From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Ricardo Ribalda <ribalda@chromium.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Hans Verkuil <hverkuil@kernel.org>,
Nas Chung <nas.chung@chipsnmedia.com>,
Jackson Lee <jackson.lee@chipsnmedia.com>,
Bingbu Cao <bingbu.cao@intel.com>,
Tianshu Qiu <tian.shu.qiu@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Keke Li <keke.li@amlogic.com>, Yong Zhi <yong.zhi@intel.com>,
Jacopo Mondi <jacopo.mondi@ideasonboard.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-staging@lists.linux.dev,
Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Subject: Re: [PATCH v3 1/6] media: v4l2-dev: Add range check for vdev->minor
Date: Wed, 6 May 2026 14:18:38 +0300 [thread overview]
Message-ID: <20260506111838.GL1598374@killaraus.ideasonboard.com> (raw)
In-Reply-To: <CANiDSCtwPC1ihe5u=HuDG0f261zq76=TL90oMqfP8VQ6UK771g@mail.gmail.com>
On Wed, May 06, 2026 at 08:48:06AM +0200, Ricardo Ribalda wrote:
> On Wed, 6 May 2026 at 01:12, Laurent Pinchart wrote:
> > On Mon, May 04, 2026 at 06:54:04AM +0000, Ricardo Ribalda wrote:
> > > If the fixed minor ranges are not properly set we could end up in a
> > > situation where the calculated minor is invalid. Add a check for this in
> > > the code to make it more robust.
> >
> > If it was just for that, we could define the ranges in a way that could
> > not lead to future programmatic errors.
> >
> > > This check also fixes the following false positive smatch warning:
> > >
> > > drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288
> > > drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288
> > > drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288
> > >
> > > Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
> > > ---
> > > drivers/media/v4l2-core/v4l2-dev.c | 5 +++++
> > > 1 file changed, 5 insertions(+)
> > >
> > > diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
> > > index 6ce623a1245a..5516b2bbb08f 100644
> > > --- a/drivers/media/v4l2-core/v4l2-dev.c
> > > +++ b/drivers/media/v4l2-core/v4l2-dev.c
> > > @@ -1032,6 +1032,11 @@ int __video_register_device(struct video_device *vdev,
> > > vdev->minor = i + minor_offset;
> > > vdev->num = nr;
> > >
> > > + if (WARN_ON(vdev->minor >= VIDEO_NUM_DEVICES)) {
> > > + mutex_unlock(&videodev_lock);
> >
> > I may get tempted to convert code to using scoped guards at some point.
> >
> > > + return -EINVAL;
> > > + }
> > > +
> >
> > I'm annoyed by the proliferation of workarounds for smatch false
> > positives that generate useless code :-/ This is in particular is not a
> > big deal though, so
> >
> > Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
> >
> > but I don't want to continue in this direction with every new kernel
> > release. We need a way to tell smatch that this is safe with incurring
> > an runtime cost.
>
> To provide some context, in this release alone we have found two "Fixes:".
>
> Do you have any data regarding the runtime cost of these new checks?
> Most of the time, the compiler simply optimizes them out, so the
> impact is either zero or minimal.
If the compiler can optimize them out, then I expect the static analysis
tools to also get the ability to avoid those false positives.
> The added checks make the code more robust for future refactoring and
> serve as useful documentation.
In this specific case, if we want to make the code more robust, I think
we should have an array of minor offsets and calculate the minor ranges
based on that. It would avoid offsets and ranges getting out of sync. I
don't think it's worth it though, because I don't foresee we will ever
change ranges for the fixed minors case.
> Furthermore, when false positives occur
> in new code, they force the author to write more idiomatic code, which
> improves maintainability.
Up to a point only. Sometimes guarantees are provided in a very remote
place. For instance, control values have ranges that are set when
creating the control, and enforced by the control framework. Adding
range checks to .s_ctrl() is redundant, but I don't expect static
analysis tools to be able to understand that the value is guaranteed to
be within the range (especially given that we support modifying ranges
at runtime). How can we avoid those redundant checks (or mask
operations, as in the mt9p031 patch in this series) ?
> We have a deficit of maintainers, not
> authors.
>
> So, I DO want to continue in this direction. I am very grateful for
> these static analysis tools; they truly make our code more
> maintainable.
I do like smatch a lot, it points out real issues. My concern is that we
have code that offers guarantees in ways that are not visible to static
analysis tools (or to compilers), and having to add more runtime checks
everywhere to silence warning is not nice. Those checks can over time
become redundant (because tools improve, or because we remove the code),
and will likely not be removed because nobody notices.
There's a broader question here of how to connect pieces of code where
one piece offers a guarantee that the other piece depends on, in a way
that can be exposed to tools.
> > > /* Should not happen since we thought this minor was free */
> > > if (WARN_ON(video_devices[vdev->minor])) {
> > > mutex_unlock(&videodev_lock);
> > >
--
Regards,
Laurent Pinchart
next prev parent reply other threads:[~2026-05-06 11:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-04 6:54 [PATCH v3 0/6] media: Fix new smatch warnings Ricardo Ribalda
2026-05-04 6:54 ` [PATCH v3 1/6] media: v4l2-dev: Add range check for vdev->minor Ricardo Ribalda
2026-05-05 23:12 ` Laurent Pinchart
2026-05-06 6:48 ` Ricardo Ribalda
2026-05-06 11:18 ` Laurent Pinchart [this message]
2026-05-06 12:12 ` Ricardo Ribalda
2026-05-04 6:54 ` [PATCH v3 2/6] media: i2c: mt9p031: Rewrite assignment to make smatch happy Ricardo Ribalda
2026-05-05 22:41 ` Laurent Pinchart
2026-05-04 6:54 ` [PATCH v3 3/6] media: i2c: adv7604: Add range checks for chip info Ricardo Ribalda
2026-05-04 6:54 ` [PATCH v3 4/6] media: chips-media: wave5: Add range checks for dec_output_info Ricardo Ribalda
2026-05-04 6:54 ` [PATCH v3 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe Ricardo Ribalda
2026-05-04 6:54 ` [PATCH v3 6/6] media: amlogic-c3: Add validations for ae and awb config Ricardo Ribalda
2026-05-04 7:19 ` Jacopo Mondi
2026-05-05 23:17 ` Laurent Pinchart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260506111838.GL1598374@killaraus.ideasonboard.com \
--to=laurent.pinchart@ideasonboard.com \
--cc=bingbu.cao@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hverkuil@kernel.org \
--cc=jackson.lee@chipsnmedia.com \
--cc=jacopo.mondi@ideasonboard.com \
--cc=keke.li@amlogic.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=mchehab+samsung@kernel.org \
--cc=mchehab@kernel.org \
--cc=nas.chung@chipsnmedia.com \
--cc=ribalda@chromium.org \
--cc=sakari.ailus@linux.intel.com \
--cc=tian.shu.qiu@intel.com \
--cc=yong.zhi@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox