media: v4l2-dev: Add range check for vdev->minor

If the fixed minor ranges are not properly set we could end up in a
situation where the calculated minor is invalid. Add a check for this in
the code to make it more robust.

This check also fixes the following false positive smatch warning:

drivers/media/v4l2-core/v4l2-dev.c:1036 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288
drivers/media/v4l2-core/v4l2-dev.c:1043 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288
drivers/media/v4l2-core/v4l2-dev.c:1101 __video_register_device() error: buffer overflow 'video_devices' 256 <= 288

Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
index 6ce623a1245a457a6653afad2c4067c84503f592..5516b2bbb08f094d72b2f08fc49802a49f0b7eb3 100644 (file)
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -1032,6 +1032,11 @@ int __video_register_device(struct video_device *vdev,
        vdev->minor = i + minor_offset;
        vdev->num = nr;
 
+       if (WARN_ON(vdev->minor >= VIDEO_NUM_DEVICES)) {
+               mutex_unlock(&videodev_lock);
+               return -EINVAL;
+       }
+
        /* Should not happen since we thought this minor was free */
        if (WARN_ON(video_devices[vdev->minor])) {
                mutex_unlock(&videodev_lock);