media: vidtv: fix pass-by-value structs causing MSAN warnings

vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their
argument structs by value, causing MSAN to report uninit-value warnings.
While only vidtv_ts_null_write_into() has triggered a report so far,
both functions share the same issue.

Fix by passing both structs by const pointer instead, avoiding the
stack copy of the struct along with its MSAN shadow and origin metadata.
The functions do not modify the structs, which is enforced by the const
qualifier.

Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96f901260a0b2d29cd1a
Tested-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
Suggested-by: Yihan Ding <dingyihan@uniontech.com>
Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

diff --git a/drivers/media/test-drivers/vidtv/vidtv_mux.c b/drivers/media/test-drivers/vidtv/vidtv_mux.c
index 403fbedb86636015347be7f9fc1ea1f96dc29bb7..f0134e38a1fb8dfadafd1c4f0842a2d880cd1b55 100644 (file)
--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
@@ -233,7 +233,7 @@ static u32 vidtv_mux_push_pcr(struct vidtv_mux *m)
        /* the 27Mhz clock will feed both parts of the PCR bitfield */
        args.pcr = m->timing.clk;
 
-       nbytes += vidtv_ts_pcr_write_into(args);
+       nbytes += vidtv_ts_pcr_write_into(&args);
        m->mux_buf_offset += nbytes;
 
        m->num_streamed_pcr++;
@@ -363,7 +363,7 @@ static u32 vidtv_mux_pad_with_nulls(struct vidtv_mux *m, u32 npkts)
        args.continuity_counter = &ctx->cc;
 
        for (i = 0; i < npkts; ++i) {
-               m->mux_buf_offset += vidtv_ts_null_write_into(args);
+               m->mux_buf_offset += vidtv_ts_null_write_into(&args);
                args.dest_offset  = m->mux_buf_offset;
        }
 

diff --git a/drivers/media/test-drivers/vidtv/vidtv_ts.c b/drivers/media/test-drivers/vidtv/vidtv_ts.c
index ca4bb9c40b78ef12e6116965942cc36c3f536408..cbe9aff9ffb56431e9aba0c3d40a76d698eace27 100644 (file)
--- a/drivers/media/test-drivers/vidtv/vidtv_ts.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_ts.c
@@ -48,7 +48,7 @@ void vidtv_ts_inc_cc(u8 *continuity_counter)
                *continuity_counter = 0;
 }
 
-u32 vidtv_ts_null_write_into(struct null_packet_write_args args)
+u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args)
 {
        u32 nbytes = 0;
        struct vidtv_mpeg_ts ts_header = {};
@@ -56,21 +56,21 @@ u32 vidtv_ts_null_write_into(struct null_packet_write_args args)
        ts_header.sync_byte          = TS_SYNC_BYTE;
        ts_header.bitfield           = cpu_to_be16(TS_NULL_PACKET_PID);
        ts_header.payload            = 1;
-       ts_header.continuity_counter = *args.continuity_counter;
+       ts_header.continuity_counter = *args->continuity_counter;
 
        /* copy TS header */
-       nbytes += vidtv_memcpy(args.dest_buf,
-                              args.dest_offset + nbytes,
-                              args.buf_sz,
+       nbytes += vidtv_memcpy(args->dest_buf,
+                              args->dest_offset + nbytes,
+                              args->buf_sz,
                               &ts_header,
                               sizeof(ts_header));
 
-       vidtv_ts_inc_cc(args.continuity_counter);
+       vidtv_ts_inc_cc(args->continuity_counter);
 
        /* fill the rest with empty data */
-       nbytes += vidtv_memset(args.dest_buf,
-                              args.dest_offset + nbytes,
-                              args.buf_sz,
+       nbytes += vidtv_memset(args->dest_buf,
+                              args->dest_offset + nbytes,
+                              args->buf_sz,
                               TS_FILL_BYTE,
                               TS_PACKET_LEN - nbytes);
 
@@ -83,17 +83,17 @@ u32 vidtv_ts_null_write_into(struct null_packet_write_args args)
        return nbytes;
 }
 
-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args)
+u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args)
 {
        u32 nbytes = 0;
        struct vidtv_mpeg_ts ts_header = {};
        struct vidtv_mpeg_ts_adaption ts_adap = {};
 
        ts_header.sync_byte     = TS_SYNC_BYTE;
-       ts_header.bitfield      = cpu_to_be16(args.pid);
+       ts_header.bitfield      = cpu_to_be16(args->pid);
        ts_header.scrambling    = 0;
        /* cc is not incremented, but it is needed. see 13818-1 clause 2.4.3.3 */
-       ts_header.continuity_counter = *args.continuity_counter;
+       ts_header.continuity_counter = *args->continuity_counter;
        ts_header.payload            = 0;
        ts_header.adaptation_field   = 1;
 
@@ -102,27 +102,27 @@ u32 vidtv_ts_pcr_write_into(struct pcr_write_args args)
        ts_adap.PCR    = 1;
 
        /* copy TS header */
-       nbytes += vidtv_memcpy(args.dest_buf,
-                              args.dest_offset + nbytes,
-                              args.buf_sz,
+       nbytes += vidtv_memcpy(args->dest_buf,
+                              args->dest_offset + nbytes,
+                              args->buf_sz,
                               &ts_header,
                               sizeof(ts_header));
 
        /* write the adap after the TS header */
-       nbytes += vidtv_memcpy(args.dest_buf,
-                              args.dest_offset + nbytes,
-                              args.buf_sz,
+       nbytes += vidtv_memcpy(args->dest_buf,
+                              args->dest_offset + nbytes,
+                              args->buf_sz,
                               &ts_adap,
                               sizeof(ts_adap));
 
        /* write the PCR optional */
-       nbytes += vidtv_ts_write_pcr_bits(args.dest_buf,
-                                         args.dest_offset + nbytes,
-                                         args.pcr);
+       nbytes += vidtv_ts_write_pcr_bits(args->dest_buf,
+                                         args->dest_offset + nbytes,
+                                         args->pcr);
 
-       nbytes += vidtv_memset(args.dest_buf,
-                              args.dest_offset + nbytes,
-                              args.buf_sz,
+       nbytes += vidtv_memset(args->dest_buf,
+                              args->dest_offset + nbytes,
+                              args->buf_sz,
                               TS_FILL_BYTE,
                               TS_PACKET_LEN - nbytes);
 

diff --git a/drivers/media/test-drivers/vidtv/vidtv_ts.h b/drivers/media/test-drivers/vidtv/vidtv_ts.h
index 09b4ffd0282921f55aae2dd8484684da0a837f68..3606398e160d9f16a177f11d70d021adf4add7aa 100644 (file)
--- a/drivers/media/test-drivers/vidtv/vidtv_ts.h
+++ b/drivers/media/test-drivers/vidtv/vidtv_ts.h
@@ -90,7 +90,7 @@ void vidtv_ts_inc_cc(u8 *continuity_counter);
  *
  * Return: The number of bytes written into the buffer.
  */
-u32 vidtv_ts_null_write_into(struct null_packet_write_args args);
+u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args);
 
 /**
  * vidtv_ts_pcr_write_into - Write a PCR  packet into a buffer.
@@ -101,6 +101,6 @@ u32 vidtv_ts_null_write_into(struct null_packet_write_args args);
  *
  * Return: The number of bytes written into the buffer.
  */
-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args);
+u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args);
 
 #endif //VIDTV_TS_H