Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp7277099ybi; Wed, 5 Jun 2019 14:32:09 -0700 (PDT) X-Google-Smtp-Source: APXvYqxt2ldwDR9wIINgnp9LE79KF+2H29UiP6Yf0dmOmhh/5qEfq0dMSBxYIulcjfntrrsO6J6E X-Received: by 2002:a63:c006:: with SMTP id h6mr1121940pgg.368.1559770329395; Wed, 05 Jun 2019 14:32:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559770329; cv=none; d=google.com; s=arc-20160816; b=iFT29YjcnjzoFjZk6vbbLg1oQVhTxbRihcgkOGdF5mZDwvYyv45ag+uXkGRv668bDh PZl/HiYdsM7cNmCD/jgVoPLH20eYeiCveFHrEcbGgKRf9sp149qPHSoa7QZOv2GAf2Dh FyMHYsN5/u5p1YD9bxNJxl6XC1mQ7yWx7J5vr8SR4FUJQRtcvLMKz8LXu/EPHkjzKvkP 6xSf/GvgvW+cW2bvUagFVQyveu2k7IYiggAdED46CEVic1WEtB8eXU3N/hCH2PUPhbZc W21fKKTa4hJ3Gpknfk2c2Ve/3BLaDGWSqAncOPdyBK4P5axyL+BXU0COSnRc+KR9Oe6N 3ccw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=W1SwKAzrSsraL2rJYcRqKU9p/AAS2w/6bHcCd/yWVTY=; b=D84av0UwKwNqZ4QCCHejDW2x/ELh7BjnCqsGHq3hfKxMPlVEfh+STW8I8QMY+ng8iU jPuWNt1gCVZ9dR/Ob/Zxs/o6f7y3irJZOGONYyQ4DVLMaUq4Eqczq9/3ZdZ/tDb9sm27 tkUWpqvKnE/pfuSvhyjLMN5/zMMwhOwLqqQW1cmXmHRUxfKCwIqaFF+iQYGveJUWGrRq 0JaG86v8w3MwZDerfBwHM2RwqBn+yA801lhQXWepDUEYvso9eL6/qesTDkv2YBGyaO5l yqVaHU2O+5BCOl+VgWWKhoPElRI6V/x2II9/Bg8vCDz7slmnqWUe42fiKAIY+zFeMaIZ o9lg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@marek-ca.20150623.gappssmtp.com header.s=20150623 header.b=XvoSyiJW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i4si29071013pfa.218.2019.06.05.14.31.52; Wed, 05 Jun 2019 14:32:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@marek-ca.20150623.gappssmtp.com header.s=20150623 header.b=XvoSyiJW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726605AbfFEVaZ (ORCPT + 99 others); Wed, 5 Jun 2019 17:30:25 -0400 Received: from mail-qt1-f194.google.com ([209.85.160.194]:36391 "EHLO mail-qt1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726527AbfFEVaY (ORCPT ); Wed, 5 Jun 2019 17:30:24 -0400 Received: by mail-qt1-f194.google.com with SMTP id u12so317171qth.3 for ; Wed, 05 Jun 2019 14:30:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marek-ca.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=W1SwKAzrSsraL2rJYcRqKU9p/AAS2w/6bHcCd/yWVTY=; b=XvoSyiJWJjZ8O1byGZWAjxvlsniWLJz+KAPD8l0fEGvVihiVdIjoMHmThPQX0IAFdH OLqH7L3HbIGle+BLtliIEpNU1RAx77yleEYUd4/aDvcm6TsXvCyho10McqEwwgT+ijpy T+KX7DYWNUWYDeSwUfcf6U1ZHeoKqx6ITYk/euysVAF5CbCqDHfJtMhkCiul5BcuG6lo 38k2HB4XhrKWEscKB6syZx8Vk0sEnseixgDsFPzglKe4XEQlkGY+9ucGLOccEbzG/AWX ra2tCcqsL9Av0/NvkHGdxCG6kRAGY7Lt5+1chyd5k4HqT0rAaaP0nLhUgE5Cxjv73qVB vQ+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=W1SwKAzrSsraL2rJYcRqKU9p/AAS2w/6bHcCd/yWVTY=; b=c/meYxZezRoIZ75h7yU17tTZxlXd5wiZMZadUr+6f4JGORbX4L5/t7SrhQcq+P3dZp Wta7HTpX71vjv85SLpFJC1QxElAe0w02xe+eB4VIttMq6xDIU6zxzCM7ZwMov0H7hFgV EoqHu5n3CqcKhi6RBBe1dAYjSkXwWpXuZIKaE1lbJGkV8Mqmk0TG1nJWZsqwe1vdlyLT s5V5+1+xNFlc1IniOrVqNK80k1ebpwGk9wpkzs5a2/o+KLgV/TFr2xZkflKVGFFGQlPr bJ661Ygw/y3W0FAu0Omhh4/DlnGy1VEUF3IHPNusBkEVOhkodGPoZ8jiZbNP7ZnYtUoU KNKA== X-Gm-Message-State: APjAAAVumhnKIWig5XJ7OV34Lh/Og6gTqgllUERT3qshB4vGth++kIzk WFUzqlXVYedP57tQUYh7ptS9PhmXX0o= X-Received: by 2002:aed:3a87:: with SMTP id o7mr36089666qte.310.1559770223223; Wed, 05 Jun 2019 14:30:23 -0700 (PDT) Received: from [192.168.0.189] ([147.253.86.153]) by smtp.gmail.com with ESMTPSA id v195sm12092964qka.28.2019.06.05.14.30.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Jun 2019 14:30:22 -0700 (PDT) Subject: Re: [PATCH] Revert "media: hfi_parser: don't trick gcc with a wrong expected size" To: Mauro Carvalho Chehab Cc: Stanimir Varbanov , Andy Gross , David Brown , "open list:QUALCOMM VENUS VIDEO ACCELERATOR DRIVER" , "open list:QUALCOMM VENUS VIDEO ACCELERATOR DRIVER" , open list References: <20190605201941.4150-1-jonathan@marek.ca> <20190605174044.65ac1e4a@coco.lan> From: Jonathan Marek Message-ID: Date: Wed, 5 Jun 2019 17:27:38 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0 MIME-Version: 1.0 In-Reply-To: <20190605174044.65ac1e4a@coco.lan> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org hfi_capabilities / hfi_profile_level_supported come from hardware so there is no option to dynamically allocate, and using size [1] doesn't cause any bug. Your enclosed patch is wrong in a way because MAX_CAP_ENTRIES is not a hardware limit but the size of the