From patchwork Sun Jun 12 16:05:54 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 83859 Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from ) id 1o0Q6W-000ahv-Sa; Sun, 12 Jun 2022 16:06:21 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232539AbiFLQGT (ORCPT + 1 other); Sun, 12 Jun 2022 12:06:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43106 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231872AbiFLQGR (ORCPT ); Sun, 12 Jun 2022 12:06:17 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 38ED7167E9 for ; Sun, 12 Jun 2022 09:06:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1655049975; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Aov6pXO+yzf9WmB8y7bNLe3J7gyFYKqaeJT3/heNZac=; b=dbrvkfMlNnaLWq2tSvqfp3Rj3XLtUT/JIGvQW/V1emhg65r1aLcbGGG1/opZIboRNTpi8t /fYyvCPam92y+HGEk1sN37x8nmmgMBm8DRY/wYKOSDL5vVilb1/u0847K0SOhlw8/5AJIy VwWWmLiw6fwf56rigU0MMTclhZHEtbM= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-146-oJL0rW8wP4mlEauxzn5S-A-1; Sun, 12 Jun 2022 12:06:08 -0400 X-MC-Unique: oJL0rW8wP4mlEauxzn5S-A-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 2D5901C00AC3; Sun, 12 Jun 2022 16:06:08 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.31]) by smtp.corp.redhat.com (Postfix) with ESMTP id AB25E2166B26; Sun, 12 Jun 2022 16:06:06 +0000 (UTC) From: Hans de Goede To: Mauro Carvalho Chehab , Sakari Ailus Cc: Hans de Goede , Tsuchiya Yuto , Andy Shevchenko , Yury Luneff , Nable , andrey.i.trufanov@gmail.com, Fabio Aiuto , linux-media@vger.kernel.org, linux-staging@lists.linux.dev Subject: [PATCH 1/3] media: atomisp: revert "don't pass a pointer to a local variable" Date: Sun, 12 Jun 2022 18:05:54 +0200 Message-Id: <20220612160556.108264-2-hdegoede@redhat.com> In-Reply-To: <20220612160556.108264-1-hdegoede@redhat.com> References: <20220612160556.108264-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.5 (--) X-LSpam-Report: No, score=-2.5 required=5.0 tests=BAYES_00=-1.9,DKIMWL_WL_HIGH=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1 autolearn=ham autolearn_force=no The gcc is warning about returning a pointer to a local variable is a false positive. The type of handle is "struct ia_css_rmgr_vbuf_handle **" and "h.vptr" is left to NULL, so the "if ((*handle)->vptr == 0x0)" check always succeeds when the "*handle = &h;" statement which gcc warns about executes. Leading to this statement being executed: rmgr_pop_handle(pool, handle); If that succeeds, then *handle has been set to point to one of the pre-allocated array of handles, so it no longer points to h. If that fails the following statement will be executed: /* Note that handle will change to an internally maintained one */ ia_css_rmgr_refcount_retain_vbuf(handle); Which allocated a new handle from the array of pre-allocated handles and then makes *handle point to this. So the address of h is actually never returned. The fix for the false-postive compiler warning actually breaks the code, the new: **handle = h; is part of a "if (pool->copy_on_write) { ... }" which means that the handle where *handle points to should be treated read-only, IOW **handle must never be set, instead *handle must be set to point to a new handle (with a copy of the contents of the old handle). The old code correctly did this and the new fixed code gets this wrong. Note there is another patch in this series, which fixes the warning in another way. Fixes: fa1451374ebf ("media: atomisp: don't pass a pointer to a local variable") Signed-off-by: Hans de Goede --- .../staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c index 39604752785b..d96aaa4bc75d 100644 --- a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c +++ b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c @@ -254,7 +254,7 @@ void rmgr_pop_handle(struct ia_css_rmgr_vbuf_pool *pool, void ia_css_rmgr_acq_vbuf(struct ia_css_rmgr_vbuf_pool *pool, struct ia_css_rmgr_vbuf_handle **handle) { - struct ia_css_rmgr_vbuf_handle h = { 0 }; + struct ia_css_rmgr_vbuf_handle h; if ((!pool) || (!handle) || (!