]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 79aef69)
media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe
authorRicardo Ribalda <ribalda@chromium.org>
Thu, 7 May 2026 20:58:10 +0000 (20:58 +0000)
committerHans Verkuil <hverkuil+cisco@kernel.org>
Tue, 12 May 2026 07:39:02 +0000 (09:39 +0200)
If the driver's stripe information is invalid it can result in an integer
underflow. Add a range check to avoid this kind of error.

This patch fixes the following smatch error:
drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe() warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit into 65535 'acc->stripe.bds_out_stripes[1]->offset'

Cc: stable@vger.kernel.org
Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/staging/media/ipu3/ipu3-css-params.c patch | blob | blame | history

diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging/media/ipu3/ipu3-css-params.c
index 2c48d57a3180f855cd9e9c0cd525d82367b2db8e..92cce31e35c5de6618fad6b92e2c1bec367db639 100644 (file)
--- a/drivers/staging/media/ipu3/ipu3-css-params.c
+++ b/drivers/staging/media/ipu3/ipu3-css-params.c
@@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *css, unsigned int pipe,
                acc->stripe.bds_out_stripes[0].width =
                        ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f);
        } else {
+               u32 offset;
+
                /* Image processing is divided into two stripes */
                acc->stripe.bds_out_stripes[0].width =
                        acc->stripe.bds_out_stripes[1].width =
@@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *css, unsigned int pipe,
                        acc->stripe.bds_out_stripes[1].width += f;
                }
                /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */
-               acc->stripe.bds_out_stripes[1].offset =
-                       acc->stripe.bds_out_stripes[0].width - 2 * f;
+               offset = acc->stripe.bds_out_stripes[0].width - 2 * f;
+               if (offset > 65535)
+                       return -EINVAL;
+               acc->stripe.bds_out_stripes[1].offset = offset;
        }
 
        acc->stripe.effective_stripes[0].height =
A mirror of Linus' kernel repository