From: Chen-Yu Tsai
Date: Wed, 28 Jun 2023 17:13:19 +0200
Subject: Re: [PATCH] OOB read and write in mdp_prepare_buffer
To: sun yq
Cc: mchehab@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, 499671216@qq.com

On Wed, Jun 28, 2023 at 12:09 PM sun yq wrote:
>
> Hi Alain,
>
> May I ask if you are the person involved in the code? We should listen
> to the opinions of the code owner.

Please don't top post.

Alain has a valid point. Please describe in detail how you are running
into or detecting this problem. Are you running into this for real?
Or is this from a static analyzer? Or are you simply eyeballing the issue?

ChenYu

> On Wed, Jun 28, 2023 at 2:34 PM Alain Volmat wrote:
> >
> > Hi,
> >
> > On Wed, Jun 28, 2023 at 07:28:54AM +0800, sun yq wrote:
> > > Hi,
> > > Because there are many functions using the plane, increasing the max
> > > number of the plane is to maximize the solution to all possible oob
> > > places.
> >
> > I don't think it is the right approach then. If the HW is only handling
> > 3 planes, there should be no reason to have to allocate for 8 planes. I
> > suspect that this 8 value is coming from the maximum allowed plane
> > number in V4L2, right?
> > IMHO the driver should simply be fixed to ensure that num_plane won't go
> > higher than the real number of planes allocated in the structures.
> > It should be possible to get the num_plane value from the format
> > selected.
> >
> > Alain
> >
> > >
> > > On Tue, Jun 27, 2023 at 10:06 PM Alain Volmat wrote:
> > > >
> > > > Hi,
> > > >
> > > > On Tue, Jun 27, 2023 at 04:27:31PM +0800, yqsun1997@gmail.com wrote:
> > > > > From: yqsun1997
> > > > >
> > > > > Because format in struct img_image_buffer max index is IMG_MAX_PLANES == 3,
> > > > > the num_planes max index is 8, so it will be OOB like in mdp_prepare_buffer.
> > > >
> > > > Similarly as your other patch, could you describe why you need to
> > > > increase the IMG_MAX_PLANES while I suspect your driver only needs to
> > > > deal with 3 planes. While the maximum num_planes value that can be
> > > > given by the user is 8, this has to be first compared to the configured
> > > > format prior to reaching this function.
> > > >
> > > > >
> > > > > static void mdp_prepare_buffer(struct img_image_buffer *b,
> > > > >                                struct mdp_frame *frame, struct vb2_buffer *vb)
> > > > > {
> > > > >         struct v4l2_pix_format_mplane *pix_mp = &frame->format.fmt.pix_mp;
> > > > >         unsigned int i;
> > > > >
> > > > >         b->format.colorformat = frame->mdp_fmt->mdp_color;
> > > > >         b->format.ycbcr_prof = frame->ycbcr_prof;
> > > > >         for (i = 0; i < pix_mp->num_planes; ++i) {
> > > > >                 u32 stride = mdp_fmt_get_stride(frame->mdp_fmt,
> > > > >                         pix_mp->plane_fmt[i].bytesperline, i);
> > > > >
> > > > >                 b->format.plane_fmt[i].stride = stride; //oob
> > > > >                 ......
> > > > >
> > > > > Signed-off-by: yqsun1997
> > > > > ---
> > > > >  drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h | 2 +-
> > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > > > > > > diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h= b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h > > > > > index ae0396806..e2e991a34 100644 > > > > > --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h > > > > > +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-type.h > > > > > @@ -11,7 +11,7 @@ > > > > > > > > > > #define IMG_MAX_HW_INPUTS 3 > > > > > #define IMG_MAX_HW_OUTPUTS 4 > > > > > -#define IMG_MAX_PLANES 3 > > > > > +#define IMG_MAX_PLANES 8 > > > > > #define IMG_MAX_COMPONENTS 20 > > > > > > > > > > struct img_crop { > > > > > -- > > > > > 2.39.2 > > > > > > > > > > > > > Regards, > > > > Alain >
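Review bot: Changing `#define IMG_MAX_PLANES 3` to `8` in mtk-mdp3-type.h sizes the destination array to the largest value userspace can pass instead of bounding the index, so the loop quoted in the commit message (`for (i = 0; i < pix_mp->num_planes; ++i)` writing `b->format.plane_fmt[i].stride`) still runs with no check of its own. Suggest leaving the macro at 3 and rejecting or clamping `num_planes` against the plane count of the selected format before `mdp_prepare_buffer` is reached, as raised in the thread. The commit message should also state how the out-of-bounds access was found (observed at runtime, static analysis, or code inspection), which the replies ask for.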
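The alternative suggested in the thread (bound the plane count by what the selected format and the destination array actually hold, rather than enlarging the array), sketched as an added example that is not code from the thread or from the mdp3 driver. The structures, `planes_for_format()`, `prepare_buffer_checked()` and `run_case()` are simplified, hypothetical stand-ins that compile in userspace.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define IMG_MAX_PLANES 3 /* planes the destination holds (value in the patch context) */
#define SRC_MAX_PLANES 8 /* per the thread: largest num_planes a user can supply */

/* Simplified stand-ins for the driver's structures (assumed, not kernel code). */
struct src_format {
	uint8_t num_planes;
	uint32_t bytesperline[SRC_MAX_PLANES];
};
struct dst_buffer { uint32_t stride[IMG_MAX_PLANES]; };

/* Hypothetical table: planes used by the selected format (ids 0..2). */
static unsigned int planes_for_format(unsigned int fmt_id)
{
	static const unsigned int table[] = { 1, 2, 3 };
	return fmt_id < 3 ? table[fmt_id] : 0;
}

/* Copy strides only after the plane count is checked against the format
 * and the destination array; returns planes written or -EINVAL. */
static int prepare_buffer_checked(struct dst_buffer *b,
				  const struct src_format *src, unsigned int fmt_id)
{
	unsigned int i, expected = planes_for_format(fmt_id);

	if (expected == 0 || expected > IMG_MAX_PLANES ||
	    src->num_planes != expected)
		return -EINVAL;
	for (i = 0; i < expected; ++i)
		b->stride[i] = src->bytesperline[i];
	return (int)expected;
}

/* Constructed input: every source plane has a 640-byte line. */
static int run_case(uint8_t num_planes, unsigned int fmt_id)
{
	struct src_format src = { .num_planes = num_planes };
	struct dst_buffer b = { { 0 } };

	for (unsigned int i = 0; i < SRC_MAX_PLANES; ++i)
		src.bytesperline[i] = 640;
	return prepare_buffer_checked(&b, &src, fmt_id);
}

int main(void)
{
	printf("3 planes: %d, 8 planes: %d\n", run_case(3, 2), run_case(8, 2));
	return 0;
}
```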