From patchwork Mon Jun 21 11:56:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 12334659 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3C9ACC48BE5 for ; Mon, 21 Jun 2021 11:56:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 27B5B6124B for ; Mon, 21 Jun 2021 11:56:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229640AbhFUL7J (ORCPT ); Mon, 21 Jun 2021 07:59:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:34248 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229695AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2A2EF61206; Mon, 21 Jun 2021 11:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624276613; bh=ANoabVaUzkB8uByqIYbl9sn5GX3seetBSDp7JoEwpi4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BCQFDbRPbo0454eQTUJ9Zpws8unRKPu8AQlSFcr1y13HQ2miRH7IyucBxiS/KgFOa kJK8EOt3eVF1405qY3OXSKG7D9DNh9HlsIpfMo5CnLYLQEybnQUyl8QCWsu8Ot/Uqj xDSzJtfN+nvQuUQ9Sw9Sx91xoOv0a0aRnUQFqYbmBwidXXAf9P78ls9Cxl29BxlVQA AxJydMCVtfoFhCdyNYG4es2UVlmAIrlqotxn0ECZGcYSicHGL6v3qwv4krbHiPU2e6 D5LKVqjSTXNmvybfW73yySZyr4/vCoMx08Hk2XmW90BvDOZDIKsZif/O3PeiKNoxEY HBDJ6n8xx4sYw== Received: by mail.kernel.org with local (Exim 4.94.2) (envelope-from ) id 1lvIXq-000Hcg-S7; Mon, 21 Jun 2021 13:56:50 +0200 From: Mauro Carvalho Chehab Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab , Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org Subject: [PATCH 1/5] media: dib8000: rewrite the init prbs logic Date: Mon, 21 Jun 2021 13:56:45 +0200 Message-Id: <4727871dc9f255dbaed6f44799f9980d41e5f637.1624276137.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Sender: Mauro Carvalho Chehab To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The logic at dib8000_get_init_prbs() has a few issues: 1. the tables used there has an extra unused value at the beginning; 2. the dprintk() message doesn't write the right value when transmission mode is not 8K; 3. the array overflow validation is done by the callers. Rewrite the code to fix such issues. This should also shut up those smatch warnings: drivers/media/dvb-frontends/dib8000.c:2125 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14 drivers/media/dvb-frontends/dib8000.c:2129 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_2k' 14 <= 14 drivers/media/dvb-frontends/dib8000.c:2131 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_4k' 14 <= 14 drivers/media/dvb-frontends/dib8000.c:2134 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14 Signed-off-by: Mauro Carvalho Chehab --- drivers/media/dvb-frontends/dib8000.c | 56 +++++++++++++++++++-------- 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c index 082796534b0a..541f8b9f5f8a 100644 --- a/drivers/media/dvb-frontends/dib8000.c +++ b/drivers/media/dvb-frontends/dib8000.c @@ -2107,32 +2107,53 @@ static void dib8000_load_ana_fe_coefs(struct dib8000_state *state, const s16 *an dib8000_write_word(state, 117 + mode, ana_fe[mode]); } -static const u16 lut_prbs_2k[14] = { - 0, 0x423, 0x009, 0x5C7, 0x7A6, 0x3D8, 0x527, 0x7FF, 0x79B, 0x3D6, 0x3A2, 0x53B, 0x2F4, 0x213 +static const u16 lut_prbs_2k[13] = { + 0x423, 0x009, 0x5C7, + 0x7A6, 0x3D8, 0x527, + 0x7FF, 0x79B, 0x3D6, + 0x3A2, 0x53B, 0x2F4, + 0x213 }; -static const u16 lut_prbs_4k[14] = { - 0, 0x208, 0x0C3, 0x7B9, 0x423, 0x5C7, 0x3D8, 