* [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt
@ 2024-07-10 23:09 Kees Cook
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Kees Cook @ 2024-07-10 23:09 UTC (permalink / raw)
To: Stanimir Varbanov
Cc: Kees Cook, Vikash Garodia, Bryan O'Donoghue,
Mauro Carvalho Chehab, Gustavo A. R. Silva, linux-kernel,
linux-media, linux-arm-msm, linux-hardening
Hi,
This replaces the 1-element "fake" flexible array in struct
hfi_session_release_buffer_pkt with a modern flexible array and adds
the __counted_by annotation that was identified during the analysis.
Thanks!
-Kees
Kees Cook (2):
media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace
1-element array with flexible array
media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add
__counted_by annotation
drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.34.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
2024-07-10 23:09 [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
@ 2024-07-10 23:09 ` Kees Cook
2024-07-10 23:16 ` Gustavo A. R. Silva
` (3 more replies)
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
2024-08-23 0:00 ` [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
2 siblings, 4 replies; 12+ messages in thread
From: Kees Cook @ 2024-07-10 23:09 UTC (permalink / raw)
To: Stanimir Varbanov
Cc: Kees Cook, Vikash Garodia, Bryan O'Donoghue,
Mauro Carvalho Chehab, Gustavo A. R. Silva, linux-media,
linux-arm-msm, linux-hardening, linux-kernel
Replace the deprecated[1] use of a 1-element array in
struct hfi_session_release_buffer_pkt with a modern flexible array.
No binary differences are present after this conversion.
Link: https://github.com/KSPP/linux/issues/79 [1]
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-media@vger.kernel.org
Cc: linux-arm-msm@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
---
drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
index 20acd412ee7b..42825f07939d 100644
--- a/drivers/media/platform/qcom/venus/hfi_cmds.h
+++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
@@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
u32 extradata_size;
u32 response_req;
u32 num_buffers;
- u32 buffer_info[1];
+ u32 buffer_info[];
};
struct hfi_session_release_resources_pkt {
--
2.34.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
2024-07-10 23:09 [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
@ 2024-07-10 23:09 ` Kees Cook
2024-07-10 23:17 ` Gustavo A. R. Silva
` (3 more replies)
2024-08-23 0:00 ` [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
2 siblings, 4 replies; 12+ messages in thread
From: Kees Cook @ 2024-07-10 23:09 UTC (permalink / raw)
To: Stanimir Varbanov
Cc: Kees Cook, Vikash Garodia, Bryan O'Donoghue,
Mauro Carvalho Chehab, Gustavo A. R. Silva, linux-media,
linux-arm-msm, linux-hardening, linux-kernel
The only direct user of struct hfi_session_release_buffer_pkt is
pkt_session_unset_buffers() which sets "num_buffers" before using it
as a loop counter for accessing "buffer_info". Add the __counted_by
annotation to reflect the relationship.
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-media@vger.kernel.org
Cc: linux-arm-msm@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
---
drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
index 42825f07939d..1adf2d2ae5f2 100644
--- a/drivers/media/platform/qcom/venus/hfi_cmds.h
+++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
@@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
u32 extradata_size;
u32 response_req;
u32 num_buffers;
- u32 buffer_info[];
+ u32 buffer_info[] __counted_by(num_buffers);
};
struct hfi_session_release_resources_pkt {
--
2.34.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
@ 2024-07-10 23:16 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
` (2 subsequent siblings)
3 siblings, 0 replies; 12+ messages in thread
From: Gustavo A. R. Silva @ 2024-07-10 23:16 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab,
Gustavo A. R. Silva, linux-media, linux-arm-msm, linux-hardening,
linux-kernel
On 10/07/24 17:09, Kees Cook wrote:
> Replace the deprecated[1] use of a 1-element array in
> struct hfi_session_release_buffer_pkt with a modern flexible array.
>
> No binary differences are present after this conversion.
