* [bug report] media: synopsys: add driver for the designware mipi csi-2 receiver
From: Dan Carpenter @ 2026-02-06 13:39 UTC
To: Michael Riesch; +Cc: linux-media, linux-kernel

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Michael Riesch,

Commit 355a11004066 ("media: synopsys: add driver for the designware
mipi csi-2 receiver") from Jan 20, 2026 (linux-next), leads to the
following Smatch static checker warning:

	drivers/media/platform/synopsys/dw-mipi-csi2rx.c:307 dw_mipi_csi2rx_enum_mbus_code()
	warn: array off by one? 'csi2->formats[code->index]'

drivers/media/platform/synopsys/dw-mipi-csi2rx.c
    286 static int
    287 dw_mipi_csi2rx_enum_mbus_code(struct v4l2_subdev *sd,
    288                               struct v4l2_subdev_state *sd_state,
    289                               struct v4l2_subdev_mbus_code_enum *code)
    290 {
    291         struct dw_mipi_csi2rx_device *csi2 = to_csi2(sd);
    292 
    293         switch (code->pad) {
    294         case DW_MIPI_CSI2RX_PAD_SRC:
    295                 if (code->index)
    296                         return -EINVAL;
    297 
    298                 code->code =
    299                         v4l2_subdev_state_get_format(sd_state,
    300                                                      DW_MIPI_CSI2RX_PAD_SINK)->code;
    301 
    302                 return 0;
    303         case DW_MIPI_CSI2RX_PAD_SINK:
    304                 if (code->index > csi2->formats_num)

This should be >=.

    305                         return -EINVAL;
    306 
--> 307                 code->code = csi2->formats[code->index].code;
    308                 return 0;
    309         default:
    310                 return -EINVAL;
    311         }
    312 }

regards,
dan carpenter

* [bug report] media: rockchip: rkcif: add support for rk3568 vicap mipi capture
From: Dan Carpenter @ 2026-02-06 13:39 UTC
To: Michael Riesch; +Cc: linux-media, linux-rockchip, linux-kernel

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Michael Riesch,

Commit 1f2353f5a1af ("media: rockchip: rkcif: add support for rk3568
vicap mipi capture") from Nov 14, 2025 (linux-next), leads to the
following Smatch static checker warning:

	drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
	index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id]' size=4 max='4' rl='0-u32max'

	drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
	index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id][index]' size=11 max='11' rl='0-11'

drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c
    504 static inline unsigned int rkcif_mipi_id_get_reg(struct rkcif_stream *stream,
    505                                                  unsigned int index)
    506 {
    507         struct rkcif_device *rkcif = stream->rkcif;
    508         unsigned int block, id, offset, reg;
    509 
    510         block = stream->interface->index - RKCIF_MIPI_BASE;
    511         id = stream->id;
    512 
    513         if (WARN_ON_ONCE(block > RKCIF_MIPI_MAX - RKCIF_MIPI_BASE) ||
    514             WARN_ON_ONCE(id > RKCIF_ID_MAX) ||
    515             WARN_ON_ONCE(index > RKCIF_MIPI_ID_REGISTER_MAX))

The id and index checks should be >=.  Not sure about block but I assume
it's off by one as well.

    516                 return RKCIF_REGISTER_NOTSUPPORTED;
    517 
    518         offset = rkcif->match_data->mipi->blocks[block].offset;
--> 519         reg = rkcif->match_data->mipi->regs_id[id][index];
    520         if (reg == RKCIF_REGISTER_NOTSUPPORTED)
    521                 return reg;
    522 
    523         return offset + reg;
    524 }

regards,
dan carpenter

* Re: [bug report] media: rockchip: rkcif: add support for rk3568 vicap mipi capture
From: Michael Riesch @ 2026-02-16 13:33 UTC
To: Dan Carpenter; +Cc: linux-media, linux-rockchip, linux-kernel

Hi Dan,

On 2/6/26 14:39, Dan Carpenter wrote:
> [ Smatch checking is paused while we raise funding.  #SadFace
>   https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
> Hello Michael Riesch,
>
> Commit 1f2353f5a1af ("media: rockchip: rkcif: add support for rk3568
> vicap mipi capture") from Nov 14, 2025 (linux-next), leads to the
> following Smatch static checker warning:
>
> 	drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
> 	index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id]' size=4 max='4' rl='0-u32max'
>
> 	drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
> 	index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id][index]' size=11 max='11' rl='0-11'
>
> drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c
>     504 static inline unsigned int rkcif_mipi_id_get_reg(struct rkcif_stream *stream,
>     505                                                  unsigned int index)
>     506 {
>     507         struct rkcif_device *rkcif = stream->rkcif;
>     508         unsigned int block, id, offset, reg;
>     509 
>     510         block = stream->interface->index - RKCIF_MIPI_BASE;
>     511         id = stream->id;
>     512 
>     513         if (WARN_ON_ONCE(block > RKCIF_MIPI_MAX - RKCIF_MIPI_BASE) ||
>     514             WARN_ON_ONCE(id > RKCIF_ID_MAX) ||
>     515             WARN_ON_ONCE(index > RKCIF_MIPI_ID_REGISTER_MAX))
>
>
> The id and index checks should be >=.  Not sure about block but I assume
> it's off by one as well.

Thanks for the heads up. I started fixing this and then recalled some
previous work on that issue. I found that you submitted a patch that
fixes exactly this, but this patch hasn't been applied for whatever
reason.

Since I have some other fixes for the rkcif driver, I'll give your patch
another spin in the scope of that series -- hope this is OK for you!

Best regards,
Michael

>
>     516                 return RKCIF_REGISTER_NOTSUPPORTED;
>     517 
>     518         offset = rkcif->match_data->mipi->blocks[block].offset;
> --> 519         reg = rkcif->match_data->mipi->regs_id[id][index];
>     520         if (reg == RKCIF_REGISTER_NOTSUPPORTED)
>     521                 return reg;
>     522 
>     523         return offset + reg;
>     524 }
>
> regards,
> dan carpenter

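The two off-by-one reports above (`index > formats_num` and `id > RKCIF_ID_MAX`), modelled in userspace as an added example that is not code from the thread or from either driver. The names `ID_MAX`, `REG_MAX`, `backing`, `lookup_loose`, `lookup_strict` and `count_escapes` are assumptions; only the sizes 4 and 11 come from the Smatch output.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model; the sizes come from the Smatch output (size=4, size=11). */
#define ID_MAX  4
#define REG_MAX 11
#define GUARD   0xdeadu

/* Flat store with slack after the 4x11 table, so the loose check runs without UB. */
static unsigned int backing[(ID_MAX + 1) * REG_MAX + 1];

static void table_init(void)
{
	for (unsigned int i = 0; i < sizeof(backing) / sizeof(backing[0]); i++)
		backing[i] = i < ID_MAX * REG_MAX ? i : GUARD;
}

/* Same operators as the reported check: '>' admits id == ID_MAX. */
static int lookup_loose(unsigned int id, unsigned int index, unsigned int *reg)
{
	if (id > ID_MAX || index > REG_MAX)
		return -EINVAL;
	*reg = backing[id * REG_MAX + index];
	return 0;
}

/* Corrected check: valid indices are 0 .. size - 1. */
static int lookup_strict(unsigned int id, unsigned int index, unsigned int *reg)
{
	if (id >= ID_MAX || index >= REG_MAX)
		return -EINVAL;
	*reg = backing[id * REG_MAX + index];
	return 0;
}

typedef int (*lookup_fn)(unsigned int, unsigned int, unsigned int *);

/* Count (id, index) pairs the check accepts although they lie outside the table. */
static unsigned int count_escapes(lookup_fn fn)
{
	unsigned int reg, escapes = 0;
	table_init();
	for (unsigned int id = 0; id <= ID_MAX + 1; id++)
		for (unsigned int index = 0; index <= REG_MAX + 1; index++)
			if (fn(id, index, &reg) == 0 &&
			    (id >= ID_MAX || index >= REG_MAX))
				escapes++;
	return escapes;
}

int main(void)
{
	printf("loose=%u strict=%u\n", count_escapes(lookup_loose), count_escapes(lookup_strict));
	return 0;
}
```

In this model an inner index equal to `REG_MAX` on rows 0 to 2 does not leave the table at all: it silently returns column 0 of the next row, which is why the inner-dimension check matters even when the read stays inside the allocation.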
* [bug report] media: iris: gen1: Destroy internal buffers after FW releases
From: Dan Carpenter @ 2026-02-06 13:39 UTC
To: Dikshita Agarwal; +Cc: Abhinav Kumar, linux-media, linux-arm-msm, linux-kernel

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Dikshita Agarwal,

Commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers
after FW releases") from Dec 29, 2025 (linux-next), leads to the
following Smatch static checker warning:

	drivers/media/platform/qcom/iris/iris_buffer.c:588 iris_release_internal_buffers()
	error: dereferencing freed memory 'buffer' (line 585)

drivers/media/platform/qcom/iris/iris_buffer.c
    572 static int iris_release_internal_buffers(struct iris_inst *inst,
    573                                          enum iris_buffer_type buffer_type)
    574 {
    575         const struct iris_hfi_command_ops *hfi_ops = inst->core->hfi_ops;
    576         struct iris_buffers *buffers = &inst->buffers[buffer_type];
    577         struct iris_buffer *buffer, *next;
    578         int ret;
    579 
    580         list_for_each_entry_safe(buffer, next, &buffers->list, list) {
    581                 if (buffer->attr & BUF_ATTR_PENDING_RELEASE)
    582                         continue;
    583                 if (!(buffer->attr & BUF_ATTR_QUEUED))
    584                         continue;
    585                 ret = hfi_ops->session_release_buf(inst, buffer);

The commit adds a free of buffer to ->session_release_buf().

    586                 if (ret)
    587                         return ret;
--> 588                 buffer->attr |= BUF_ATTR_PENDING_RELEASE;
                        ^^^^^^^^^^^^
Use after free.

    589         }
    590 
    591         return 0;
    592 }

regards,
dan carpenter

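The ordering problem in the iris report (a callee frees the object, the caller writes to it afterwards), modelled in userspace as an added example; it is not the driver's code and not the fix chosen upstream. `pool`, `set_attr`, `release_buf` and `run_release` are hypothetical names, the `live` flag replaces a real `free()` so the stale write can be counted safely, and the callee is assumed to free the buffer only on success.

```c
#include <stdio.h>

#define BUF_ATTR_PENDING_RELEASE 0x2u
#define NBUF 4

/* 'live' is cleared instead of calling free(), so a stale access can be
 * counted here without real undefined behaviour. */
struct buf { unsigned int attr; int live; };

static struct buf pool[NBUF];
static unsigned int stale_writes;

/* Checked store: counts a write to a slot that was already released. */
static void set_attr(struct buf *b, unsigned int bits)
{
	if (!b->live)
		stale_writes++;
	else
		b->attr |= bits;
}

/* Assumed callee behaviour: on success it frees the buffer it was given. */
static int release_buf(struct buf *b)
{
	b->live = 0;
	return 0;
}

/* flag_first == 0: order from the report (call, then touch the buffer).
 * flag_first == 1: last use happens before ownership is handed over. */
static unsigned int run_release(int flag_first)
{
	stale_writes = 0;
	for (int i = 0; i < NBUF; i++) {
		struct buf *b = &pool[i];

		*b = (struct buf){ .attr = 0, .live = 1 };
		if (flag_first)
			set_attr(b, BUF_ATTR_PENDING_RELEASE);
		if (release_buf(b)) {
			/* Assumption: on failure the buffer is still ours. */
			b->attr &= ~BUF_ATTR_PENDING_RELEASE;
			break;
		}
		if (!flag_first)
			set_attr(b, BUF_ATTR_PENDING_RELEASE);
	}
	return stale_writes;
}

int main(void)
{
	printf("call-then-flag: %u stale writes\n", run_release(0));
	printf("flag-then-call: %u stale writes\n", run_release(1));
	return 0;
}
```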
* [bug report] media: chips-media: wave5: Fix Null reference while testing fluster
From: Dan Carpenter @ 2026-02-06 13:40 UTC
To: Jackson Lee; +Cc: linux-media, linux-kernel

[ Smatch checking is paused while we raise funding.  #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Jackson Lee,

Commit e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference
while testing fluster") from Nov 19, 2025 (linux-next), leads to the
following Smatch static checker warning:

	drivers/media/platform/chips-media/wave5/wave5-vpu.c:415 wave5_vpu_probe()
	error: 'dev->irq_thread' dereferencing possible ERR_PTR()

drivers/media/platform/chips-media/wave5/wave5-vpu.c
    261 static int wave5_vpu_probe(struct platform_device *pdev)
    262 {
    263         int ret;
    264         struct vpu_device *dev;
    265         const struct wave5_match_data *match_data;
    266         u32 fw_revision;
    267 
    268         match_data = device_get_match_data(&pdev->dev);
    269         if (!match_data) {
    270                 dev_err(&pdev->dev, "missing device match data\n");
    271                 return -EINVAL;
    272         }
    273 
    274         /* physical addresses limited to 32 bits */
    275         ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
    276         if (ret) {
    277                 dev_err(&pdev->dev, "Failed to set DMA mask: %d\n", ret);
    278                 return ret;
    279         }
    280 
    281         dev = devm_kzalloc(&pdev->dev, sizeof(*dev), GFP_KERNEL);
    282         if (!dev)
    283                 return -ENOMEM;
    284 
    285         dev->vdb_register = devm_platform_ioremap_resource(pdev, 0);
    286         if (IS_ERR(dev->vdb_register))
    287                 return PTR_ERR(dev->vdb_register);
    288         ida_init(&dev->inst_ida);
    289 
    290         mutex_init(&dev->dev_lock);
    291         mutex_init(&dev->hw_lock);
    292         mutex_init(&dev->irq_lock);
    293         spin_lock_init(&dev->irq_spinlock);
    294         dev_set_drvdata(&pdev->dev, dev);
    295         dev->dev = &pdev->dev;
    296 
    297         dev->resets = devm_reset_control_array_get_optional_exclusive(&pdev->dev);
    298         if (IS_ERR(dev->resets)) {
    299                 return dev_err_probe(&pdev->dev, PTR_ERR(dev->resets),
    300                                      "Failed to get reset control\n");
    301         }
    302 
    303         ret = reset_control_deassert(dev->resets);
    304         if (ret)
    305                 return dev_err_probe(&pdev->dev, ret, "Failed to deassert resets\n");
    306 
    307         ret = devm_clk_bulk_get_all(&pdev->dev, &dev->clks);
    308 
    309         /* continue without clock, assume externally managed */
    310         if (ret < 0) {
    311                 dev_warn(&pdev->dev, "Getting clocks, fail: %d\n", ret);
    312                 ret = 0;
    313         }
    314         dev->num_clks = ret;
    315 
    316         ret = clk_bulk_prepare_enable(dev->num_clks, dev->clks);
    317         if (ret) {
    318                 dev_err(&pdev->dev, "Enabling clocks, fail: %d\n", ret);
    319                 goto err_reset_assert;
    320         }
    321 
    322         dev->sram_pool = of_gen_pool_get(pdev->dev.of_node, "sram", 0);
    323         if (!dev->sram_pool)
    324                 dev_warn(&pdev->dev, "sram node not found\n");
    325 
    326         dev->sram_size = match_data->sram_size;
    327 
    328         dev->product_code = wave5_vdi_read_register(dev, VPU_PRODUCT_CODE_REGISTER);
    329         ret = wave5_vdi_init(&pdev->dev);
    330         if (ret < 0) {
    331                 dev_err(&pdev->dev, "wave5_vdi_init, fail: %d\n", ret);
    332                 goto err_clk_dis;
    333         }
    334         dev->product = wave5_vpu_get_product_id(dev);
    335 
    336         INIT_LIST_HEAD(&dev->instances);
    337 
    338         dev->irq = platform_get_irq(pdev, 0);
    339         if (dev->irq < 0) {
    340                 dev_err(&pdev->dev, "failed to get irq resource, falling back to polling\n");
    341                 sema_init(&dev->irq_sem, 1);
    342                 dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");

Add error checking for if kthread_run() fails?

    343                 hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback, CLOCK_MONOTONIC,
    344                               HRTIMER_MODE_REL_PINNED);
    345                 dev->worker = kthread_run_worker(0, "vpu_irq_thread");
    346                 if (IS_ERR(dev->worker)) {
    347                         dev_err(&pdev->dev, "failed to create vpu irq worker\n");
    348                         ret = PTR_ERR(dev->worker);
    349                         goto err_vdi_release;
    350                 }
    351                 dev->vpu_poll_interval = vpu_poll_interval;
    352                 kthread_init_work(&dev->work, wave5_vpu_irq_work_fn);
    353         } else {
    354                 ret = devm_request_threaded_irq(&pdev->dev, dev->irq, wave5_vpu_irq,
    355                                                 wave5_vpu_irq_thread, IRQF_ONESHOT, "vpu_irq", dev);
    356                 if (ret) {
    357                         dev_err(&pdev->dev, "Register interrupt handler, fail: %d\n", ret);
    358                         goto err_enc_unreg;
    359                 }
    360         }
    361 
    362         ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
    363         if (ret) {
    364                 dev_err(&pdev->dev, "v4l2_device_register, fail: %d\n", ret);
    365                 goto err_irq_release;
    366         }
    367 
    368         if (match_data->flags & WAVE5_IS_DEC) {
    369                 ret = wave5_vpu_dec_register_device(dev);
    370                 if (ret) {
    371                         dev_err(&pdev->dev, "wave5_vpu_dec_register_device, fail: %d\n", ret);
    372                         goto err_v4l2_unregister;
    373                 }
    374         }
    375         if (match_data->flags & WAVE5_IS_ENC) {
    376                 ret = wave5_vpu_enc_register_device(dev);
    377                 if (ret) {
    378                         dev_err(&pdev->dev, "wave5_vpu_enc_register_device, fail: %d\n", ret);
    379                         goto err_dec_unreg;
    380                 }
    381         }
    382 
    383         ret = wave5_vpu_load_firmware(&pdev->dev, match_data->fw_name, &fw_revision);
    384         if (ret) {
    385                 dev_err(&pdev->dev, "wave5_vpu_load_firmware, fail: %d\n", ret);
    386                 goto err_enc_unreg;
    387         }
    388 
    389         dev_info(&pdev->dev, "Added wave5 driver with caps: %s %s\n",
    390                  (match_data->flags & WAVE5_IS_ENC) ? "'ENCODE'" : "",
    391                  (match_data->flags & WAVE5_IS_DEC) ? "'DECODE'" : "");
    392         dev_info(&pdev->dev, "Product Code:      0x%x\n", dev->product_code);
    393         dev_info(&pdev->dev, "Firmware Revision: %u\n", fw_revision);
    394 
    395         pm_runtime_set_autosuspend_delay(&pdev->dev, 500);
    396         pm_runtime_use_autosuspend(&pdev->dev);
    397         pm_runtime_enable(&pdev->dev);
    398         wave5_vpu_sleep_wake(&pdev->dev, true, NULL, 0);
    399 
    400         return 0;
    401 
    402 err_enc_unreg:
    403         if (match_data->flags & WAVE5_IS_ENC)
    404                 wave5_vpu_enc_unregister_device(dev);
    405 err_dec_unreg:
    406         if (match_data->flags & WAVE5_IS_DEC)
    407                 wave5_vpu_dec_unregister_device(dev);
    408 err_v4l2_unregister:
    409         v4l2_device_unregister(&dev->v4l2_dev);
    410 err_irq_release:
    411         if (dev->irq < 0)
    412                 kthread_destroy_worker(dev->worker);
    413 err_vdi_release:
    414         if (dev->irq_thread) {
--> 415                 kthread_stop(dev->irq_thread);
    416                 up(&dev->irq_sem);
    417                 dev->irq_thread = NULL;
    418         }
    419         wave5_vdi_release(&pdev->dev);
    420 err_clk_dis:
    421         clk_bulk_disable_unprepare(dev->num_clks, dev->clks);
    422 err_reset_assert:
    423         reset_control_assert(dev->resets);
    424 
    425         return ret;
    426 }

regards,
dan carpenter

* RE: [bug report] media: chips-media: wave5: Fix Null reference while testing fluster
From: Nas Chung @ 2026-02-11 7:59 UTC
To: Dan Carpenter; +Cc: linux-media@vger.kernel.org, linux-kernel, jackson.lee

Hi, Dan.

>-----Original Message-----
>From: Dan Carpenter <dan.carpenter@linaro.org>
>Sent: Friday, February 6, 2026 10:41 PM
>To: jackson.lee <jackson.lee@chipsnmedia.com>
>Cc: linux-media@vger.kernel.org; linux-kernel <linux-
>kernel@vger.kernel.org>
>Subject: [bug report] media: chips-media: wave5: Fix Null reference while
>testing fluster
>
>[ Smatch checking is paused while we raise funding.  #SadFace
>  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
>Hello Jackson Lee,
>
>Commit e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference
>while testing fluster") from Nov 19, 2025 (linux-next), leads to the
>following Smatch static checker warning:
>
>	drivers/media/platform/chips-media/wave5/wave5-vpu.c:415
>wave5_vpu_probe()
>	error: 'dev->irq_thread' dereferencing possible ERR_PTR()
>
>drivers/media/platform/chips-media/wave5/wave5-vpu.c
>    327
>    328         dev->product_code = wave5_vdi_read_register(dev,
>VPU_PRODUCT_CODE_REGISTER);
>    329         ret = wave5_vdi_init(&pdev->dev);
>    330         if (ret < 0) {
>    331                 dev_err(&pdev->dev, "wave5_vdi_init, fail: %d\n", ret);
>    332                 goto err_clk_dis;
>    333         }
>    334         dev->product = wave5_vpu_get_product_id(dev);
>    335
>    336         INIT_LIST_HEAD(&dev->instances);
>    337
>    338         dev->irq = platform_get_irq(pdev, 0);
>    339         if (dev->irq < 0) {
>    340                 dev_err(&pdev->dev, "failed to get irq resource, falling
>back to polling\n");
>    341                 sema_init(&dev->irq_sem, 1);
>    342                 dev->irq_thread = kthread_run(irq_thread, dev, "irq
>thread");
>
>Add error checking for if kthread_run() fails?

Thanks for the report.
A fix has been proposed by Alper Ak in a separate thread:
https://lore.kernel.org/all/20260207103224.609938-1-alperyasinak1@gmail.com/

I'm going to check it and run tests on my side.

Thanks.
Nas.

>
>    343                 hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>CLOCK_MONOTONIC,
>    344                               HRTIMER_MODE_REL_PINNED);
>
>regards,
>dan carpenter

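Why the `if (dev->irq_thread)` guard in the wave5 report does not protect the cleanup path, shown as an added userspace example; it is not the driver's code and not the fix proposed in the linked thread. `ERR_PTR`, `PTR_ERR` and `IS_ERR` are re-created here to follow the kernel's convention, and `thread_run`, `cleanup_hits_err_ptr`, `probe_unchecked` and `probe_checked` are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's error-pointer convention. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct task { int unused; };
struct vpu { struct task *irq_thread; };

static struct task poll_task;

/* Hypothetical stand-in for kthread_run(): failure is an ERR_PTR, never NULL. */
static struct task *thread_run(int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : &poll_task;
}

/* Mirrors the 'if (dev->irq_thread)' guard on the error path: returns 1 when
 * cleanup would pass a non-dereferenceable pointer on to the stop routine. */
static int cleanup_hits_err_ptr(const struct vpu *v)
{
	return v->irq_thread != NULL && IS_ERR(v->irq_thread);
}

/* Result stored unchecked, as in the reported probe path. */
static int probe_unchecked(struct vpu *v, int fail)
{
	v->irq_thread = thread_run(fail);
	return 0;
}

/* Checked immediately; the field is reset so a NULL guard stays valid. */
static int probe_checked(struct vpu *v, int fail)
{
	v->irq_thread = thread_run(fail);
	if (IS_ERR(v->irq_thread)) {
		int ret = (int)PTR_ERR(v->irq_thread);
		v->irq_thread = NULL;
		return ret;
	}
	return 0;
}

int main(void)
{
	struct vpu a = { 0 }, b = { 0 };

	probe_unchecked(&a, 1);
	printf("unchecked: cleanup hits ERR_PTR = %d\n", cleanup_hits_err_ptr(&a));
	printf("checked:   probe returns %d\n", probe_checked(&b, 1));
	return 0;
}
```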