[PATCH] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[PATCH] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[Andrew Soto]

Optimize memory allocation layout in sh_css_params.c by replacing the raw multiplication inside kzalloc() with a type-safe kcalloc() array allocation wrapper.

This prevents potential integer overflow vulnerabilities by validating the array size calculations before interacting with the kernel heap allocator, aligning the driver with modern kernel memory allocation standards.

Signed-off-by: Andrew Soto <linux@notrealandy.dev>
---
 drivers/staging/media/atomisp/pci/sh_css_params.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
index fcebace11..9147ca047 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -3716,7 +3716,7 @@ ia_css_ptr sh_css_store_sp_group_to_ddr(void)
 
 	IA_CSS_ENTER_LEAVE_PRIVATE("void");
 
-	write_buf = kzalloc(sizeof(u8) * 8192, GFP_KERNEL);
+	write_buf = kcalloc(8192, sizeof(u8), GFP_KERNEL);
 	if (!write_buf)
 		return 0;
 
-- 
2.53.0

Re: [PATCH] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Ignored memory allocation failure leads to null-equivalent pointer passed to SP firmware.
--

commit 967be0a2dfa51f2c0edc88c4aa3976bc41aab85d
Author: Andrew Soto <linux@notrealandy.dev>

staging: media: atomisp: prefer kcalloc over kzalloc with multiply

This commit replaces a raw multiplication inside kzalloc() with a kcalloc()
array allocation in sh_css_params.c. This validates the array size
calculations to prevent potential integer overflow vulnerabilities before
interacting with the kernel heap allocator.

> diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
> index fcebace11daf6..9147ca0474ad2 100644
> --- a/drivers/staging/media/atomisp/pci/sh_css_params.c
> +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
> @@ -3716,7 +3716,7 @@ ia_css_ptr sh_css_store_sp_group_to_ddr(void)
>  
>  	IA_CSS_ENTER_LEAVE_PRIVATE("void");
>  
> -	write_buf = kzalloc(sizeof(u8) * 8192, GFP_KERNEL);
> +	write_buf = kcalloc(8192, sizeof(u8), GFP_KERNEL);
>  	if (!write_buf)
>  		return 0;

[Severity: High]
This isn't a bug introduced by this patch, but is it possible that this early
return causes the firmware to crash under memory pressure?

If kcalloc() fails, sh_css_store_sp_group_to_ddr() returns 0, which acts as
a null-equivalent for an ia_css_ptr.

Looking at the caller in drivers/staging/media/atomisp/pci/sh_css_sp.c:

store_sp_group_data() {
    ...
    per_frame_data.sp_group_addr = sh_css_store_sp_group_to_ddr();
    ...
}

The return value is unconditionally assigned to per_frame_data.sp_group_addr
without any validation. When this 0 is sent directly to the per-frame
hardware configuration, will the SP firmware crash or lock up the hardware
when attempting to access address 0 for its group configuration?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260606234427.9902-1-linux@notrealandy.dev?part=1

Re: [PATCH] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[Andy Shevchenko]

On Sun, Jun 7, 2026 at 2:45 AM Andrew Soto <linux@notrealandy.dev> wrote:
>
> Optimize memory allocation layout in sh_css_params.c by replacing the raw multiplication inside kzalloc() with a type-safe kcalloc() array allocation wrapper.
>
> This prevents potential integer overflow vulnerabilities by validating the array size calculations before interacting with the kernel heap allocator, aligning the driver with modern kernel memory allocation standards.

Wrap the commit message around 72 characters per line.

...

Is this the only case like this in the entire driver?

-- 
With Best Regards,
Andy Shevchenko

[PATCH v2] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[Andrew Soto]

Optimize memory allocation layout in sh_css_params.c by replacing
the raw multiplication inside kzalloc() with a type-safe kcalloc()
array allocation wrapper.

This prevents potential integer overflow vulnerabilities by validating
the array size calculations before interacting
with the kernel heap allocator, aligning the driver with modern kernel
memory allocation standards.

Signed-off-by: Andrew Soto <linux@notrealandy.dev>
---
 drivers/staging/media/atomisp/pci/sh_css_params.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
index fcebace11..9147ca047 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
+++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
@@ -3716,7 +3716,7 @@ ia_css_ptr sh_css_store_sp_group_to_ddr(void)
 
 	IA_CSS_ENTER_LEAVE_PRIVATE("void");
 
-	write_buf = kzalloc(sizeof(u8) * 8192, GFP_KERNEL);
+	write_buf = kcalloc(8192, sizeof(u8), GFP_KERNEL);
 	if (!write_buf)
 		return 0;
 
-- 
2.53.0

Fwd: [PATCH] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[Andy Shevchenko]

I just noticed you also replied privately, no, please do the
development and communications publicly.

---------- Forwarded message ---------
From: Andy Shevchenko <andy.shevchenko@gmail.com>
Date: Sun, Jun 7, 2026 at 9:48 PM
Subject: Re: [PATCH] staging: media: atomisp: prefer kcalloc over
kzalloc with multiply
To: <linux@notrealandy.dev>


On Sun, Jun 7, 2026 at 3:27 PM <linux@notrealandy.dev> wrote:

> Yes, I ran grep across the entire atomisp directory and this was the only instance of a raw multiplication inside a standard kzalloc() call. The other files already use kzalloc_obj().

https://elixir.bootlin.com/linux/v7.1-rc6/source/drivers/staging/media/atomisp/pci/sh_css_params.c#L4209
In the same file...
And maybe more, please try again. I suggest using coccinelle to find
all the places like this.

> I have submitted PATCH V2 with the commit message lines wrapping under 72 characters.

You also have to reply wrapping the lines accordingly and do not top-post!

> > On Jun 7, 2026, at 9:42 AM, Andy Shevchenko <andy.shevchenko@gmail.com> wrote:
> > On Sun, Jun 7, 2026 at 2:45 AM Andrew Soto <linux@notrealandy.dev> wrote:
> >>
> >> Optimize memory allocation layout in sh_css_params.c by replacing the raw multiplication inside kzalloc() with a type-safe kcalloc() array allocation wrapper.
> >>
> >> This prevents potential integer overflow vulnerabilities by validating the array size calculations before interacting with the kernel heap allocator, aligning the driver with modern kernel memory allocation standards.
> >
> > Wrap the commit message around 72 characters per line.

...

> > Is this the only case like this in the entire driver?

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH v2] staging: media: atomisp: prefer kcalloc over kzalloc with multiply

[Andy Shevchenko]

On Sun, Jun 7, 2026 at 3:19 PM Andrew Soto <linux@notrealandy.dev> wrote:
>
> Optimize memory allocation layout in sh_css_params.c by replacing
> the raw multiplication inside kzalloc() with a type-safe kcalloc()
> array allocation wrapper.
>
> This prevents potential integer overflow vulnerabilities by validating
> the array size calculations before interacting
> with the kernel heap allocator, aligning the driver with modern kernel
> memory allocation standards.

See my reply to v1.

...

> -       write_buf = kzalloc(sizeof(u8) * 8192, GFP_KERNEL);
> +       write_buf = kcalloc(8192, sizeof(u8), GFP_KERNEL);

While at it, you can switch to a more robust sizeof(*write_buf).

-- 
With Best Regards,
Andy Shevchenko