From: sashiko-bot@kernel.org
To: "Sven Püschel" <s.pueschel@pengutronix.de>
Cc: devicetree@vger.kernel.org, robh@kernel.org, krzk+dt@kernel.org,
conor+dt@kernel.org
Subject: Re: [PATCH v6 22/28] media: rockchip: rga: remove size from rga_frame
Date: Fri, 15 May 2026 16:21:24 +0000 [thread overview]
Message-ID: <20260515162124.B36E8C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260515-spu-rga3-v6-22-e547152eb9c9@pengutronix.de>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Heap buffer overflow in DMA descriptor array due to incorrect size calculation and off-by-one bounds check
--
commit 80a8417d4cdd0685a8b6425bf5882684584c9ac7
Author: Sven Püschel <s.pueschel@pengutronix.de>
media: rockchip: rga: remove size from rga_frame
This commit removes the size member from the rga_frame structure, as it
is only used for MMU page table mapping. Instead, the size is calculated
in-place within rga_buf_init() by iterating over the planes.
> diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c
> index cd6904d5fe5a6..092c2bdf6b672 100644
> --- a/drivers/media/platform/rockchip/rga/rga-buf.c
> +++ b/drivers/media/platform/rockchip/rga/rga-buf.c
> @@ -79,6 +79,8 @@ static int rga_buf_init(struct vb2_buffer *vb)
> struct rockchip_rga *rga = ctx->rga;
> struct rga_frame *f = rga_get_frame(ctx, vb->vb2_queue->type);
> size_t n_desc = 0;
> + u32 size = 0;
> + u8 i;
>
> if (IS_ERR(f))
> return PTR_ERR(f);
> @@ -86,7 +88,9 @@ static int rga_buf_init(struct vb2_buffer *vb)
> if (!rga_has_internal_iommu(rga))
> return 0;
>
> - n_desc = DIV_ROUND_UP(f->size, PAGE_SIZE);
> + for (i = 0; i < f->pix.num_planes; i++)
> + size += f->pix.plane_fmt[i].sizeimage;
> + n_desc = DIV_ROUND_UP(size, PAGE_SIZE);
Does this calculation under-allocate the descriptor array if userspace uses
VIDIOC_CREATE_BUFS to request buffers larger than sizeimage?
While this behavior wasn't introduced by this patch, inlining the
calculation here preserves an existing regression in the buffer allocation
logic.
Since vb2 can provision larger scatterlists than the format's sizeimage,
rbuf->n_desc might be smaller than the actual buffer length.
If fill_descriptors() uses a check like "if (n_desc > max_desc)", could a
plane sized to exactly rbuf->n_desc + 1 pages bypass the check and write
one entry out of bounds?
When the second plane is mapped, could max_desc (which would be
rbuf->n_desc - curr_desc) underflow? This might bypass remaining bounds
checks and allow the scatterlist of the second plane to sequentially
overwrite adjacent kernel heap memory.
>
> rbuf->n_desc = n_desc;
> rbuf->dma_desc = dma_alloc_coherent(rga->dev,
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260515-spu-rga3-v6-0-e547152eb9c9@pengutronix.de?part=22
next prev parent reply other threads:[~2026-05-15 16:21 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 15:32 [PATCH v6 00/28] media: platform: rga: Add RGA3 support Sven Püschel
2026-05-15 15:32 ` [PATCH v6 01/28] media: dt-bindings: media: rockchip-rga: add rockchip,rk3588-rga3 Sven Püschel
2026-05-15 15:32 ` [PATCH v6 02/28] media: v4l2-common: sort RGB formats in v4l2_format_info Sven Püschel
2026-05-15 15:32 ` [PATCH v6 03/28] media: v4l2-common: add missing 1 and 2 byte RGB formats to v4l2_format_info Sven Püschel
2026-05-15 15:32 ` [PATCH v6 04/28] media: v4l2-common: add has_alpha " Sven Püschel
2026-05-15 15:32 ` [PATCH v6 05/28] media: v4l2-common: add v4l2_fill_pixfmt_mp_aligned helper Sven Püschel
2026-05-15 15:58 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 06/28] media: rockchip: rga: fix too small buffer size Sven Püschel
2026-05-15 15:32 ` [PATCH v6 07/28] media: rockchip: rga: use clk_bulk api Sven Püschel
2026-05-15 15:54 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 08/28] media: rockchip: rga: use stride for offset calculation Sven Püschel
2026-05-15 15:32 ` [PATCH v6 09/28] media: rockchip: rga: remove redundant rga_frame variables Sven Püschel
2026-05-15 15:32 ` [PATCH v6 10/28] media: rockchip: rga: announce and sync colorimetry Sven Püschel
2026-05-15 16:14 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 11/28] media: rockchip: rga: move hw specific parts to a dedicated struct Sven Püschel
2026-05-15 16:05 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 12/28] media: rockchip: rga: avoid odd frame sizes for YUV formats Sven Püschel
2026-05-15 15:32 ` [PATCH v6 13/28] media: rockchip: rga: calculate x_div/y_div using v4l2_format_info Sven Püschel
2026-05-15 15:32 ` [PATCH v6 14/28] media: rockchip: rga: move cmdbuf to rga_ctx Sven Püschel
2026-05-15 16:12 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 15/28] media: rockchip: rga: align stride to 4 bytes Sven Püschel
2026-05-15 16:17 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 16/28] media: rockchip: rga: reuse cmdbuf contents Sven Püschel
2026-05-15 15:59 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 17/28] media: rockchip: rga: check scaling factor Sven Püschel
2026-05-15 16:54 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 18/28] media: rockchip: rga: use card type to specify rga type Sven Püschel
2026-05-15 16:00 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 19/28] media: rockchip: rga: change offset to dma_addresses Sven Püschel
2026-05-15 15:59 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 20/28] media: rockchip: rga: support external iommus Sven Püschel
2026-05-15 16:08 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 21/28] media: rockchip: rga: share the interrupt when an external iommu is used Sven Püschel
2026-05-15 16:11 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 22/28] media: rockchip: rga: remove size from rga_frame Sven Püschel
2026-05-15 16:21 ` sashiko-bot [this message]
2026-05-15 15:32 ` [PATCH v6 23/28] media: rockchip: rga: remove stride " Sven Püschel
2026-05-15 15:32 ` [PATCH v6 24/28] media: rockchip: rga: move rga_fmt to rga-hw.h Sven Püschel
2026-05-15 15:32 ` [PATCH v6 25/28] media: rockchip: rga: add feature flags Sven Püschel
2026-05-15 16:22 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 26/28] media: rockchip: rga: disable multi-core support Sven Püschel
2026-05-15 15:32 ` [PATCH v6 27/28] media: rockchip: rga: add rga3 support Sven Püschel
2026-05-15 16:34 ` sashiko-bot
2026-05-15 15:32 ` [PATCH v6 28/28] arm64: dts: rockchip: add rga3 dt nodes Sven Püschel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515162124.B36E8C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=s.pueschel@pengutronix.de \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox