Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp683209rwb; Wed, 26 Jul 2023 00:41:42 -0700 (PDT) X-Google-Smtp-Source: APBJJlHXDRALGBSRX+asVkf7r196suw/a7DvO0EZKJPJoaUqpBSGjULNv9cTo+EVh2rt/qy1cfHi X-Received: by 2002:a05:6a20:26a5:b0:135:6ef6:171 with SMTP id h37-20020a056a2026a500b001356ef60171mr1089457pze.39.1690357301702; Wed, 26 Jul 2023 00:41:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690357301; cv=none; d=google.com; s=arc-20160816; b=sURmZJa62nrxgFBhC31/xGp6T/sKiKxm/VUxL+h9VHw+c2C7nCEbRzZVFVDzDyhgDn DSqKDvd5aVH6+zDxi7nQPRftKG116KISBq+wiYOVd2+0H0kUFiwoWESKORC+o/kyHihd Rzq8+KOhpooWvEGOcKv3k70c8Rtz7S2+yMyhREHQswSaw6lEPK5jjwMXSxiOceqw8XAy m/kHQ8J6PgIz6Hvd/QCLKM36S26Fm2C6dL3C0vx1izczteIQ7tE3kKuzYesER661qIkn rGgP2hFh0E4C4BnJw0KJQ6J/bU2BTXwM01wSOJ2XEYsw2y67O6hI1nHQjYIWSDtSS734 /J6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=2ikHJ80QHJ1+1eg/aMRSdmfO7Fo9j+Wx0A0t69cPy/0=; fh=UweM24z1Hr7KDoqidNEsUGj6BkdbA9O00NEYV2MNRb4=; b=0tUHdb2XTVNkPo7B4kJhUc1fdIxsWf8alPuXiHFDawSH+MZAog6DdTJh4Y5xawycZZ oWfKyXTKBN9S1CmkxEIgSp5sk8HmD1OZ5hMnxFocM7bTLwzvmXBvZtX6tAQdQfmXXJE+ McTx5rL5/d+rdSREwSQnr32JmcR0P/HT4TXDhbzuf45cyPy0B9nQOanndEbT1HqSXrvM bnJEmCW2FFcIwUYcQLc3jJjLh+uKQByOCetgcX8JEIggeEFdsDciPAZzo1qkK0gD2Tm1 0o7QdCK01pYAsyTDKGYJ11ahAuz/e7nFFMFvShbEEylXHCq9QJ+Gn1HnQalUnH0OMlV4 blwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=AGGIjrK1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a23-20020a637057000000b00563b0cbe80bsi6332735pgn.398.2023.07.26.00.41.28; Wed, 26 Jul 2023 00:41:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=AGGIjrK1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230033AbjGZHD3 (ORCPT + 99 others); Wed, 26 Jul 2023 03:03:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40164 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232346AbjGZHC4 (ORCPT ); Wed, 26 Jul 2023 03:02:56 -0400 Received: from madras.collabora.co.uk (madras.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e5ab]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5E99B423B; Wed, 26 Jul 2023 00:01:32 -0700 (PDT) Received: from [192.168.1.100] (2-237-20-237.ip236.fastwebnet.it [2.237.20.237]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: kholk11) by madras.collabora.co.uk (Postfix) with ESMTPSA id D32EA6606FCD; Wed, 26 Jul 2023 08:01:29 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1690354890; bh=b3275iZpeVMp7nlokph744oUHdv+Z9l5geLiebs0KXw=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=AGGIjrK1AuhE4G3/2REeqPS4TJ2FRl25j8vVbcMqiVq2MlrPCIAd55MPFSwbMpPD8 n8InzWlzbUkEAItf9kNquzNKvx1c796WVHHlA/WGUNCBaje9GqkcfiT90/gWDP+C5K yxxfXeQVYk0CgcH7WEKRbnJJvxCWtBkB6ERJe1VJUOZqmSC13hQFNiEQnrayjJpnec JYX7BwUEUM9BOg/9byTpO+hoLfnmVyfnpPfHBe7v4QzHYgnPtgQmrr+4HfmxZ490eC B5a/ANfAO28MTYS7rSsygVd4A4qn11nZL18pYrhEZlL10tlWTJ+/NdInrxhqP3HnxY FgXWhaSfnxyDg== Message-ID: <5a7c6b24-03f1-dd33-5911-ce046ee140f1@collabora.com> Date: Wed, 26 Jul 2023 09:01:27 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Subject: Re: [PATCH] media: mediatek: vcodec: Consider vdecsys presence in reg range check Content-Language: en-US To: =?UTF-8?B?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= , Hans Verkuil Cc: kernel@collabora.com, Andrew-CT Chen , Matthias Brugger , Mauro Carvalho Chehab , Tiffany Lin , Yunfei Dong , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-mediatek@lists.infradead.org References: <20230725204043.569799-1-nfraprado@collabora.com> From: AngeloGioacchino Del Regno In-Reply-To: <20230725204043.569799-1-nfraprado@collabora.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Il 25/07/23 22:40, NĂ­colas F. R. A. Prado ha scritto: > Commit fe8a33978383 ("media: mediatek: vcodec: Read HW active status > from syscon") allowed the driver to read the VDEC_SYS io space from a > syscon instead of from the reg property when reg-names are supplied. > However as part of that change, a smatch warning was introduced: > > drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11 > > With a correct Devicetree, that is, one that follows the dt-binding, it > wouldn't be possible to trigger such a buffer overflow. Even so, update > the range validation of the reg property, so that the smatch warning is > fixed and if an incorrect Devicetree is ever supplied the code errors > out instead of causing memory corruption. > > Reported-by: Hans Verkuil > Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl > Fixes: fe8a33978383 ("media: mediatek: vcodec: Read HW active status from syscon") > Signed-off-by: NĂ­colas F. R. A. Prado > > --- > > drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c > index 742b6903d030..cd62b3f68072 100644 > --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c > +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c > @@ -124,7 +124,8 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev) > /* Sizeof(u32) * 4 bytes for each register base. */ > reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg", > sizeof(u32) * 4); > - if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) { > + if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE || You could also simplify this like int num_max_vdec_regs; .... num_max_vdec_regs = no_vdecsys_reg ? ARRAY_SIZE(mtk_dec_reg_names) : NUM_MAX_VDEC_REG_BASE; if (reg_num <= 0 || reg_num > num_max_vdec_regs) .... I'd go for the proposed solution, as it looks better in my eyes, but it's ultimately your choice and probably just a personal preference. That said, if you want to keep this commit as it is, you still get my Reviewed-by: AngeloGioacchino Del Regno > + (!has_vdecsys_reg && reg_num > NUM_MAX_VDEC_REG_BASE - 1)) { > dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num); > return -EINVAL; > }