*handle)) { IA_CSS_LOG("Invalid inputs"); @@ -272,7 +272,7 @@ void ia_css_rmgr_acq_vbuf(struct ia_css_rmgr_vbuf_pool *pool, h.size = (*handle)->size; /* release ref to current buffer */ ia_css_rmgr_refcount_release_vbuf(handle); - **handle = h; + *handle = &h; } /* get new buffer for needed size */ if ((*handle)->vptr == 0x0) { From patchwork Sun Jun 12 16:05:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 83857 Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from ) id 1o0Q6T-000ahv-RG; Sun, 12 Jun 2022 16:06:18 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231368AbiFLQGQ (ORCPT + 1 other); Sun, 12 Jun 2022 12:06:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42978 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229452AbiFLQGP (ORCPT ); Sun, 12 Jun 2022 12:06:15 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E0124167E9 for ; Sun, 12 Jun 2022 09:06:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1655049974; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=R24OZyQrcyRhkFauw7Kvxld/7xBF8Aox8sK8q+KrwDE=; b=AGnVtL2Jcqvrto5pAjKN337ejQsbBaxlzbddziM+QNndLB8uYMHDGwidKxZacl8VrgG69w IufkwSEiwU1HLTcplN1Tu9AwYJKDXIyFSMltDfcQaOwG2ZzaO0UN4B8OHPntPgZKVh97LA NnJYdvEX8OKJz/9il8awICJjYDwVths= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-479-cS-ftVLbP0CtG_BAQxVgzA-1; Sun, 12 Jun 2022 12:06:10 -0400 X-MC-Unique: cS-ftVLbP0CtG_BAQxVgzA-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id DC87D803B22; Sun, 12 Jun 2022 16:06:09 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.31]) by smtp.corp.redhat.com (Postfix) with ESMTP id 62CDB2166B26; Sun, 12 Jun 2022 16:06:08 +0000 (UTC) From: Hans de Goede To: Mauro Carvalho Chehab , Sakari Ailus Cc: Hans de Goede , Tsuchiya Yuto , Andy Shevchenko , Yury Luneff , Nable , andrey.i.trufanov@gmail.com, Fabio Aiuto , linux-media@vger.kernel.org, linux-staging@lists.linux.dev Subject: [PATCH 2/3] media: atomisp: fix uninitialized stack mem usage in ia_css_rmgr_acq_vbuf() Date: Sun, 12 Jun 2022 18:05:55 +0200 Message-Id: <20220612160556.108264-3-hdegoede@redhat.com> In-Reply-To: <20220612160556.108264-1-hdegoede@redhat.com> References: <20220612160556.108264-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.5 (--) X-LSpam-Report: No, score=-2.5 required=5.0 tests=BAYES_00=-1.9,DKIMWL_WL_HIGH=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1 autolearn=ham autolearn_force=no When ia_css_rmgr_acq_vbuf() enters the code path where it uses the local "struct ia_css_rmgr_vbuf_handle v" on the stack it relies on v.count==0 so that ia_css_rmgr_refcount_retain_vbuf allocates a new handle. Explicitly set v.count to 0 rather then it being whatever was on the stack. Signed-off-by: Hans de Goede --- drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c index d96aaa4bc75d..afe2d22c603f 100644 --- a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c +++ b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c @@ -254,7 +254,7 @@ void rmgr_pop_handle(struct ia_css_rmgr_vbuf_pool *pool, void ia_css_rmgr_acq_vbuf(struct ia_css_rmgr_vbuf_pool *pool, struct ia_css_rmgr_vbuf_handle **handle) { - struct ia_css_rmgr_vbuf_handle h; + struct ia_css_rmgr_vbuf_handle h = { 0 }; if ((!pool) || (!handle) || (!*handle)) { IA_CSS_LOG("Invalid inputs"); From patchwork Sun Jun 12 16:05:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Hans de Goede X-Patchwork-Id: 83858 Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from ) id 1o0Q6V-000ahv-UM; Sun, 12 Jun 2022 16:06:20 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232086AbiFLQGR (ORCPT + 1 other); Sun, 12 Jun 2022 12:06:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231713AbiFLQGQ (ORCPT ); Sun, 12 Jun 2022 12:06:16 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7B7AB48E7A for ; Sun, 12 Jun 2022 09:06:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1655049974; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A13Tgu0+0ldCSVdWWfytuoNL33R3vDWsMrOpJ8spRz0=; b=hWqHIxzOAfoVO4MSs0PJcPaywyJgL76TowZpsLmdV4vagoaQ1C9uA1m97yDTjTlG26rRk0 tD2r78Q7dX48XbMcXcAB8uzZSfU0jb8VISWdKqUQoFqm9IlWZ7rlWrgjYzlgKfGWoeMzVd