public inbox for linux-tegra@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] staging: media: tegra-video: fix wrong return type in tegra_get_format_fourcc_by_idx()
@ 2026-04-11 21:10 Alexandru Hossu
  2026-04-11 21:10 ` [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init() Alexandru Hossu
  0 siblings, 1 reply; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-11 21:10 UTC (permalink / raw)
  To: Thierry Reding, Sowjanya Komatineni
  Cc: Jonathan Hunter, Luca Ceresoli, Mauro Carvalho Chehab,
	Greg Kroah-Hartman, linux-media, linux-tegra, linux-staging,
	linux-kernel, Alexandru Hossu

The function is declared to return u32, but returns -EINVAL on the error
path. Due to implicit conversion, -EINVAL (-22) becomes 0xFFFFFFEA as u32,
which is an invalid V4L2 pixel format value.

The caller tegra_channel_enum_format() assigns this garbage value directly
to f->pixelformat and returns 0 (success) to userspace via VIDIOC_ENUM_FMT,
giving applications a silently wrong format descriptor instead of an error.

Fix this by changing the return type to int and propagating the error
correctly in the caller.

Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
 drivers/staging/media/tegra-video/vi.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index 9c0b38585d63..afc7327ef318 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -77,13 +77,13 @@ static int tegra_get_format_idx_by_code(struct tegra_vi *vi,
 	return -1;
 }
 
-static u32 tegra_get_format_fourcc_by_idx(struct tegra_vi *vi,
+static int tegra_get_format_fourcc_by_idx(struct tegra_vi *vi,
 					  unsigned int index)
 {
 	if (index >= vi->soc->nformats)
 		return -EINVAL;
 
-	return vi->soc->video_formats[index].fourcc;
+	return (int)vi->soc->video_formats[index].fourcc;
 }
 
 static const struct tegra_video_format *
@@ -395,6 +395,7 @@ static int tegra_channel_enum_format(struct file *file, void *fh,
 	struct tegra_vi_channel *chan = video_drvdata(file);
 	unsigned int index = 0, i;
 	unsigned long *fmts_bitmap = chan->tpg_fmts_bitmap;
+	int ret;
 
 	if (!IS_ENABLED(CONFIG_VIDEO_TEGRA_TPG))
 		fmts_bitmap = chan->fmts_bitmap;
@@ -405,7 +406,11 @@ static int tegra_channel_enum_format(struct file *file, void *fh,
 	for (i = 0; i < f->index + 1; i++, index++)
 		index = find_next_bit(fmts_bitmap, MAX_FORMAT_NUM, index);
 
-	f->pixelformat = tegra_get_format_fourcc_by_idx(chan->vi, index - 1);
+	ret = tegra_get_format_fourcc_by_idx(chan->vi, index - 1);
+	if (ret < 0)
+		return ret;
+
+	f->pixelformat = ret;
 
 	return 0;
 }
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init()
  2026-04-11 21:10 [PATCH 1/2] staging: media: tegra-video: fix wrong return type in tegra_get_format_fourcc_by_idx() Alexandru Hossu
@ 2026-04-11 21:10 ` Alexandru Hossu
  2026-04-12  4:52   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-11 21:10 UTC (permalink / raw)
  To: Thierry Reding, Sowjanya Komatineni
  Cc: Jonathan Hunter, Luca Ceresoli, Mauro Carvalho Chehab,
	Greg Kroah-Hartman, linux-media, linux-tegra, linux-staging,
	linux-kernel, Alexandru Hossu

tegra_get_format_idx_by_code() returns -1 when the requested format is
not found in the SoC format table. vi_tpg_fmts_bitmap_init() does not
check this return value before passing it to bitmap_set(). A negative
index converted to unsigned would result in an out-of-bounds memory
access, corrupting adjacent kernel memory.

Add WARN_ON() guards so that any future SoC addition or Kconfig change
that exposes this path fails loudly rather than silently corrupting memory.

Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
 drivers/staging/media/tegra-video/vi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index afc7327ef318..e6416ea8503e 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -1025,11 +1025,15 @@ static void vi_tpg_fmts_bitmap_init(struct tegra_vi_channel *chan)
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_SRGGB10_1X10, 0);
+	if (WARN_ON(index < 0))
+		return;
 	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_RGB888_1X32_PADHI,
 					     0);
+	if (WARN_ON(index < 0))
+		return;
 	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
 }
 
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init()
  2026-04-11 21:10 ` [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init() Alexandru Hossu
@ 2026-04-12  4:52   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-12  4:52 UTC (permalink / raw)
  To: Alexandru Hossu
  Cc: Thierry Reding, Sowjanya Komatineni, Jonathan Hunter,
	Luca Ceresoli, Mauro Carvalho Chehab, linux-media, linux-tegra,
	linux-staging, linux-kernel

On Sat, Apr 11, 2026 at 11:10:05PM +0200, Alexandru Hossu wrote:
> tegra_get_format_idx_by_code() returns -1 when the requested format is
> not found in the SoC format table. vi_tpg_fmts_bitmap_init() does not
> check this return value before passing it to bitmap_set(). A negative
> index converted to unsigned would result in an out-of-bounds memory
> access, corrupting adjacent kernel memory.
> 
> Add WARN_ON() guards so that any future SoC addition or Kconfig change
> that exposes this path fails loudly rather than silently corrupting memory.

That is not "failing" that is "rebooting the box and loosing all of the
user's data" for when panic-on-warn is set, that will happen.

Please don't do that, if this can be handled by logic, then handle it,
report the error, and move on.  Don't crash systems.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init()
       [not found] <20260412045245.GA2019381@kroah.com>
@ 2026-04-12  8:48 ` Alexandru Hossu
  0 siblings, 0 replies; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-12  8:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Thierry Reding, Sowjanya Komatineni
  Cc: Jonathan Hunter, Luca Ceresoli, Mauro Carvalho Chehab,
	linux-media, linux-tegra, linux-staging, linux-kernel,
	Alexandru Hossu

tegra_get_format_idx_by_code() returns -1 when the requested format is
not found in the SoC format table. vi_tpg_fmts_bitmap_init() does not
check this return value before passing it to bitmap_set(). A negative
index converted to unsigned would result in an out-of-bounds memory
access, corrupting adjacent kernel memory.

Add WARN_ON() guards so that any future SoC addition or Kconfig change
that exposes this path fails loudly rather than silently corrupting memory.

Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
 drivers/staging/media/tegra-video/vi.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/tegra-video/vi.c b/drivers/staging/media/tegra-video/vi.c
index afc7327ef318..d1d934e361f7 100644
--- a/drivers/staging/media/tegra-video/vi.c
+++ b/drivers/staging/media/tegra-video/vi.c
@@ -1017,7 +1017,7 @@ static int tegra_channel_setup_ctrl_handler(struct tegra_vi_channel *chan)
 }
 
 /* VI only support 2 formats in TPG mode */
-static void vi_tpg_fmts_bitmap_init(struct tegra_vi_channel *chan)
+static int vi_tpg_fmts_bitmap_init(struct tegra_vi_channel *chan)
 {
 	int index;
 
@@ -1025,12 +1025,22 @@ static void vi_tpg_fmts_bitmap_init(struct tegra_vi_channel *chan)
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_SRGGB10_1X10, 0);
+	if (index < 0) {
+		dev_err(chan->vi->dev, "format SRGGB10_1X10 not found\n");
+		return -EINVAL;
+	}
 	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
 
 	index = tegra_get_format_idx_by_code(chan->vi,
 					     MEDIA_BUS_FMT_RGB888_1X32_PADHI,
 					     0);
+	if (index < 0) {
+		dev_err(chan->vi->dev, "format RGB888_1X32_PADHI not found\n");
+		return -EINVAL;
+	}
 	bitmap_set(chan->tpg_fmts_bitmap, index, 1);
+
+	return 0;
 }
 
 static int vi_fmts_bitmap_init(struct tegra_vi_channel *chan)
@@ -1410,7 +1420,9 @@ int tegra_v4l2_nodes_setup_tpg(struct tegra_video_device *vid)
 			goto cleanup;
 
 		v4l2_set_subdev_hostdata(&csi_chan->subdev, vi_chan);
-		vi_tpg_fmts_bitmap_init(vi_chan);
+		ret = vi_tpg_fmts_bitmap_init(vi_chan);
+		if (ret < 0)
+			goto cleanup;
 		csi_chan = list_next_entry(csi_chan, list);
 	}
 
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-12  8:49 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-11 21:10 [PATCH 1/2] staging: media: tegra-video: fix wrong return type in tegra_get_format_fourcc_by_idx() Alexandru Hossu
2026-04-11 21:10 ` [PATCH 2/2] staging: media: tegra-video: add missing error checks in vi_tpg_fmts_bitmap_init() Alexandru Hossu
2026-04-12  4:52   ` Greg Kroah-Hartman
     [not found] <20260412045245.GA2019381@kroah.com>
2026-04-12  8:48 ` Alexandru Hossu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox