From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
devel@driverdev.osuosl.org,
Sakari Ailus <sakari.ailus@linux.intel.com>
Subject: [PATCH 11/11] media: atomisp: fix size of delay_frames array
Date: Mon, 25 May 2020 08:56:10 +0200 [thread overview]
Message-ID: <0357fca3c06faf1fbae5f33a3fa09420f64aad93.1590389536.git.mchehab+huawei@kernel.org> (raw)
In-Reply-To: <cover.1590389536.git.mchehab+huawei@kernel.org>
Right now, the variables that define the max number of
delay frames is defined as:
#define VIDEO_FRAME_DELAY 2
#define MAX_NUM_VIDEO_DELAY_FRAMES (VIDEO_FRAME_DELAY + 1)
#define NUM_PREVIEW_DVS_FRAMES (2)
#define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)
In other words, we have:
MAX_NUM_VIDEO_DELAY_FRAMES = 3
MAX_NUM_DELAY_FRAMES = 2
The MAX_NUM_DELAY_FRAMES macro is used only only when allocating
memory. On all other parts, including looping over such array,
MAX_NUM_VIDEO_DELAY_FRAMES is used instead, like:
void sh_css_binary_args_reset(struct sh_css_binary_args *args)
{
unsigned int i;
...
for (i = 0; i < MAX_NUM_VIDEO_DELAY_FRAMES; i++)
args->delay_frames[i] = NULL;
Which will cause buffer overflows, with may override the next array
(tnr_frames[]).
In practice, this may not be causing real issues, as the code
checks for num_delay_frames on some parts (but not everywhere).
So, get rid of the smallest value.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
---
drivers/staging/media/atomisp/pci/ia_css_pipe.h | 2 +-
drivers/staging/media/atomisp/pci/sh_css_defs.h | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/staging/media/atomisp/pci/ia_css_pipe.h b/drivers/staging/media/atomisp/pci/ia_css_pipe.h
index 91653952f1a7..9c9e1264feb0 100644
--- a/drivers/staging/media/atomisp/pci/ia_css_pipe.h
+++ b/drivers/staging/media/atomisp/pci/ia_css_pipe.h
@@ -31,7 +31,7 @@ struct ia_css_preview_settings {
struct ia_css_binary vf_pp_binary;
/* 2401 only for these two - do we in fact use them for anything real */
- struct ia_css_frame *delay_frames[MAX_NUM_DELAY_FRAMES];
+ struct ia_css_frame *delay_frames[MAX_NUM_VIDEO_DELAY_FRAMES];
struct ia_css_frame *tnr_frames[NUM_TNR_FRAMES];
struct ia_css_pipe *copy_pipe;
diff --git a/drivers/staging/media/atomisp/pci/sh_css_defs.h b/drivers/staging/media/atomisp/pci/sh_css_defs.h
index fcd5081edf82..d444af82c309 100644
--- a/drivers/staging/media/atomisp/pci/sh_css_defs.h
+++ b/drivers/staging/media/atomisp/pci/sh_css_defs.h
@@ -225,8 +225,6 @@ RGB[0,8191],coef[-8192,8191] -> RGB[0,8191]
#define NUM_VIDEO_TNR_FRAMES 2
-#define MAX_NUM_DELAY_FRAMES MAX(MAX_NUM_VIDEO_DELAY_FRAMES, NUM_PREVIEW_DVS_FRAMES)
-
/* Note that this is the define used to configure all data structures common for all modes */
/* It should be equal or bigger to the max number of DVS frames for all possible modes */
/* Rules: these implement logic shared between the host code and ISP firmware.
--
2.26.2
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next prev parent reply other threads:[~2020-05-25 6:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-25 6:55 [PATCH 00/11] Some fixes and cleanups for atomisp driver Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 01/11] media: atomisp: get rid of hmm_vm.c Mauro Carvalho Chehab
2020-05-27 9:35 ` kbuild test robot
2020-05-25 6:56 ` [PATCH 02/11] media: atomisp: reduce debug printk rate when IRQs are received Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 03/11] media: atomisp: avoid a copy of v4l2_mbus_framefmt at stack Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 04/11] media: atomisp: improve debug messages for set format Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 05/11] media: atomisp: don't flood dmesg with -EAGAIN return codes Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 06/11] media: atomisp: update TODO list Mauro Carvalho Chehab
2020-05-26 7:21 ` Sakari Ailus
2020-05-25 6:56 ` [PATCH 07/11] media: atomisp: get rid of some old broken debug code Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 08/11] media: atomisp: make it use dbg_level to control debug level Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 09/11] media: atomisp: partially get rid of one abstraction layer Mauro Carvalho Chehab
2020-05-26 7:26 ` Sakari Ailus
2020-05-26 8:41 ` Mauro Carvalho Chehab
2020-05-25 6:56 ` [PATCH 10/11] media: atomisp: drop a cast for a const argument Mauro Carvalho Chehab
2020-05-25 6:56 ` Mauro Carvalho Chehab [this message]
2020-05-26 7:35 ` [PATCH 00/11] Some fixes and cleanups for atomisp driver Sakari Ailus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0357fca3c06faf1fbae5f33a3fa09420f64aad93.1590389536.git.mchehab+huawei@kernel.org \
--to=mchehab+huawei@kernel.org \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=sakari.ailus@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).