>
> Link: https://github.com/KSPP/linux/issues/79 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks
--
Gustavo
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 20acd412ee7b..42825f07939d 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[1];
> + u32 buffer_info[];
> };
>
> struct hfi_session_release_resources_pkt {
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
@ 2024-07-10 23:17 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
` (2 subsequent siblings)
3 siblings, 0 replies; 12+ messages in thread
From: Gustavo A. R. Silva @ 2024-07-10 23:17 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab,
Gustavo A. R. Silva, linux-media, linux-arm-msm, linux-hardening,
linux-kernel
On 10/07/24 17:09, Kees Cook wrote:
> The only direct user of struct hfi_session_release_buffer_pkt is
> pkt_session_unset_buffers() which sets "num_buffers" before using it
> as a loop counter for accessing "buffer_info". Add the __counted_by
> annotation to reflect the relationship.
>
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks
--
Gustavo
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 42825f07939d..1adf2d2ae5f2 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[];
> + u32 buffer_info[] __counted_by(num_buffers);
> };
>
> struct hfi_session_release_resources_pkt {
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
2024-07-10 23:16 ` Gustavo A. R. Silva
@ 2024-07-11 12:19 ` Bryan O'Donoghue
2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Bryan O'Donoghue @ 2024-07-11 12:19 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Mauro Carvalho Chehab, Gustavo A. R. Silva,
linux-media, linux-arm-msm, linux-hardening, linux-kernel
On 11/07/2024 00:09, Kees Cook wrote:
> Replace the deprecated[1] use of a 1-element array in
> struct hfi_session_release_buffer_pkt with a modern flexible array.
>
> No binary differences are present after this conversion.
>
> Link: https://github.com/KSPP/linux/issues/79 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 20acd412ee7b..42825f07939d 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[1];
> + u32 buffer_info[];
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
2024-07-10 23:17 ` Gustavo A. R. Silva
@ 2024-07-11 12:19 ` Bryan O'Donoghue
2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Bryan O'Donoghue @ 2024-07-11 12:19 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Mauro Carvalho Chehab, Gustavo A. R. Silva,
linux-media, linux-arm-msm, linux-hardening, linux-kernel
On 11/07/2024 00:09, Kees Cook wrote:
> The only direct user of struct hfi_session_release_buffer_pkt is
> pkt_session_unset_buffers() which sets "num_buffers" before using it
> as a loop counter for accessing "buffer_info". Add the __counted_by
> annotation to reflect the relationship.
>
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 42825f07939d..1adf2d2ae5f2 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[];
> + u32 buffer_info[] __counted_by(num_buffers);
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
2024-07-10 23:16 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
@ 2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Vikash Garodia @ 2024-07-12 13:27 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Bryan O'Donoghue, Mauro Carvalho Chehab, Gustavo A. R. Silva,
linux-media, linux-arm-msm, linux-hardening, linux-kernel
On 7/11/2024 4:39 AM, Kees Cook wrote:
> Replace the deprecated[1] use of a 1-element array in
> struct hfi_session_release_buffer_pkt with a modern flexible array.
>
> No binary differences are present after this conversion.
>
> Link: https://github.com/KSPP/linux/issues/79 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 20acd412ee7b..42825f07939d 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[1];
> + u32 buffer_info[];
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Regards,
Vikash
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
2024-07-10 23:17 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
@ 2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Vikash Garodia @ 2024-07-12 13:27 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Bryan O'Donoghue, Mauro Carvalho Chehab, Gustavo A. R. Silva,
linux-media, linux-arm-msm, linux-hardening, linux-kernel
On 7/11/2024 4:39 AM, Kees Cook wrote:
> The only direct user of struct hfi_session_release_buffer_pkt is
> pkt_session_unset_buffers() which sets "num_buffers" before using it
> as a loop counter for accessing "buffer_info". Add the __counted_by
> annotation to reflect the relationship.
>
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 42825f07939d..1adf2d2ae5f2 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[];
> + u32 buffer_info[] __counted_by(num_buffers);
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Regards,
Vikash
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
` (2 preceding siblings ...)