0x7FF, 0x3D6, 0x53B, 0x213, 0x029, 0x0D0, 0x48E +static const u16 lut_prbs_4k[13] = { + 0x208, 0x0C3, 0x7B9, + 0x423, 0x5C7, 0x3D8, + 0x7FF, 0x3D6, 0x53B, + 0x213, 0x029, 0x0D0, + 0x48E }; -static const u16 lut_prbs_8k[14] = { - 0, 0x740, 0x069, 0x7DD, 0x208, 0x7B9, 0x5C7, 0x7FF, 0x53B, 0x029, 0x48E, 0x4C4, 0x367, 0x684 +static const u16 lut_prbs_8k[13] = { + 0x740, 0x069, 0x7DD, + 0x208, 0x7B9, 0x5C7, + 0x7FF, 0x53B, 0x029, + 0x48E, 0x4C4, 0x367, + 0x684 }; static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchannel) { int sub_channel_prbs_group = 0; + int prbs_group; - sub_channel_prbs_group = (subchannel / 3) + 1; - dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group]); + sub_channel_prbs_group = subchannel / 3; + if (sub_channel_prbs_group >= ARRAY_SIZE(lut_prbs_2k)) + return 0; switch (state->fe[0]->dtv_property_cache.transmission_mode) { case TRANSMISSION_MODE_2K: - return lut_prbs_2k[sub_channel_prbs_group]; + prbs_group = lut_prbs_2k[sub_channel_prbs_group]; + break; case TRANSMISSION_MODE_4K: - return lut_prbs_4k[sub_channel_prbs_group]; + prbs_group = lut_prbs_4k[sub_channel_prbs_group]; + break; default: case TRANSMISSION_MODE_8K: - return lut_prbs_8k[sub_channel_prbs_group]; + prbs_group = lut_prbs_8k[sub_channel_prbs_group]; } + + dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", + sub_channel_prbs_group, subchannel, prbs_group); + + return prbs_group; } static void dib8000_set_13seg_channel(struct dib8000_state *state) @@ -2409,10 +2430,8 @@ static void dib8000_set_isdbt_common_channel(struct dib8000_state *state, u8 seq /* TSB or ISDBT ? apply it now */ if (c->isdbt_sb_mode) { dib8000_set_sb_channel(state); - if (c->isdbt_sb_subchannel < 14) - init_prbs = dib8000_get_init_prbs(state, c->isdbt_sb_subchannel); - else - init_prbs = 0; + init_prbs = dib8000_get_init_prbs(state, + c->isdbt_sb_subchannel); } else { dib8000_set_13seg_channel(state); init_prbs = 0xfff; @@ -3004,6 +3023,7 @@ static int dib8000_tune(struct dvb_frontend *fe) unsigned long *timeout = &state->timeout; unsigned long now = jiffies; + u16 init_prbs; #ifdef DIB8000_AGC_FREEZE u16 agc1, agc2; #endif @@ -3302,8 +3322,10 @@ static int dib8000_tune(struct dvb_frontend *fe) break; case CT_DEMOD_STEP_11: /* 41 : init prbs autosearch */ - if (state->subchannel <= 41) { - dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->subchannel)); + init_prbs = dib8000_get_init_prbs(state, state->subchannel); + + if (init_prbs) { + dib8000_set_subchannel_prbs(state, init_prbs); *tune_state = CT_DEMOD_STEP_9; } else { *tune_state = CT_DEMOD_STOP; From patchwork Mon Jun 21 11:56:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 12334663 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A341CC4743C for ; Mon, 21 Jun 2021 11:56:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8821C6124B for ; Mon, 21 Jun 2021 11:56:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230047AbhFUL7M (ORCPT ); Mon, 21 Jun 2021 07:59:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:34236 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229651AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 26EFF610C7; Mon, 21 Jun 2021 11:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624276613; bh=kxakYSNRVuDodkZft6TScXV0U+zp0Xa4cGVu/The1dU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TmB/MoKPWOaf/pdMvYiOZa8kjJWQ5vpVHBW39bJmGlOdQ/uXHWdj5cqJiTBoYoHIo 9/3dOpo4IJRvl3MkXLhN9Xr/0/jwHfZk/VbnaWPWXCv9DERctvHb47ygiD0mDRkzvc w9ovzNLsN+IuR5gya5of8ONctsPU6UdlWW93g62HbtRnZ+u5VFz31pDz303F5z5vVh vdkaQn92q5MMN0ufs6p/jxKM9VAv6NC29WlG+S6jVG3GsrtsEQ01T5x3qFkH/YyHEW grNd2oIHYE/6MVVOO1NqpgXque0TO3L2rh/ZhjBw2EnpQSjUOVScP4kTGC3IliDfo3 poDwsOWWHc/jg== Received: by mail.kernel.org with local (Exim 4.94.2) (envelope-from ) id 1lvIXq-000Hck-U8; Mon, 21 Jun 2021 13:56:50 +0200 From: Mauro Carvalho Chehab Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab , Laurent Pinchart , Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org Subject: [PATCH 2/5] media: uvc: don't do DMA on stack Date: Mon, 21 Jun 2021 13:56:46 +0200 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Sender: Mauro Carvalho Chehab To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org As warned by smatch: drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i) drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i) those two functions call uvc_query_ctrl passing a pointer to a data at the DMA stack. those are used to send URBs via usb_control_msg(). Using DMA stack is not supported and should not work anymore on modern Linux versions. So, use a temporary buffer, allocated together with struct uvc_video_chain. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/uvc/uvc_v4l2.c | 10 ++++------ drivers/media/usb/uvc/uvcvideo.h | 3 +++ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index 252136cc885c..e60d4675881a 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -900,7 +900,6 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input) struct uvc_fh *handle = fh; struct uvc_video_chain *chain = handle->chain; int ret; - u8 i; if (chain->selector == NULL || (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { @@ -910,11 +909,11 @@ static int uvc_ioctl_g_input(struct file *file, void *fh, unsigned int *input) ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id, chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, - &i, 1); + &chain->input, 1); if (ret < 0) return ret; - *input = i - 1; + *input = chain->input - 1; return 0; } @@ -923,7 +922,6 @@ static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input) struct uvc_fh *handle = fh; struct uvc_video_chain *chain = handle->chain; int ret; - u32 i; ret = uvc_acquire_privileges(handle); if (ret < 0) @@ -939,10 +937,10 @@ static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input) if (input >= chain->selector->bNrInPins) return -EINVAL; - i = input + 1; + chain->input = input + 1; return uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, - &i, 1); + &chain->input, 1); } static int uvc_ioctl_queryctrl(struct file *file, void *fh, diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index cce5e38133cd..3c0ed90d6912 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -475,6 +475,9 @@ struct uvc_video_chain { struct mutex ctrl_mutex; /* Protects ctrl.info */ struct v4l2_prio_state prio; /* V4L2 priority state */ + + u8 input; /* buffer for set/get input */ + u32 caps; /* V4L2 chain-wide caps */ }; From patchwork Mon Jun 21 11:56:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 