannel_prbs(state, init_prbs); *tune_state =3D CT_DEMOD_STEP_9; } else { *tune_state =3D CT_DEMOD_STOP; --=20 2.31.1
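
Review bot: in dib8000_get_init_prbs() the new bounds check tests only ARRAY_SIZE(lut_prbs_2k), yet the same index is then used on lut_prbs_4k and lut_prbs_8k. All three are declared [13] in this hunk, so the check holds today, but nothing ties the sizes together; one shared size macro for the three declarations, or a BUILD_BUG_ON comparing the three ARRAY_SIZE values, would keep it valid if a table is ever resized. Two smaller points in the same function: the new local prbs_group holds the PRBS value rather than a group and is an int returned as u16, so a u16 named prbs would read better, and the initialiser on sub_channel_prbs_group is now dead because the variable is assigned unconditionally right after.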
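
Review bot: removing the "c->isdbt_sb_subchannel < 14" guard in dib8000_set_isdbt_common_channel() changes which subchannels get a table value, and the changelog does not mention it. Before, subchannel 14 and above got init_prbs 0; now only values with subchannel / 3 >= 13, that is 39 and above, return 0, so 14..38 pick up table entries this path never used. If the wider range is intended it deserves a line in the commit message; if not, this caller still needs its own limit.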
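
Review bot: in CT_DEMOD_STEP_11 of dib8000_tune() a return of 0 from dib8000_get_init_prbs() is now the only out-of-range signal, which works because the leading 0 entries were dropped and no remaining table value is 0. Please document that on the function (0 means invalid subchannel) so a later table edit does not break it silently. The effective limit also moves from "subchannel <= 41" to subchannel / 3 < 13, so 39..41 now end in CT_DEMOD_STOP where they used to index entry 14 of a 14-element table; worth stating in the changelog that this is the overflow being closed.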
From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Laurent Pinchart, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 2/5] media: uvc: don't do DMA on stack
Date: Mon, 21 Jun 2021 13:56:46 +0200

As warned by smatch:

	drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i)
	drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i)

Those two functions call uvc_query_ctrl passing a pointer to
a data at the DMA stack. Those are used to send URBs via
usb_control_msg(). Using DMA stack is not supported and should
not work anymore on modern Linux versions.

So, use a temporary buffer, allocated together with
struct uvc_video_chain.

Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/usb/uvc/uvc_v4l2.c | 10 ++++------
 drivers/media/usb/uvc/uvcvideo.h | 3 +++
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v= 4l2.c index 252136cc885c..e60d4675881a 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -900,7 +900,6 @@ static int uvc_ioctl_g_input(struct file *file, void *f= h, unsigned int *input) struct uvc_fh *handle =3D fh; struct uvc_video_chain *chain =3D handle->chain; int ret; - u8 i; =20 if (chain->selector =3D=3D NULL || (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { 
@@ -910,11 +909,11 @@ static int uvc_ioctl_g_input(struct file *file, void = *fh, unsigned int *input) =20 ret =3D uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id, chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, - &i, 1); + &chain->input, 1); if (ret < 0) return ret; =20 - *input =3D i - 1; + *input =3D chain->input - 1; return 0; } =20 @@ -923,7 +922,6 @@ static int uvc_ioctl_s_input(struct file *file, void *f= h, unsigned int input) struct uvc_fh *handle =3D fh; struct uvc_video_chain *chain =3D handle->chain; int ret; - u32 i; =20 ret =3D uvc_acquire_privileges(handle); if (ret < 0) @@ -939,10 +937,10 @@ static int uvc_ioctl_s_input(struct file *file, void = *fh, unsigned int input) if (input >=3D chain->selector->bNrInPins) return -EINVAL; =20 - i =3D input + 1; + chain->input =3D input + 1; return uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, - &i, 1); + &chain->input, 1); } =20 static int uvc_ioctl_queryctrl(struct file *file, void *fh, diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvi= deo.h index cce5e38133cd..3c0ed90d6912 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h 
@@ -475,6 +475,9 @@ struct uvc_video_chain { struct mutex ctrl_mutex; /* Protects ctrl.info */ =20 struct v4l2_prio_state prio; /* V4L2 priority state */ + + u8 input; /* buffer for set/get input */ + u32 caps; /* V4L2 chain-wide caps */ }; =20 --=20 2.31.1
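
Review bot: chain->input is now a single byte shared by every file handle on the chain, and neither uvc_ioctl_g_input() nor uvc_ioctl_s_input() takes a lock around the store, the uvc_query_ctrl() call and the read-back shown in these hunks. Unless something outside the visible lines serialises the two ioctls, concurrent callers can overwrite each other's value, so g_input can return chain->input - 1 computed from a byte another caller just stored. Either hold a chain-level mutex across the query or use a per-call heap buffer, which the old on-stack locals gave for free.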
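
Review bot: the new "u8 input" member sits in the middle of struct uvc_video_chain, between prio and caps, so the byte handed to usb_control_msg() shares its cache line with fields the CPU keeps reading and writing. That removes the stack address smatch complained about but not the cache-line sharing that makes such buffers unsafe for DMA on non-coherent platforms. A separately kmalloc()ed buffer, or a member marked ____cacheline_aligned, would give the transfer a region of its own.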
From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 3/5] media: v4l2-flash-led-class: drop an useless check
Date: Mon, 21 Jun 2021 13:56:47 +0200

As pointed by smatch:

	drivers/media/v4l2-core/v4l2-flash-led-class.c:264 v4l2_flash_s_ctrl() error: we previously assumed 'fled_cdev' could be null (see line 197)

It is too late to check if fled_cdev is NULL there. If such check is
needed, it should be, instead, inside v4l2_flash_init().

In other words, if v4l2_flash->fled_cdev() is NULL at
v4l2_flash_s_ctrl(), all led_*() function calls inside the function
would try to de-reference a NULL pointer, as the logic won't prevent
it.

So, remove the useless check.

Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/v4l2-core/v4l2-flash-led-class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-flash-led-class.c b/drivers/media= /v4l2-core/v4l2-flash-led-class.c index 10ddcc48aa17..a1653c635d82 100644 --- a/drivers/media/v4l2-core/v4l2-flash-led-class.c +++ b/drivers/media/v4l2-core/v4l2-flash-led-class.c 
@@ -194,7 +194,7 @@ static int v4l2_flash_s_ctrl(struct v4l2_ctrl *c) { struct v4l2_flash *v4l2_flash =3D v4l2_ctrl_to_v4l2_flash(c); struct led_classdev_flash *fled_cdev =3D v4l2_flash->fled_cdev; - struct led_classdev *led_cdev =3D fled_cdev ? &fled_cdev->led_cdev : NULL; + struct led_classdev *led_cdev =3D &fled_cdev->led_cdev; struct v4l2_ctrl **ctrls =3D v4l2_flash->ctrls; bool external_strobe; int ret =3D 0; --=20 2.31.1
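
Review bot: with the ternary gone, led_cdev in v4l2_flash_s_ctrl() is derived from fled_cdev unconditionally, yet the patch does not touch v4l2_flash_init(), which is where the changelog says any NULL check belongs. Please either add that check in this patch or state in the commit message why fled_cdev can never be NULL by the time a control is set; as posted, the smatch warning is silenced without showing the invariant the code now relies on.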
From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Andy Walls, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 4/5] media: ivtv: prevent going past the hw arrays
Date: Mon, 21 Jun 2021 13:56:48 +0200
Message-Id: <94334c02c246fad023ec04a02c43b708d853b0cc.1624276138.git.mchehab+huawei@kernel.org>

As warned by smatch:

	drivers/media/pci/ivtv/ivtv-i2c.c:245 ivtv_i2c_register() error: buffer overflow 'hw_devicenames' 21 <= 31
	drivers/media/pci/ivtv/ivtv-i2c.c:266 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31
	drivers/media/pci/ivtv/ivtv-i2c.c:269 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31
	drivers/media/pci/ivtv/ivtv-i2c.c:275 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31
	drivers/media/pci/ivtv/ivtv-i2c.c:280 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31
	drivers/media/pci/ivtv/ivtv-i2c.c:290 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31

The logic at ivtv_i2c_register() could let buffer overflows at
hw_devicenames and hw_addrs arrays.

This won't happen in practice due to a carefully-constructed
logic, but it is not error-prune.

Change the logic in a way that will make clearer that the
I2C hardware flags will affect the size of those two
arrays, and add an explicit check to avoid buffer overflows.

While here, use the bit macro.

Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/pci/ivtv/ivtv-cards.h | 68 ++++++++++++++++++++---------
 drivers/media/pci/ivtv/ivtv-i2c.c | 16 ++++---
 2 files changed, 58 insertions(+), 26 deletions(-)

diff --git a/drivers/media/pci/ivtv/ivtv-cards.h b/drivers/media/pci/ivtv/i= vtv-cards.h index f3e2c5634962..494982e4165d 100644 --- a/drivers/media/pci/ivtv/ivtv-cards.h +++ b/drivers/media/pci/ivtv/ivtv-cards.h 
@@ -78,27 +78,53 @@ #define IVTV_PCI_ID_SONY 0x104d =20 /* hardware flags, no gaps allowed */ -#define IVTV_HW_CX25840 (1 << 0) -#define IVTV_HW_SAA7115 (1 << 1) -#define IVTV_HW_SAA7127 (1 << 2) -#define IVTV_HW_MSP34XX (1 << 3) -#define IVTV_HW_TUNER (1 << 4) -#define IVTV_HW_WM8775 (1 << 5) -#define IVTV_HW_CS53L32A (1 << 6) -#define IVTV_HW_TVEEPROM (1 << 7) -#define IVTV_HW_SAA7114 (1 << 8) -#define IVTV_HW_UPD64031A (1 << 9) -#define IVTV_HW_UPD6408X (1 << 10) -#define IVTV_HW_SAA717X (1 << 11) -#define IVTV_HW_WM8739 (1 << 12) -#define IVTV_HW_VP27SMPX (1 << 13) -#define IVTV_HW_M52790 (1 << 14) -#define IVTV_HW_GPIO (1 << 15) -#define IVTV_HW_I2C_IR_RX_AVER (1 << 16) -#define IVTV_HW_I2C_IR_RX_HAUP_EXT (1 << 17) /* External before internal */ -#define IVTV_HW_I2C_IR_RX_HAUP_INT (1 << 18) -#define IVTV_HW_Z8F0811_IR_HAUP (1 << 19) -#define IVTV_HW_I2C_IR_RX_ADAPTEC (1 << 20) +enum ivtv_hw_bits { + IVTV_HW_BIT_CX25840 =3D 0, + IVTV_HW_BIT_SAA7115 =3D 1, + IVTV_HW_BIT_SAA7127 =3D 2, + IVTV_HW_BIT_MSP34XX =3D 3, + IVTV_HW_BIT_TUNER =3D 4, + IVTV_HW_BIT_WM8775 =3D 5, + IVTV_HW_BIT_CS53L32A =3D 6, + IVTV_HW_BIT_TVEEPROM =3D 7, + IVTV_HW_BIT_SAA7114 =3D 8, + IVTV_HW_BIT_UPD64031A =3D 9, + IVTV_HW_BIT_UPD6408X =3D 10, + IVTV_HW_BIT_SAA717X =3D 11, + IVTV_HW_BIT_WM8739 =3D 12, + IVTV_HW_BIT_VP27SMPX =3D 13, + IVTV_HW_BIT_M52790 =3D 14, + IVTV_HW_BIT_GPIO =3D 15, + IVTV_HW_BIT_I2C_IR_RX_AVER =3D 16, + IVTV_HW_BIT_I2C_IR_RX_HAUP_EXT =3D 17, /* External before internal */ + IVTV_HW_BIT_I2C_IR_RX_HAUP_INT =3D 18, + IVTV_HW_BIT_Z8F0811_IR_HAUP =3D 19, + IVTV_HW_BIT_I2C_IR_RX_ADAPTEC =3D 20, + + IVTV_HW_MAX_BITS =3D 21 /* Should be the last bit + 1 */ +}; + +#define IVTV_HW_CX25840 BIT(IVTV_HW_BIT_CX25840) +#define IVTV_HW_SAA7115 BIT(IVTV_HW_BIT_SAA7115) +#define IVTV_HW_SAA7127 BIT(IVTV_HW_BIT_SAA7127) +#define IVTV_HW_MSP34XX BIT(IVTV_HW_BIT_MSP34XX) +#define IVTV_HW_TUNER BIT(IVTV_HW_BIT_TUNER) +#define IVTV_HW_WM8775 BIT(IVTV_HW_BIT_WM8775) +#define IVTV_HW_CS53L32A 
BIT(IVTV_HW_BIT_CS53L32A) +#define IVTV_HW_TVEEPROM BIT(IVTV_HW_BIT_TVEEPROM) +#define IVTV_HW_SAA7114 BIT(IVTV_HW_BIT_SAA7114) +#define IVTV_HW_UPD64031A BIT(IVTV_HW_BIT_UPD64031A) +#define IVTV_HW_UPD6408X BIT(IVTV_HW_BIT_UPD6408X) +#define IVTV_HW_SAA717X BIT(IVTV_HW_BIT_SAA717X) +#define IVTV_HW_WM8739 BIT(IVTV_HW_BIT_WM8739) +#define IVTV_HW_VP27SMPX BIT(IVTV_HW_BIT_VP27SMPX) +#define IVTV_HW_M52790 BIT(IVTV_HW_BIT_M52790) +#define IVTV_HW_GPIO BIT(IVTV_HW_BIT_GPIO) +#define IVTV_HW_I2C_IR_RX_AVER BIT(IVTV_HW_BIT_I2C_IR_RX_AVER) +#define IVTV_HW_I2C_IR_RX_HAUP_EXT BIT(IVTV_HW_BIT_I2C_IR_RX_HAUP_EXT) +#define IVTV_HW_I2C_IR_RX_HAUP_INT BIT(IVTV_HW_BIT_I2C_IR_RX_HAUP_INT) +#define IVTV_HW_Z8F0811_IR_HAUP BIT(IVTV_HW_BIT_Z8F0811_IR_HAUP) +#define IVTV_HW_I2C_IR_RX_ADAPTEC BIT(IVTV_HW_BIT_I2C_IR_RX_ADAPTEC) =20 #define IVTV_HW_SAA711X (IVTV_HW_SAA7115 | IVTV_HW_SAA7114) =20 diff --git a/drivers/media/pci/ivtv/ivtv-i2c.c b/drivers/media/pci/ivtv/ivt= v-i2c.c index 982045c4eea8..c052c57c6dce 100644 --- a/drivers/media/pci/ivtv/ivtv-i2c.c +++ b/drivers/media/pci/ivtv/ivtv-i2c.c @@ -85,7 +85,7 @@ #define IVTV_ADAPTEC_IR_ADDR 0x6b =20 /* This array should match the IVTV_HW_ defines */ -static const u8 hw_addrs[] =3D { +static const u8 hw_addrs[IVTV_HW_MAX_BITS] =3D { IVTV_CX25840_I2C_ADDR, IVTV_SAA7115_I2C_ADDR, IVTV_SAA7127_I2C_ADDR, @@ -110,7 +110,7 @@ static const u8 hw_addrs[] =3D { }; =20 /* This array should match the IVTV_HW_ defines */ -static const char * const hw_devicenames[] =3D { +static const char * const hw_devicenames[IVTV_HW_MAX_BITS] =3D { "cx25840", "saa7115", "saa7127_auto", /* saa7127 or saa7129 */ 
@@ -240,10 +240,16 @@ void ivtv_i2c_new_ir_legacy(struct ivtv *itv) =20 int ivtv_i2c_register(struct ivtv *itv, unsigned idx) { - struct v4l2_subdev *sd; struct i2c_adapter *adap =3D &itv->i2c_adap; - const char *type =3D hw_devicenames[idx]; - u32 hw =3D 1 << idx; + struct v4l2_subdev *sd; + const char *type; + u32 hw; + + if (idx >=3D IVTV_HW_MAX_BITS) + return -ENODEV; + + type =3D hw_devicenames[idx]; + hw =3D 1 << idx; =20 if (hw =3D=3D IVTV_HW_TUNER) { /* special tuner handling */ --=20 2.31.1
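
Review bot: in the new enum ivtv_hw_bits, IVTV_HW_MAX_BITS is hard-coded as 21 and every enumerator carries an explicit number, so adding a chip still means updating the count by hand, which is the fragility the changelog sets out to remove. Dropping the explicit value on IVTV_HW_MAX_BITS (and ideally on the other enumerators, given the "no gaps allowed" comment) lets the compiler keep the count correct.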
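
Review bot: declaring hw_addrs[] and hw_devicenames[] with IVTV_HW_MAX_BITS fixes their length, but a missing initialiser now becomes a silent 0 address or NULL name instead of a shorter array, and the "should match the IVTV_HW_ defines" comments remain the only link between entry order and bit number. Designated initialisers keyed on the new enum, for example [IVTV_HW_BIT_CX25840], would make the mapping explicit and let the compiler catch a misplaced entry.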
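
Review bot: in ivtv_i2c_register() hw is still computed as 1 << idx although the changelog says the patch switches to the bit macro; BIT(idx) would match the defines introduced in ivtv-cards.h. The idx >= IVTV_HW_MAX_BITS check returning -ENODEV is placed correctly ahead of the hw_devicenames[idx] read; please confirm callers treat -ENODEV from this function as a skipped device rather than a fatal probe error.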
From: Mauro Carvalho Chehab
Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab, Hugues Fruchet, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org
Subject: [PATCH 5/5] media: sti: don't copy past the size
Date: Mon, 21 Jun 2021 13:56:49 +0200
Message-Id: <1c043f5c26b9cf5b4520241e2015feeae8445f58.1624276138.git.mchehab+huawei@kernel.org>

The logic at delta_ipc_open() tries to copy past the size of
the name passed to it:

	drivers/media/platform/sti/delta/delta-ipc.c:178 delta_ipc_open() error: __memcpy() 'name' too small (17 vs 32)

Basically, this function is called just once with:

	ret = delta_ipc_open(pctx, "JPEG_DECODER_HW0", ...);

The string used there has just 17 bytes. Yet, the logic tries
to copy the entire name size (32 bytes), which is plain wrong.

Replace it by strscpy, which is good enough to copy the string,
warranting that this will be NUL-terminated.

Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/platform/sti/delta/delta-ipc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/platform/sti/delta/delta-ipc.c b/drivers/media/p= latform/sti/delta/delta-ipc.c index 186d88f02ecd..21d3e08e259a 100644 --- a/drivers/media/platform/sti/delta/delta-ipc.c +++ b/drivers/media/platform/sti/delta/delta-ipc.c 
@@ -175,8 +175,7 @@ int delta_ipc_open(struct delta_ctx *pctx, const char *= name, msg.ipc_buf_size =3D ipc_buf_size; msg.ipc_buf_paddr =3D ctx->ipc_buf->paddr; =20 - memcpy(msg.name, name, sizeof(msg.name)); - msg.name[sizeof(msg.name) - 1] =3D 0; + strscpy(msg.name, name, sizeof(msg.name)); =20 msg.param_size =3D param->size; memcpy(ctx->ipc_buf->vaddr, param->data, msg.param_size); --=20 2.31.1
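
Review bot: strscpy() in delta_ipc_open() stops writing at the terminating NUL, so the remaining bytes of msg.name keep whatever msg held before, and its return value (negative when the source does not fit) is ignored. Since msg is filled in here to be passed on as an IPC message, use strscpy_pad() unless msg is zero-initialised earlier in the function, which these lines do not show, and consider failing the open when the name is longer than sizeof(msg.name) instead of sending a truncated one.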