2024-07-12 13:27 ` Vikash Garodia
@ 2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Dikshita Agarwal @ 2024-08-08 7:39 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab,
Gustavo A. R. Silva, linux-media, linux-arm-msm, linux-hardening,
linux-kernel
On 7/11/2024 4:39 AM, Kees Cook wrote:
> Replace the deprecated[1] use of a 1-element array in
> struct hfi_session_release_buffer_pkt with a modern flexible array.
>
> No binary differences are present after this conversion.
>
> Link: https://github.com/KSPP/linux/issues/79 [1]
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 20acd412ee7b..42825f07939d 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[1];
> + u32 buffer_info[];
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Thanks,
Dikshita
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
` (2 preceding siblings ...)
2024-07-12 13:27 ` Vikash Garodia
@ 2024-08-08 7:39 ` Dikshita Agarwal
3 siblings, 0 replies; 12+ messages in thread
From: Dikshita Agarwal @ 2024-08-08 7:39 UTC (permalink / raw)
To: Kees Cook, Stanimir Varbanov
Cc: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab,
Gustavo A. R. Silva, linux-media, linux-arm-msm, linux-hardening,
linux-kernel
On 7/11/2024 4:39 AM, Kees Cook wrote:
> The only direct user of struct hfi_session_release_buffer_pkt is
> pkt_session_unset_buffers() which sets "num_buffers" before using it
> as a loop counter for accessing "buffer_info". Add the __counted_by
> annotation to reflect the relationship.
>
> Signed-off-by: Kees Cook <kees@kernel.org>
> ---
> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
> Cc: Vikash Garodia <quic_vgarodia@quicinc.com>
> Cc: "Bryan O'Donoghue" <bryan.odonoghue@linaro.org>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: linux-media@vger.kernel.org
> Cc: linux-arm-msm@vger.kernel.org
> Cc: linux-hardening@vger.kernel.org
> ---
> drivers/media/platform/qcom/venus/hfi_cmds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.h b/drivers/media/platform/qcom/venus/hfi_cmds.h
> index 42825f07939d..1adf2d2ae5f2 100644
> --- a/drivers/media/platform/qcom/venus/hfi_cmds.h
> +++ b/drivers/media/platform/qcom/venus/hfi_cmds.h
> @@ -227,7 +227,7 @@ struct hfi_session_release_buffer_pkt {
> u32 extradata_size;
> u32 response_req;
> u32 num_buffers;
> - u32 buffer_info[];
> + u32 buffer_info[] __counted_by(num_buffers);
> };
>
> struct hfi_session_release_resources_pkt {
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Thanks,
Dikshita
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt
2024-07-10 23:09 [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
@ 2024-08-23 0:00 ` Kees Cook
2 siblings, 0 replies; 12+ messages in thread
From: Kees Cook @ 2024-08-23 0:00 UTC (permalink / raw)
To: Stanimir Varbanov, Kees Cook
Cc: Vikash Garodia, Bryan O'Donoghue, Mauro Carvalho Chehab,
Gustavo A. R. Silva, linux-kernel, linux-media, linux-arm-msm,
linux-hardening
On Wed, 10 Jul 2024 16:09:11 -0700, Kees Cook wrote:
> This replaces the 1-element "fake" flexible array in struct
> hfi_session_release_buffer_pkt with a modern flexible array and adds
> the __counted_by annotation that was identified during the analysis.
>
> Thanks!
>
> -Kees
>
> [...]
Applied to for-next/hardening, thanks!
[1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array
https://git.kernel.org/kees/c/c93452777f53
[2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation
https://git.kernel.org/kees/c/32ef4b710cbe
Take care,
--
Kees Cook
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2024-08-23 0:00 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-10 23:09 [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
2024-07-10 23:09 ` [PATCH 1/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array Kees Cook
2024-07-10 23:16 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
2024-07-10 23:09 ` [PATCH 2/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation Kees Cook
2024-07-10 23:17 ` Gustavo A. R. Silva
2024-07-11 12:19 ` Bryan O'Donoghue
2024-07-12 13:27 ` Vikash Garodia
2024-08-08 7:39 ` Dikshita Agarwal
2024-08-23 0:00 ` [PATCH 0/2] media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).