12334657 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4ECEC48BC2 for ; Mon, 21 Jun 2021 11:56:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8BAA56135F for ; Mon, 21 Jun 2021 11:56:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230013AbhFUL7I (ORCPT ); Mon, 21 Jun 2021 07:59:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:34234 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229610AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2496461153; Mon, 21 Jun 2021 11:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624276613; bh=uwGsDLBM94wlH08xSFR21Av3pUOHYUbttrYJhv47Jjk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M2VJW0ElDZvi62c5dBfx9jvQeL4z7PgZ24MY/B4Gb4D4A9bPE3i/woCKhLWFDED/7 4HwBf5ohJMa7Jjax54eCixgLNbbCGdUMxO/ozyGkNeEBllEtguytwhg/2uciWVfDWX W1gPbrqazNlRHC3cBWMd8tFqaLxTDbts4L6En3vbStVOFskX2rMP31nWK0Tc8pPVY5 es1rJo4furoAdzcvdXoy1coexag8DjbaU0fqyJlYr9izu6+BPQgdbTAT61Nvar/kwi lb+SxQ+TMZHWxVIPO0lnzLk6UF7/t6JhfPCN5R0xmc5Q6N2YqekaMSidPm48kvvd3A wggMwDJy/JgCg== Received: by mail.kernel.org with local (Exim 4.94.2) (envelope-from ) id 1lvIXq-000Hco-Vr; Mon, 21 Jun 2021 13:56:50 +0200 From: Mauro Carvalho Chehab Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab , Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org Subject: [PATCH 3/5] media: v4l2-flash-led-class: drop an useless check Date: Mon, 21 Jun 2021 13:56:47 +0200 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Sender: Mauro Carvalho Chehab To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org As pointed by smatch: drivers/media/v4l2-core/v4l2-flash-led-class.c:264 v4l2_flash_s_ctrl() error: we previously assumed 'fled_cdev' could be null (see line 197) It is too late to check if fled_cdev is NULL there. If such check is needed, it should be, instead, inside v4l2_flash_init(). On other words, if v4l2_flash->fled_cdev() is NULL at v4l2_flash_s_ctrl(), all led_*() function calls inside the function would try to de-reference a NULL pointer, as the logic won't prevent it. So, remove the useless check. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/v4l2-core/v4l2-flash-led-class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/v4l2-core/v4l2-flash-led-class.c b/drivers/media/v4l2-core/v4l2-flash-led-class.c index 10ddcc48aa17..a1653c635d82 100644 --- a/drivers/media/v4l2-core/v4l2-flash-led-class.c +++ b/drivers/media/v4l2-core/v4l2-flash-led-class.c @@ -194,7 +194,7 @@ static int v4l2_flash_s_ctrl(struct v4l2_ctrl *c) { struct v4l2_flash *v4l2_flash = v4l2_ctrl_to_v4l2_flash(c); struct led_classdev_flash *fled_cdev = v4l2_flash->fled_cdev; - struct led_classdev *led_cdev = fled_cdev ? &fled_cdev->led_cdev : NULL; + struct led_classdev *led_cdev = &fled_cdev->led_cdev; struct v4l2_ctrl **ctrls = v4l2_flash->ctrls; bool external_strobe; int ret = 0; From patchwork Mon Jun 21 11:56:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 12334665 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0886C49EA4 for ; Mon, 21 Jun 2021 11:57:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D644D61206 for ; Mon, 21 Jun 2021 11:57:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230103AbhFUL7O (ORCPT ); Mon, 21 Jun 2021 07:59:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:34260 