cKxel8hci8374NVqNU/d+rEnrsps/fQ= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-252-er6C63x5PPejAU2D68HPYQ-1; Sun, 12 Jun 2022 12:06:12 -0400 X-MC-Unique: er6C63x5PPejAU2D68HPYQ-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9AE2B801E67; Sun, 12 Jun 2022 16:06:11 +0000 (UTC) Received: from localhost.localdomain (unknown [10.39.192.31]) by smtp.corp.redhat.com (Postfix) with ESMTP id 219BD2166B26; Sun, 12 Jun 2022 16:06:10 +0000 (UTC) From: Hans de Goede To: Mauro Carvalho Chehab , Sakari Ailus Cc: Hans de Goede , Tsuchiya Yuto , Andy Shevchenko , Yury Luneff , Nable , andrey.i.trufanov@gmail.com, Fabio Aiuto , linux-media@vger.kernel.org, linux-staging@lists.linux.dev Subject: [PATCH 3/3] media: atomisp: fix -Wdangling-pointer warning Date: Sun, 12 Jun 2022 18:05:56 +0200 Message-Id: <20220612160556.108264-4-hdegoede@redhat.com> In-Reply-To: <20220612160556.108264-1-hdegoede@redhat.com> References: <20220612160556.108264-1-hdegoede@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.5 (--) X-LSpam-Report: No, score=-2.5 required=5.0 tests=BAYES_00=-1.9,DKIMWL_WL_HIGH=0.001,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1 autolearn=ham autolearn_force=no ia_css_rmgr_acq_vbuf() uses a local on stack "struct ia_css_rmgr_vbuf_handle v" variable. When this path using this is hit, either the rmgr_pop_handle() call will make *handle point to another vbuf-handle, or because v.count == 0, ia_css_rmgr_refcount_retain_vbuf() will alloc a new vbuf-handle and make *handle point to it. So on leaving the function *handle will never point to the on stack vbuf-handle, but gcc does not know this and emits the following: drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c: In function ‘ia_css_rmgr_acq_vbuf’: drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c:276:33: warning: storing the address of local variable ‘h’ in ‘*handle’ [-Wdangling-pointer=] 276 | *handle = &h; | ~~~~~~~~^~~~ drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c:257:40: note: ‘h’ declared here 257 | struct ia_css_rmgr_vbuf_handle h; | ^ drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c:257:40: note: ‘handle’ declared here Rework the code using a new_handle helper to suppress this false-postive compiler warning. Signed-off-by: Hans de Goede --- .../atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c index afe2d22c603f..b84c6cff1499 100644 --- a/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c +++ b/drivers/staging/media/atomisp/pci/runtime/rmgr/src/rmgr_vbuf.c @@ -254,14 +254,15 @@ void rmgr_pop_handle(struct ia_css_rmgr_vbuf_pool *pool, void ia_css_rmgr_acq_vbuf(struct ia_css_rmgr_vbuf_pool *pool, struct ia_css_rmgr_vbuf_handle **handle) { - struct ia_css_rmgr_vbuf_handle h = { 0 }; - if ((!pool) || (!handle) || (!*handle)) { IA_CSS_LOG("Invalid inputs"); return; } if (pool->copy_on_write) { + struct ia_css_rmgr_vbuf_handle *new_handle; + struct ia_css_rmgr_vbuf_handle h = { 0 }; + /* only one reference, reuse (no new retain) */ if ((*handle)->count == 1) return; @@ -272,23 +273,30 @@ void ia_css_rmgr_acq_vbuf(struct ia_css_rmgr_vbuf_pool *pool, h.size = (*handle)->size; /* release ref to current buffer */ ia_css_rmgr_refcount_release_vbuf(handle); - *handle = &h; + new_handle = &h; + } else { + new_handle = *handle; } /* get new buffer for needed size */ - if ((*handle)->vptr == 0x0) { + if (new_handle->vptr == 0x0) { if (pool->recycle) { /* try and pop from pool */ - rmgr_pop_handle(pool, handle); + rmgr_pop_handle(pool, &new_handle); } - if ((*handle)->vptr == 0x0) { + if (new_handle->vptr == 0x0) { /* we need to allocate */ - (*handle)->vptr = hmm_alloc((*handle)->size, + new_handle->vptr = hmm_alloc(new_handle->size, HMM_BO_PRIVATE, 0, NULL, 0); } else { /* we popped a buffer */ + *handle = new_handle; return; } } + /* Note that new_handle will change to an internally maintained one */ + ia_css_rmgr_refcount_retain_vbuf(&new_handle); + *handle = new_handle; + return; } /* Note that handle will change to an internally maintained one */ ia_css_rmgr_refcount_retain_vbuf(handle);