statically allocated array used by the driver. I don't think there is any defined hardware limit, otherwise the driver author would've defined it as they did with HFI_MAX_PROFILE_COUNT. A better solution (IMO) if you want to avoid these warnings is to remove those memcpy() and work on the data[] / profile_level[] from the struct directly: diff --git a/drivers/media/platform/qcom/venus/hfi_parser.c b/drivers/media/platform/qcom/venus/hfi_parser.c index 2293d936e49c..ecaa336b2cb9 100644 --- a/drivers/media/platform/qcom/venus/hfi_parser.c +++ b/drivers/media/platform/qcom/venus/hfi_parser.c @@ -94,16 +94,12 @@ static void parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data) { struct hfi_profile_level_supported *pl = data; - struct hfi_profile_level *proflevel = pl->profile_level; - struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {}; if (pl->profile_count > HFI_MAX_PROFILE_COUNT) return; - memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel)); - for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain, - fill_profile_level, pl_arr, pl->profile_count); + fill_profile_level, pl->profile_level, pl->profile_count); } static void @@ -119,17 +115,12 @@ static void parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data) { struct hfi_capabilities *caps = data; - struct hfi_capability *cap = caps->data; - u32 num_caps = caps->num_capabilities; - struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {}; - if (num_caps > MAX_CAP_ENTRIES) + if (caps->num_capabilities > MAX_CAP_ENTRIES) return; - memcpy(caps_arr, cap, num_caps * sizeof(*cap)); - for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain, - fill_caps, caps_arr, num_caps); + fill_caps, caps->data, caps->num_capabilities); } static void fill_raw_fmts(struct venus_caps *cap, const void *fmts, On 6/5/19 4:41 PM, Mauro Carvalho Chehab wrote: > Em Wed, 5 Jun 2019 16:19:40 -0400 > Jonathan Marek escreveu: > >> This reverts commit ded716267196862809e5926072adc962a611a1e3. >> >> This change doesn't make any sense and breaks the driver. > > The fix is indeed wrong, but reverting is the wrong thing to do. > > The problem is that the driver is trying to write past the > allocated area, as reported: > > drivers/media/platform/qcom/venus/hfi_parser.c:103 parse_profile_level() error: memcpy() 'proflevel' too small (8 vs 128) > drivers/media/platform/qcom/venus/hfi_parser.c:129 parse_caps() error: memcpy() 'cap' too small (16 vs 512) > > If you check the memcpy() logic at the above lines, you'll see that > hfi_capability.data may have up to 32 entries, and > hfi_profile_level_supported.profile level can have up to it can be up > to 16 entries. > > So, the buffer should either be dynamically allocated with the real > size or we need something like the enclosed patch. > > Thanks, > Mauro > > diff --git a/drivers/media/platform/qcom/venus/core.h b/drivers/media/platform/qcom/venus/core.h > index 7a3feb5cee00..06a84f266bcc 100644 > --- a/drivers/media/platform/qcom/venus/core.h > +++ b/drivers/media/platform/qcom/venus/core.h > @@ -59,7 +59,6 @@ struct venus_format { > > #define MAX_PLANES 4 > #define MAX_FMT_ENTRIES 32 > -#define MAX_CAP_ENTRIES 32 > #define MAX_ALLOC_MODE_ENTRIES 16 > #define MAX_CODEC_NUM 32 > > diff --git a/drivers/media/platform/qcom/venus/hfi_helper.h b/drivers/media/platform/qcom/venus/hfi_helper.h > index 34ea503a9842..ca8033381515 100644 > --- a/drivers/media/platform/qcom/venus/hfi_helper.h > +++ b/drivers/media/platform/qcom/venus/hfi_helper.h > @@ -560,6 +560,8 @@ struct hfi_bitrate { > #define HFI_CAPABILITY_HIER_P_HYBRID_NUM_ENH_LAYERS 0x15 > #define HFI_CAPABILITY_MBS_PER_SECOND_POWERSAVE 0x16 > > +#define MAX_CAP_ENTRIES 32 > + > struct hfi_capability { > u32 capability_type; > u32 min; > @@ -569,7 +571,7 @@ struct hfi_capability { > > struct hfi_capabilities { > u32 num_capabilities; > - struct hfi_capability *data; > + struct hfi_capability data[MAX_CAP_ENTRIES]; > }; > > #define HFI_DEBUG_MSG_LOW 0x01 > @@ -726,7 +728,7 @@ struct hfi_profile_level { > > struct hfi_profile_level_supported { > u32 profile_count; > - struct hfi_profile_level *profile_level; > + struct hfi_profile_level profile_level[HFI_MAX_PROFILE_COUNT]; > }; > > struct hfi_quality_vs_speed { > > >