* [bug report] media: synopsys: add driver for the designware mipi csi-2 receiver
From: Dan Carpenter @ 2026-02-06 13:39 UTC (permalink / raw)
To: Michael Riesch; +Cc: linux-media, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
Hello Michael Riesch,
Commit 355a11004066 ("media: synopsys: add driver for the designware
mipi csi-2 receiver") from Jan 20, 2026 (linux-next), leads to the
following Smatch static checker warning:
    drivers/media/platform/synopsys/dw-mipi-csi2rx.c:307 dw_mipi_csi2rx_enum_mbus_code()
    warn: array off by one? 'csi2->formats[code->index]'

drivers/media/platform/synopsys/dw-mipi-csi2rx.c
    286 static int
    287 dw_mipi_csi2rx_enum_mbus_code(struct v4l2_subdev *sd,
    288                               struct v4l2_subdev_state *sd_state,
    289                               struct v4l2_subdev_mbus_code_enum *code)
    290 {
    291         struct dw_mipi_csi2rx_device *csi2 = to_csi2(sd);
    292
    293         switch (code->pad) {
    294         case DW_MIPI_CSI2RX_PAD_SRC:
    295                 if (code->index)
    296                         return -EINVAL;
    297
    298                 code->code =
    299                         v4l2_subdev_state_get_format(sd_state,
    300                                                      DW_MIPI_CSI2RX_PAD_SINK)->code;
    301
    302                 return 0;
    303         case DW_MIPI_CSI2RX_PAD_SINK:
    304                 if (code->index > csi2->formats_num)

This should be >=.

    305                         return -EINVAL;
    306
--> 307                 code->code = csi2->formats[code->index].code;
    308                 return 0;
    309         default:
    310                 return -EINVAL;
    311         }
    312 }

regards,
dan carpenter
* [bug report] media: rockchip: rkcif: add support for rk3568 vicap mipi capture
From: Dan Carpenter @ 2026-02-06 13:39 UTC (permalink / raw)
To: Michael Riesch; +Cc: linux-media, linux-rockchip, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
Hello Michael Riesch,
Commit 1f2353f5a1af ("media: rockchip: rkcif: add support for rk3568
vicap mipi capture") from Nov 14, 2025 (linux-next), leads to the
following Smatch static checker warning:
    drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
    index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id]' size=4 max='4' rl='0-u32max'

    drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
    index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id][index]' size=11 max='11' rl='0-11'

drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c
    504 static inline unsigned int rkcif_mipi_id_get_reg(struct rkcif_stream *stream,
    505                                                  unsigned int index)
    506 {
    507         struct rkcif_device *rkcif = stream->rkcif;
    508         unsigned int block, id, offset, reg;
    509
    510         block = stream->interface->index - RKCIF_MIPI_BASE;
    511         id = stream->id;
    512
    513         if (WARN_ON_ONCE(block > RKCIF_MIPI_MAX - RKCIF_MIPI_BASE) ||
    514             WARN_ON_ONCE(id > RKCIF_ID_MAX) ||
    515             WARN_ON_ONCE(index > RKCIF_MIPI_ID_REGISTER_MAX))

The id and index checks should be >=. Not sure about block but I assume
it's off by one as well.

    516                 return RKCIF_REGISTER_NOTSUPPORTED;
    517
    518         offset = rkcif->match_data->mipi->blocks[block].offset;
--> 519         reg = rkcif->match_data->mipi->regs_id[id][index];
    520         if (reg == RKCIF_REGISTER_NOTSUPPORTED)
    521                 return reg;
    522
    523         return offset + reg;
    524 }

regards,
dan carpenter
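
Both reports above come down to the same bound: an index equal to the element count passes a ">" check. The userspace model below is an added example, not code from either driver; the table, its codes and the guard slot are constructed, and it shows a caller that enumerates until -EINVAL receiving one extra entry until the check becomes ">=".

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define GUARD 0xdeadu	/* constructed marker, not a real bus code */

/*
 * Hypothetical format table with constructed codes. Only the first FORMATS_NUM
 * entries are valid; the extra guard slot stands for whatever follows the
 * array, so the off-by-one read is observable without undefined behaviour.
 */
static const uint32_t formats[] = { 0x3001, 0x3007, 0x300e, GUARD };
#define FORMATS_NUM (ARRAY_SIZE(formats) - 1)

/* Check as flagged in the reports: index == FORMATS_NUM slips through. */
static int enum_code_buggy(size_t index, uint32_t *code)
{
	if (index > FORMATS_NUM)
		return -EINVAL;
	*code = formats[index];
	return 0;
}

/* Corrected check: valid indices are 0 .. FORMATS_NUM - 1. */
static int enum_code_fixed(size_t index, uint32_t *code)
{
	if (index >= FORMATS_NUM)
		return -EINVAL;
	*code = formats[index];
	return 0;
}

/* Enumerate like a caller would: raise index until -EINVAL, count entries. */
static size_t enumerate(int (*fn)(size_t, uint32_t *), int *saw_guard)
{
	uint32_t code;
	size_t n = 0;

	for (*saw_guard = 0; fn(n, &code) == 0; n++)
		if (code == GUARD)
			*saw_guard = 1;
	return n;
}

int main(void)
{
	int bad, ok;

	/* 4 entries and the guard leak out with '>', 3 and no guard with '>='. */
	return !(enumerate(enum_code_buggy, &bad) == 4 && bad &&
		 enumerate(enum_code_fixed, &ok) == 3 && !ok);
}
```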
* [bug report] media: iris: gen1: Destroy internal buffers after FW releases
From: Dan Carpenter @ 2026-02-06 13:39 UTC (permalink / raw)
To: Dikshita Agarwal; +Cc: Abhinav Kumar, linux-media, linux-arm-msm, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
Hello Dikshita Agarwal,
Commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers
after FW releases") from Dec 29, 2025 (linux-next), leads to the
following Smatch static checker warning:
    drivers/media/platform/qcom/iris/iris_buffer.c:588 iris_release_internal_buffers()
    error: dereferencing freed memory 'buffer' (line 585)

drivers/media/platform/qcom/iris/iris_buffer.c
    572 static int iris_release_internal_buffers(struct iris_inst *inst,
    573                                          enum iris_buffer_type buffer_type)
    574 {
    575         const struct iris_hfi_command_ops *hfi_ops = inst->core->hfi_ops;
    576         struct iris_buffers *buffers = &inst->buffers[buffer_type];
    577         struct iris_buffer *buffer, *next;
    578         int ret;
    579
    580         list_for_each_entry_safe(buffer, next, &buffers->list, list) {
    581                 if (buffer->attr & BUF_ATTR_PENDING_RELEASE)
    582                         continue;
    583                 if (!(buffer->attr & BUF_ATTR_QUEUED))
    584                         continue;
    585                 ret = hfi_ops->session_release_buf(inst, buffer);

The commit adds a free of buffer to ->session_release_buf().

    586                 if (ret)
    587                         return ret;
--> 588                 buffer->attr |= BUF_ATTR_PENDING_RELEASE;
                        ^^^^^^^^^^^^
Use after free.

    589         }
    590
    591         return 0;
    592 }

regards,
dan carpenter
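
The ownership problem in this report, as an added userspace model that is not the iris driver's code and not its fix: list_for_each_entry_safe() only keeps the walk itself valid, so once the callee may free the current entry the caller has to be finished with it before the call. The list type, the flag values and the callee's contract (free on success, leave alone on failure) are assumptions made for the example.

```c
#include <stdlib.h>

#define ATTR_QUEUED          0x1u
#define ATTR_PENDING_RELEASE 0x2u

struct buf { unsigned int attr; struct buf *next; };	/* hypothetical */
static int released;	/* buffers freed by the callee */

/* Assumed contract: returns 0 and frees 'b', or fails and leaves it alone. */
static int session_release(struct buf *b)
{
	free(b);
	released++;
	return 0;
}

static struct buf *push(struct buf *head, unsigned int attr)
{
	struct buf *b = malloc(sizeof(*b));

	if (!b)
		abort();
	b->attr = attr;
	b->next = head;
	return b;
}

/* A "safe" list walk protects only the cursor, not 'b' itself, once the */
/* callee frees it: unlink first and never touch 'b' after the call. */
static int release_queued(struct buf **head)
{
	struct buf **link = head, *b;
	int ret;

	while ((b = *link)) {
		if ((b->attr & ATTR_PENDING_RELEASE) || !(b->attr & ATTR_QUEUED)) {
			link = &b->next;	/* entry stays on the list */
			continue;
		}
		*link = b->next;		/* unlink while 'b' is valid */
		ret = session_release(b);	/* 'b' may be freed: no b->attr write after */
		if (ret) {
			*link = b;		/* not freed: put it back */
			return ret;
		}
	}
	return 0;
}

int main(void)
{
	struct buf *head = push(push(push(NULL, ATTR_QUEUED), 0), ATTR_QUEUED);

	return release_queued(&head) || released != 2;
}
```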
* [bug report] media: chips-media: wave5: Fix Null reference while testing fluster
From: Dan Carpenter @ 2026-02-06 13:40 UTC (permalink / raw)
To: Jackson Lee; +Cc: linux-media, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
Hello Jackson Lee,
Commit e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference
while testing fluster") from Nov 19, 2025 (linux-next), leads to the
following Smatch static checker warning:
    drivers/media/platform/chips-media/wave5/wave5-vpu.c:415 wave5_vpu_probe()
    error: 'dev->irq_thread' dereferencing possible ERR_PTR()

drivers/media/platform/chips-media/wave5/wave5-vpu.c
    261 static int wave5_vpu_probe(struct platform_device *pdev)
    262 {
    263         int ret;
    264         struct vpu_device *dev;
    265         const struct wave5_match_data *match_data;
    266         u32 fw_revision;
    267
    268         match_data = device_get_match_data(&pdev->dev);
    269         if (!match_data) {
    270                 dev_err(&pdev->dev, "missing device match data\n");
    271                 return -EINVAL;
    272         }
    273
    274         /* physical addresses limited to 32 bits */
    275         ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
    276         if (ret) {
    277                 dev_err(&pdev->dev, "Failed to set DMA mask: %d\n", ret);
    278                 return ret;
    279         }
    280
    281         dev = devm_kzalloc(&pdev->dev, sizeof(*dev), GFP_KERNEL);
    282         if (!dev)
    283                 return -ENOMEM;
    284
    285         dev->vdb_register = devm_platform_ioremap_resource(pdev, 0);
    286         if (IS_ERR(dev->vdb_register))
    287                 return PTR_ERR(dev->vdb_register);
    288         ida_init(&dev->inst_ida);
    289
    290         mutex_init(&dev->dev_lock);
    291         mutex_init(&dev->hw_lock);
    292         mutex_init(&dev->irq_lock);
    293         spin_lock_init(&dev->irq_spinlock);
    294         dev_set_drvdata(&pdev->dev, dev);
    295         dev->dev = &pdev->dev;
    296
    297         dev->resets = devm_reset_control_array_get_optional_exclusive(&pdev->dev);
    298         if (IS_ERR(dev->resets)) {
    299                 return dev_err_probe(&pdev->dev, PTR_ERR(dev->resets),
    300                                      "Failed to get reset control\n");
    301         }
    302
    303         ret = reset_control_deassert(dev->resets);
    304         if (ret)
    305                 return dev_err_probe(&pdev->dev, ret, "Failed to deassert resets\n");
    306
    307         ret = devm_clk_bulk_get_all(&pdev->dev, &dev->clks);
    308
    309         /* continue without clock, assume externally managed */
    310         if (ret < 0) {
    311                 dev_warn(&pdev->dev, "Getting clocks, fail: %d\n", ret);
    312                 ret = 0;
    313         }
    314         dev->num_clks = ret;
    315
    316         ret = clk_bulk_prepare_enable(dev->num_clks, dev->clks);
    317         if (ret) {
    318                 dev_err(&pdev->dev, "Enabling clocks, fail: %d\n", ret);
    319                 goto err_reset_assert;
    320         }
    321
    322         dev->sram_pool = of_gen_pool_get(pdev->dev.of_node, "sram", 0);
    323         if (!dev->sram_pool)
    324                 dev_warn(&pdev->dev, "sram node not found\n");
    325
    326         dev->sram_size = match_data->sram_size;
    327
    328         dev->product_code = wave5_vdi_read_register(dev, VPU_PRODUCT_CODE_REGISTER);
    329         ret = wave5_vdi_init(&pdev->dev);
    330         if (ret < 0) {
    331                 dev_err(&pdev->dev, "wave5_vdi_init, fail: %d\n", ret);
    332                 goto err_clk_dis;
    333         }
    334         dev->product = wave5_vpu_get_product_id(dev);
    335
    336         INIT_LIST_HEAD(&dev->instances);
    337
    338         dev->irq = platform_get_irq(pdev, 0);
    339         if (dev->irq < 0) {
    340                 dev_err(&pdev->dev, "failed to get irq resource, falling back to polling\n");
    341                 sema_init(&dev->irq_sem, 1);
    342                 dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");

Add error checking for if kthread_run() fails?

    343                 hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback, CLOCK_MONOTONIC,
    344                               HRTIMER_MODE_REL_PINNED);
    345                 dev->worker = kthread_run_worker(0, "vpu_irq_thread");
    346                 if (IS_ERR(dev->worker)) {
    347                         dev_err(&pdev->dev, "failed to create vpu irq worker\n");
    348                         ret = PTR_ERR(dev->worker);
    349                         goto err_vdi_release;
    350                 }
    351                 dev->vpu_poll_interval = vpu_poll_interval;
    352                 kthread_init_work(&dev->work, wave5_vpu_irq_work_fn);
    353         } else {
    354                 ret = devm_request_threaded_irq(&pdev->dev, dev->irq, wave5_vpu_irq,
    355                                                 wave5_vpu_irq_thread, IRQF_ONESHOT, "vpu_irq", dev);
    356                 if (ret) {
    357                         dev_err(&pdev->dev, "Register interrupt handler, fail: %d\n", ret);
    358                         goto err_enc_unreg;
    359                 }
    360         }
    361
    362         ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
    363         if (ret) {
    364                 dev_err(&pdev->dev, "v4l2_device_register, fail: %d\n", ret);
    365                 goto err_irq_release;
    366         }
    367
    368         if (match_data->flags & WAVE5_IS_DEC) {
    369                 ret = wave5_vpu_dec_register_device(dev);
    370                 if (ret) {
    371                         dev_err(&pdev->dev, "wave5_vpu_dec_register_device, fail: %d\n", ret);
    372                         goto err_v4l2_unregister;
    373                 }
    374         }
    375         if (match_data->flags & WAVE5_IS_ENC) {
    376                 ret = wave5_vpu_enc_register_device(dev);
    377                 if (ret) {
    378                         dev_err(&pdev->dev, "wave5_vpu_enc_register_device, fail: %d\n", ret);
    379                         goto err_dec_unreg;
    380                 }
    381         }
    382
    383         ret = wave5_vpu_load_firmware(&pdev->dev, match_data->fw_name, &fw_revision);
    384         if (ret) {
    385                 dev_err(&pdev->dev, "wave5_vpu_load_firmware, fail: %d\n", ret);
    386                 goto err_enc_unreg;
    387         }
    388
    389         dev_info(&pdev->dev, "Added wave5 driver with caps: %s %s\n",
    390                  (match_data->flags & WAVE5_IS_ENC) ? "'ENCODE'" : "",
    391                  (match_data->flags & WAVE5_IS_DEC) ? "'DECODE'" : "");
    392         dev_info(&pdev->dev, "Product Code: 0x%x\n", dev->product_code);
    393         dev_info(&pdev->dev, "Firmware Revision: %u\n", fw_revision);
    394
    395         pm_runtime_set_autosuspend_delay(&pdev->dev, 500);
    396         pm_runtime_use_autosuspend(&pdev->dev);
    397         pm_runtime_enable(&pdev->dev);
    398         wave5_vpu_sleep_wake(&pdev->dev, true, NULL, 0);
    399
    400         return 0;
    401
    402 err_enc_unreg:
    403         if (match_data->flags & WAVE5_IS_ENC)
    404                 wave5_vpu_enc_unregister_device(dev);
    405 err_dec_unreg:
    406         if (match_data->flags & WAVE5_IS_DEC)
    407                 wave5_vpu_dec_unregister_device(dev);
    408 err_v4l2_unregister:
    409         v4l2_device_unregister(&dev->v4l2_dev);
    410 err_irq_release:
    411         if (dev->irq < 0)
    412                 kthread_destroy_worker(dev->worker);
    413 err_vdi_release:
    414         if (dev->irq_thread) {
--> 415                 kthread_stop(dev->irq_thread);
    416                 up(&dev->irq_sem);
    417                 dev->irq_thread = NULL;
    418         }
    419         wave5_vdi_release(&pdev->dev);
    420 err_clk_dis:
    421         clk_bulk_disable_unprepare(dev->num_clks, dev->clks);
    422 err_reset_assert:
    423         reset_control_assert(dev->resets);
    424
    425         return ret;
    426 }

regards,
dan carpenter
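
Why the cleanup at line 415 can be reached with an error pointer, as an added userspace model that is not the wave5 driver's code and not the fix proposed for it: kthread_run() reports failure with an ERR_PTR() value, which is non-NULL and therefore passes an "if (ptr)" test. The helper macros approximate the kernel's, and the fake_* functions, struct layouts and the later_err parameter are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace approximation of the kernel's error-pointer helpers. */
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((int)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)

struct task { int id; };
struct dev { struct task *irq_thread; int stops, bad_stops; };	/* hypothetical */
static struct task the_task;

/* Stand-in for kthread_run(): a valid task or ERR_PTR(-ENOMEM), never NULL. */
static struct task *fake_kthread_run(int fail)
{
	return fail ? ERR_PTR(-ENOMEM) : &the_task;
}

/* Stand-in for kthread_stop(): counts calls instead of dereferencing. */
static void fake_kthread_stop(struct dev *d)
{
	d->stops++;
	d->bad_stops += IS_ERR(d->irq_thread);	/* the real call dereferences it */
}

/* Shape flagged in the report: result unchecked, cleanup tests non-NULL only. */
static int probe_unchecked(struct dev *d, int fail, int later_err)
{
	d->irq_thread = fake_kthread_run(fail);
	if (later_err && d->irq_thread)		/* an ERR_PTR is non-NULL */
		fake_kthread_stop(d);
	return later_err;
}

/* Checked at the call site, so cleanup never sees an error pointer. */
static int probe_checked(struct dev *d, int fail, int later_err)
{
	struct task *t = fake_kthread_run(fail);

	if (IS_ERR(t))
		return PTR_ERR(t);	/* never stored in 'd' */
	d->irq_thread = t;
	if (later_err && d->irq_thread)
		fake_kthread_stop(d);
	return later_err;
}

int main(void)
{
	struct dev a = { 0 }, b = { 0 };

	probe_unchecked(&a, 1, -EIO);
	return !(a.bad_stops == 1 && probe_checked(&b, 1, -EIO) == -ENOMEM);
}
```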
* RE: [bug report] media: chips-media: wave5: Fix Null reference while testing fluster
From: Nas Chung @ 2026-02-11 7:59 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-media@vger.kernel.org, linux-kernel, jackson.lee
Hi, Dan.
>-----Original Message-----
>From: Dan Carpenter <dan.carpenter@linaro.org>
>Sent: Friday, February 6, 2026 10:41 PM
>To: jackson.lee <jackson.lee@chipsnmedia.com>
>Cc: linux-media@vger.kernel.org; linux-kernel <linux-
>kernel@vger.kernel.org>
>Subject: [bug report] media: chips-media: wave5: Fix Null reference while
>testing fluster
>
>[ Smatch checking is paused while we raise funding. #SadFace
> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
>Hello Jackson Lee,
>
>Commit e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference
>while testing fluster") from Nov 19, 2025 (linux-next), leads to the
>following Smatch static checker warning:
>
> drivers/media/platform/chips-media/wave5/wave5-vpu.c:415
>wave5_vpu_probe()
> error: 'dev->irq_thread' dereferencing possible ERR_PTR()
>
>drivers/media/platform/chips-media/wave5/wave5-vpu.c
> 327
> 328 dev->product_code = wave5_vdi_read_register(dev,
>VPU_PRODUCT_CODE_REGISTER);
> 329 ret = wave5_vdi_init(&pdev->dev);
> 330 if (ret < 0) {
> 331 dev_err(&pdev->dev, "wave5_vdi_init, fail: %d\n", ret);
> 332 goto err_clk_dis;
> 333 }
> 334 dev->product = wave5_vpu_get_product_id(dev);
> 335
> 336 INIT_LIST_HEAD(&dev->instances);
> 337
> 338 dev->irq = platform_get_irq(pdev, 0);
> 339 if (dev->irq < 0) {
> 340 dev_err(&pdev->dev, "failed to get irq resource, falling
>back to polling\n");
> 341 sema_init(&dev->irq_sem, 1);
> 342 dev->irq_thread = kthread_run(irq_thread, dev, "irq
>thread");
>
>Add error checking for if kthread_run() fails?
Thanks for the report.
A fix has been proposed by Alper Ak in a separate thread:
https://lore.kernel.org/all/20260207103224.609938-1-alperyasinak1@gmail.com/
I'm going to check it and run tests on my side.
Thanks.
Nas.
>
> 343 hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>CLOCK_MONOTONIC,
> 344 HRTIMER_MODE_REL_PINNED);
>
>regards,
>dan carpenter
* Re: [bug report] media: rockchip: rkcif: add support for rk3568 vicap mipi capture
From: Michael Riesch @ 2026-02-16 13:33 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-media, linux-rockchip, linux-kernel
Hi Dan,
On 2/6/26 14:39, Dan Carpenter wrote:
> [ Smatch checking is paused while we raise funding. #SadFace
> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
> Hello Michael Riesch,
>
> Commit 1f2353f5a1af ("media: rockchip: rkcif: add support for rk3568
> vicap mipi capture") from Nov 14, 2025 (linux-next), leads to the
> following Smatch static checker warning:
>
>     drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
>     index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id]' size=4 max='4' rl='0-u32max'
>
>     drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c:519 rkcif_mipi_id_get_reg()
>     index hardmax out of bounds 'rkcif->match_data->mipi->regs_id[id][index]' size=11 max='11' rl='0-11'
>
> drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c
>     504 static inline unsigned int rkcif_mipi_id_get_reg(struct rkcif_stream *stream,
>     505                                                  unsigned int index)
>     506 {
>     507         struct rkcif_device *rkcif = stream->rkcif;
>     508         unsigned int block, id, offset, reg;
>     509
>     510         block = stream->interface->index - RKCIF_MIPI_BASE;
>     511         id = stream->id;
>     512
>     513         if (WARN_ON_ONCE(block > RKCIF_MIPI_MAX - RKCIF_MIPI_BASE) ||
>     514             WARN_ON_ONCE(id > RKCIF_ID_MAX) ||
>     515             WARN_ON_ONCE(index > RKCIF_MIPI_ID_REGISTER_MAX))
>
>
> The id and index checks should be >=. Not sure about block but I assume
> it's off by one as well.
Thanks for the heads up. I started fixing this and then recalled some
previous work on that issue.
I found that you submitted a patch that fixes exactly this, but this
patch hasn't been applied for whatever reason.
Since I have some other fixes for the rkcif driver, I'll give your patch
another spin in the scope of that series -- hope this is OK for you!
Best regards,
Michael
>
>     516                 return RKCIF_REGISTER_NOTSUPPORTED;
>     517
>     518         offset = rkcif->match_data->mipi->blocks[block].offset;
> --> 519         reg = rkcif->match_data->mipi->regs_id[id][index];
>     520         if (reg == RKCIF_REGISTER_NOTSUPPORTED)
>     521                 return reg;
>     522
>     523         return offset + reg;
>     524 }
>
> regards,
> dan carpenter