Re: [PATCH 6/6] media: amlogic-c3: Add validations for ae and awb config

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Ricardo Ribalda <ribalda@chromium.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
	Sakari Ailus <sakari.ailus@linux.intel.com>,
	Hans Verkuil <hverkuil@kernel.org>,
	Nas Chung <nas.chung@chipsnmedia.com>,
	Jackson Lee <jackson.lee@chipsnmedia.com>,
	Bingbu Cao <bingbu.cao@intel.com>,
	Tianshu Qiu <tian.shu.qiu@intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Keke Li <keke.li@amlogic.com>,
	linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-staging@lists.linux.dev,
	Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Subject: Re: [PATCH 6/6] media: amlogic-c3: Add validations for ae and awb config
Date: Tue, 28 Apr 2026 16:26:49 +0300	[thread overview]
Message-ID: <20260428132649.GD120836@killaraus.ideasonboard.com> (raw)
In-Reply-To: <CANiDSCvaS-Jz9m5H2OHo2akD-o-sffsZyEw6_CrfUhD1BN+m2g@mail.gmail.com>

On Tue, Apr 28, 2026 at 03:14:21PM +0200, Ricardo Ribalda wrote:
> On Tue, 28 Apr 2026 at 15:10, Laurent Pinchart wrote:
> > On Tue, Apr 28, 2026 at 12:41:12PM +0000, Ricardo Ribalda wrote:
> > > Avoid invalid memory access if the zones_num is bigger than
> > > zone_weight.
> > >
> > > This patch fixes the following smatch errors:
> > > drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb_wt() error: buffer overflow 'cfg->zone_weight' 768 <= u32max
> > > drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:111 c3_isp_params_awb_wt() error: buffer overflow 'cfg->zone_weight' 768 <= u32max
> > > drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_wt() error: buffer overflow 'cfg->zone_weight' 255 <= u32max
> > > drivers/media/platform/amlogic/c3/isp/c3-isp-params.c:227 c3_isp_params_ae_wt() error: buffer overflow 'cfg->zone_weight' 255 <= u32max
> > >
> > > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > > ---
> > >  drivers/media/platform/amlogic/c3/isp/c3-isp-params.c | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > >
> > > diff --git a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c
> > > index 6f9ca7a7dd88..42d780f684d1 100644
> > > --- a/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c
> > > +++ b/drivers/media/platform/amlogic/c3/isp/c3-isp-params.c
> > > @@ -104,6 +104,8 @@ static void c3_isp_params_awb_wt(struct c3_isp_device *isp,
> > >       c3_isp_write(isp, ISP_AWB_BLK_WT_ADDR, 0);
> > >
> > >       zones_num = cfg->horiz_zones_num * cfg->vert_zones_num;
> > > +     if (WARN_ON(zones_num > C3_ISP_AWB_MAX_ZONES))
> >
> > This is triggerable by userspace, it shouldn't result in a WARN_ON().
> > Ideally the horiz_zones_num and vert_zones_num should be validated at
> > buf prepare time, and an error should be returned to userspace. That
> > will likely not fix your smatch issue though, I don't think it will be
> > able to understand that the values have been validated.
> 
> Based on the warnings from the other drivers I also suspect that if
> you have validated the data somewhere else smatch will understand it.
> 
> Even if you add a validate function I would suggest to keep the
> WARN_ON(), ideally it should never trigger, and if it triggers it will
> get a lot more attention to get it fixed.

We could keep the WARN_ON() if we first validate the data, but the
driver doesn't currently :-/ I expect there could be more similar
issues.

> > Jacopo, do we need to add a validate function pointer to
> > v4l2_isp_params_block_type_info ?
> >
> > > +             zones_num = C3_ISP_AWB_MAX_ZONES;
> > >
> > >       /* Need to write 8 weights at once */
> > >       for (i = 0; i < zones_num / 8; i++) {
> > > @@ -220,6 +222,8 @@ static void c3_isp_params_ae_wt(struct c3_isp_device *isp,
> > >       c3_isp_write(isp, ISP_AE_BLK_WT_ADDR, 0);
> > >
> > >       zones_num = cfg->horiz_zones_num * cfg->vert_zones_num;
> > > +     if (WARN_ON(zones_num > C3_ISP_AE_MAX_ZONES))
> > > +             zones_num = C3_ISP_AE_MAX_ZONES;
> > >
> > >       /* Need to write 8 weights at once */
> > >       for (i = 0; i < zones_num / 8; i++) {

-- 
Regards,

Laurent Pinchart

next prev parent reply	other threads:[~2026-04-28 13:26 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-28 12:41 [PATCH 0/6] media: Fix new smatch warnings Ricardo Ribalda
2026-04-28 12:41 ` [PATCH 1/6] media: v4l2-dev: Add range check for vdev->minor Ricardo Ribalda
2026-04-29  7:38   ` Hans Verkuil
2026-04-29  7:43   ` Sakari Ailus
2026-04-29  7:53     ` Hans Verkuil
2026-04-29  8:52       ` Sakari Ailus
2026-04-28 12:41 ` [PATCH 2/6] media: i2c: mt9p031: Rewrite a bitwise mask Ricardo Ribalda
2026-04-28 13:25   ` Laurent Pinchart
2026-04-28 13:37     ` Ricardo Ribalda
2026-04-28 12:41 ` [PATCH 3/6] media: i2c: adv7604: Add range checks for chip info Ricardo Ribalda
2026-04-29  7:40   ` Hans Verkuil
2026-04-28 12:41 ` [PATCH 4/6] media: chips-media: wave5: Add range checks for dec_output_info Ricardo Ribalda
2026-04-28 12:41 ` [PATCH 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Ricardo Ribalda
2026-04-28 13:13   ` Laurent Pinchart
2026-04-28 13:17     ` Ricardo Ribalda
2026-04-28 12:41 ` [PATCH 6/6] media: amlogic-c3: Add validations for ae and awb config Ricardo Ribalda
2026-04-28 13:10   ` Laurent Pinchart
2026-04-28 13:14     ` Ricardo Ribalda
2026-04-28 13:15       ` Ricardo Ribalda
2026-04-28 13:26       ` Laurent Pinchart [this message]
2026-04-28 13:49         ` Ricardo Ribalda
2026-04-29  6:15           ` Jacopo Mondi
2026-04-29  6:44             ` Ricardo Ribalda
2026-04-29  6:55               ` Jacopo Mondi
2026-04-29  7:15                 ` Ricardo Ribalda
2026-04-29  7:30                   ` Jacopo Mondi
2026-04-28 13:52 ` [PATCH 0/6] media: Fix new smatch warnings Dan Carpenter
2026-04-28 13:58   ` Ricardo Ribalda
2026-04-29  7:23     ` Laurent Pinchart
2026-04-29 10:31     ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260428132649.GD120836@killaraus.ideasonboard.com \
    --to=laurent.pinchart@ideasonboard.com \
    --cc=bingbu.cao@intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hverkuil@kernel.org \
    --cc=jackson.lee@chipsnmedia.com \
    --cc=jacopo.mondi@ideasonboard.com \
    --cc=keke.li@amlogic.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=linux-staging@lists.linux.dev \
    --cc=mchehab@kernel.org \
    --cc=nas.chung@chipsnmedia.com \
    --cc=ribalda@chromium.org \
    --cc=sakari.ailus@linux.intel.com \
    --cc=tian.shu.qiu@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.