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229789AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2FBBC61245; Mon, 21 Jun 2021 11:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624276613; bh=11eW0KcqaEnwVcqSAzyPNAdsSG+zIv8WUhOkdsd8c6A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jmBWtdlwqBDKNAm0dTHfHk3uqCFK1ZsHbkjcsduKsXqVvOuPet+GLsoDYXPdjlrHI ck08bAldltzViQVZn+i1HyTKGKPchxS0WT6ipRn2IehNUswLZOyO91AbbVceEUlmkQ 12I+mXI7BXnIcZEfIpSCni2VR8SXYy6OnyECYPvDvpgcM16IXowGfQ1YvNoaTGttbM 5ttJwJzQyGLB+6U2ZBTy1aSWJ8GgtkamPMz6skmPi5S70ZwyO7UJAd2r0gomfwDWoE NdkTvEDKY2JqJfK5vXrUzDHlb2Bh1Jexz2V6/8nG839FdrFaxkHqcjWH3kfR83FSDD DXhKyvRindZfA== Received: by mail.kernel.org with local (Exim 4.94.2) (envelope-from ) id 1lvIXr-000Hcs-0m; Mon, 21 Jun 2021 13:56:51 +0200 From: Mauro Carvalho Chehab Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab , Andy Walls , Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org Subject: [PATCH 4/5] media: ivtv: prevent going past the hw arrays Date: Mon, 21 Jun 2021 13:56:48 +0200 Message-Id: <94334c02c246fad023ec04a02c43b708d853b0cc.1624276138.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Sender: Mauro Carvalho Chehab To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org As warned by smatch: drivers/media/pci/ivtv/ivtv-i2c.c:245 ivtv_i2c_register() error: buffer overflow 'hw_devicenames' 21 <= 31 drivers/media/pci/ivtv/ivtv-i2c.c:266 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31 drivers/media/pci/ivtv/ivtv-i2c.c:269 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31 drivers/media/pci/ivtv/ivtv-i2c.c:275 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31 drivers/media/pci/ivtv/ivtv-i2c.c:280 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31 drivers/media/pci/ivtv/ivtv-i2c.c:290 ivtv_i2c_register() error: buffer overflow 'hw_addrs' 21 <= 31 The logic at ivtv_i2c_register() could let buffer overflows at hw_devicenames and hw_addrs arrays. This won't happen in practice due to a carefully-contructed logic, but it is not error-prune. Change the logic in a way that will make clearer that the I2C hardware flags will affect the size of those two arrays, and add an explicit check to avoid buffer overflows. While here, use the bit macro. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/pci/ivtv/ivtv-cards.h | 68 ++++++++++++++++++++--------- drivers/media/pci/ivtv/ivtv-i2c.c | 16 ++++--- 2 files changed, 58 insertions(+), 26 deletions(-) diff --git a/drivers/media/pci/ivtv/ivtv-cards.h b/drivers/media/pci/ivtv/ivtv-cards.h index f3e2c5634962..494982e4165d 100644 --- a/drivers/media/pci/ivtv/ivtv-cards.h +++ b/drivers/media/pci/ivtv/ivtv-cards.h @@ -78,27 +78,53 @@ #define IVTV_PCI_ID_SONY 0x104d /* hardware flags, no gaps allowed */ -#define IVTV_HW_CX25840 (1 << 0) -#define IVTV_HW_SAA7115 (1 << 1) -#define IVTV_HW_SAA7127 (1 << 2) -#define IVTV_HW_MSP34XX (1 << 3) -#define IVTV_HW_TUNER (1 << 4) -#define IVTV_HW_WM8775 (1 << 5) -#define IVTV_HW_CS53L32A (1 << 6) -#define IVTV_HW_TVEEPROM (1 << 7) -#define IVTV_HW_SAA7114 (1 << 8) -#define IVTV_HW_UPD64031A (1 << 9) -#define IVTV_HW_UPD6408X (1 << 10) -#define IVTV_HW_SAA717X (1 << 11) -#define IVTV_HW_WM8739 (1 << 12) -#define IVTV_HW_VP27SMPX (1 << 13) -#define IVTV_HW_M52790 (1 << 14) -#define IVTV_HW_GPIO (1 << 15) -#define IVTV_HW_I2C_IR_RX_AVER (1 << 16) -#define IVTV_HW_I2C_IR_RX_HAUP_EXT (1 << 17) /* External before internal */ -#define IVTV_HW_I2C_IR_RX_HAUP_INT (1 << 18) -#define IVTV_HW_Z8F0811_IR_HAUP (1 << 19) -#define IVTV_HW_I2C_IR_RX_ADAPTEC (1 << 20) +enum ivtv_hw_bits { + IVTV_HW_BIT_CX25840 = 0, + IVTV_HW_BIT_SAA7115 = 1, + IVTV_HW_BIT_SAA7127 = 2, + IVTV_HW_BIT_MSP34XX = 3, + IVTV_HW_BIT_TUNER = 4, + IVTV_HW_BIT_WM8775 = 5, + IVTV_HW_BIT_CS53L32A = 6, + IVTV_HW_BIT_TVEEPROM = 7, + IVTV_HW_BIT_SAA7114 = 8, + IVTV_HW_BIT_UPD64031A = 9, + IVTV_HW_BIT_UPD6408X = 10, + IVTV_HW_BIT_SAA717X = 11, + IVTV_HW_BIT_WM8739 = 12, + IVTV_HW_BIT_VP27SMPX = 13, + IVTV_HW_BIT_M52790 = 14, + IVTV_HW_BIT_GPIO = 15, + IVTV_HW_BIT_I2C_IR_RX_AVER = 16, + IVTV_HW_BIT_I2C_IR_RX_HAUP_EXT = 17, /* External before internal */ + IVTV_HW_BIT_I2C_IR_RX_HAUP_INT = 18, + IVTV_HW_BIT_Z8F0811_IR_HAUP = 19, + IVTV_HW_BIT_I2C_IR_RX_ADAPTEC = 20, + + IVTV_HW_MAX_BITS = 21 /* Should be the last bit + 1 */ +}; + +#define IVTV_HW_CX25840 BIT(IVTV_HW_BIT_CX25840) +#define IVTV_HW_SAA7115 BIT(IVTV_HW_BIT_SAA7115) +#define IVTV_HW_SAA7127 BIT(IVTV_HW_BIT_SAA7127) +#define IVTV_HW_MSP34XX BIT(IVTV_HW_BIT_MSP34XX) +#define IVTV_HW_TUNER BIT(IVTV_HW_BIT_TUNER) +#define IVTV_HW_WM8775 BIT(IVTV_HW_BIT_WM8775) +#define IVTV_HW_CS53L32A BIT(IVTV_HW_BIT_CS53L32A) +#define IVTV_HW_TVEEPROM BIT(IVTV_HW_BIT_TVEEPROM) +#define IVTV_HW_SAA7114 BIT(IVTV_HW_BIT_SAA7114) +#define IVTV_HW_UPD64031A BIT(IVTV_HW_BIT_UPD64031A) +#define IVTV_HW_UPD6408X BIT(IVTV_HW_BIT_UPD6408X) +#define IVTV_HW_SAA717X BIT(IVTV_HW_BIT_SAA717X) +#define IVTV_HW_WM8739 BIT(IVTV_HW_BIT_WM8739) +#define IVTV_HW_VP27SMPX BIT(IVTV_HW_BIT_VP27SMPX) +#define IVTV_HW_M52790 BIT(IVTV_HW_BIT_M52790) +#define IVTV_HW_GPIO BIT(IVTV_HW_BIT_GPIO) +#define IVTV_HW_I2C_IR_RX_AVER BIT(IVTV_HW_BIT_I2C_IR_RX_AVER) +#define IVTV_HW_I2C_IR_RX_HAUP_EXT BIT(IVTV_HW_BIT_I2C_IR_RX_HAUP_EXT) +#define IVTV_HW_I2C_IR_RX_HAUP_INT BIT(IVTV_HW_BIT_I2C_IR_RX_HAUP_INT) +#define IVTV_HW_Z8F0811_IR_HAUP BIT(IVTV_HW_BIT_Z8F0811_IR_HAUP) +#define IVTV_HW_I2C_IR_RX_ADAPTEC BIT(IVTV_HW_BIT_I2C_IR_RX_ADAPTEC) #define IVTV_HW_SAA711X (IVTV_HW_SAA7115 | IVTV_HW_SAA7114) diff --git a/drivers/media/pci/ivtv/ivtv-i2c.c b/drivers/media/pci/ivtv/ivtv-i2c.c index 982045c4eea8..c052c57c6dce 100644 --- a/drivers/media/pci/ivtv/ivtv-i2c.c +++ b/drivers/media/pci/ivtv/ivtv-i2c.c @@ -85,7 +85,7 @@ #define IVTV_ADAPTEC_IR_ADDR 0x6b /* This array should match the IVTV_HW_ defines */ -static const u8 hw_addrs[] = { +static const u8 hw_addrs[IVTV_HW_MAX_BITS] = { IVTV_CX25840_I2C_ADDR, IVTV_SAA7115_I2C_ADDR, IVTV_SAA7127_I2C_ADDR, @@ -110,7 +110,7 @@ static const u8 hw_addrs[] = { }; /* This array should match the IVTV_HW_ defines */ -static const char * const hw_devicenames[] = { +static const char * const hw_devicenames[IVTV_HW_MAX_BITS] = { "cx25840", "saa7115", "saa7127_auto", /* saa7127 or saa7129 */ @@ -240,10 +240,16 @@ void ivtv_i2c_new_ir_legacy(struct ivtv *itv) int ivtv_i2c_register(struct ivtv *itv, unsigned idx) { - struct v4l2_subdev *sd; struct i2c_adapter *adap = &itv->i2c_adap; - const char *type = hw_devicenames[idx]; - u32 hw = 1 << idx; + struct v4l2_subdev *sd; + const char *type; + u32 hw; + + if (idx >= IVTV_HW_MAX_BITS) + return -ENODEV; + + type = hw_devicenames[idx]; + hw = 1 << idx; if (hw == IVTV_HW_TUNER) { /* special tuner handling */ From patchwork Mon Jun 21 11:56:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mauro Carvalho Chehab X-Patchwork-Id: 12334655 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3055C4743C for ; Mon, 21 Jun 2021 11:56:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7A1696135F for ; Mon, 21 Jun 2021 11:56:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229945AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:34232 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229640AbhFUL7H (ORCPT ); Mon, 21 Jun 2021 07:59:07 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2179661108; Mon, 21 Jun 2021 11:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624276613; bh=eKQAKkLLipiPydD36jq5fQOg8fFfg7eqxulZXVht4ac=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hVX9hvurJiChkgzV1uDiAOYCLzGabkN66JjHWqDHrWZd1/+WCcxVs/SH0DOxZq8Kv U+konUGRUxfz5aT4jAYSTzX7Ib0wsr3RNXx5rnV/AyiBnIL3Sy2AS5d5DaafdvTIhS kmJDIkiE2APzZ8szgzvRe5A7/f9yEE0dMG4JtooLcZpxjlRnYCouIOLXOX3tkGGaFM gd/XbSx0+DJmFK6aK9x7prjXkbuLKkdbQX42Qa535Sf5nJYwxrPvAy1cRxdKgMjNmC SNekzqR+U+TB4Y0v3nGNLQ/+vWSytzILq5eJ/nezNrSFRJ9cAIyYiH4pmtCxXalUG2 n19sCkSOiE+Sg== Received: by mail.kernel.org with local (Exim 4.94.2) (envelope-from ) id 1lvIXr-000Hcw-2Y; Mon, 21 Jun 2021 13:56:51 +0200 From: Mauro Carvalho Chehab Cc: linuxarm@huawei.com, mauro.chehab@huawei.com, Mauro Carvalho Chehab , Hugues Fruchet , Mauro Carvalho Chehab , linux-kernel@vger.kernel.org, linux-media@vger.kernel.org Subject: [PATCH 5/5] media: sti: don't copy past the size Date: Mon, 21 Jun 2021 13:56:49 +0200 Message-Id: <1c043f5c26b9cf5b4520241e2015feeae8445f58.1624276138.git.mchehab+huawei@kernel.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Sender: Mauro Carvalho Chehab To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The logic at delta_ipc_open() tries to copy past the size of the name passed to it: drivers/media/platform/sti/delta/delta-ipc.c:178 delta_ipc_open() error: __memcpy() 'name' too small (17 vs 32) Basically,this function is called just one with: ret = delta_ipc_open(pctx, "JPEG_DECODER_HW0", ...); The string used there has just 17 bytes. Yet, the logic tries to copy the entire name size (32 bytes), which is plain wrong. Replace it by strscpy, which is good enough to copy the string, warranting that this will be NUL-terminated. Signed-off-by: Mauro Carvalho Chehab --- drivers/media/platform/sti/delta/delta-ipc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/media/platform/sti/delta/delta-ipc.c b/drivers/media/platform/sti/delta/delta-ipc.c index 186d88f02ecd..21d3e08e259a 100644 --- a/drivers/media/platform/sti/delta/delta-ipc.c +++ b/drivers/media/platform/sti/delta/delta-ipc.c @@ -175,8 +175,7 @@ int delta_ipc_open(struct delta_ctx *pctx, const char *name, msg.ipc_buf_size = ipc_buf_size; msg.ipc_buf_paddr = ctx->ipc_buf->paddr; - memcpy(msg.name, name, sizeof(msg.name)); - msg.name[sizeof(msg.name) - 1] = 0; + strscpy(msg.name, name, sizeof(msg.name)); msg.param_size = param->size; memcpy(ctx->ipc_buf->vaddr, param->data, msg.param_size);