Re: [PATCH v2 5/6] media: staging: ipu3-imgu: Add range check for imgu_css_cfg_acc_stripe

From: Sakari Ailus

Date: Mon May 04 2026 - 04:24:01 EST


Hi Ricardo,

On Fri, May 01, 2026 at 11:32:50AM +0000, Ricardo Ribalda wrote:
> If the driver's stripe information is invalid it can result in an integer
> overflow. Add a range check with a WARN_ON to expose this kind of
> error.

This would be an underflow, not overflow. There's also no longer a
WARN_ON() here.

I presume this might not be the only such issue in the driver.

>
> This patch fixes the following smatch error:
> drivers/staging/media/ipu3/ipu3-css-params.c:1792 imgu_css_cfg_acc_stripe() warn: 'acc->stripe.bds_out_stripes[0]->width - 2 * f' 4294967168 can't fit into 65535 'acc->stripe.bds_out_stripes[1]->offset'
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
> Signed-off-by: Ricardo Ribalda <ribalda@xxxxxxxxxxxx>
> ---
> drivers/staging/media/ipu3/ipu3-css-params.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging/media/ipu3/ipu3-css-params.c
> index 2c48d57a3180..92cce31e35c5 100644
> --- a/drivers/staging/media/ipu3/ipu3-css-params.c
> +++ b/drivers/staging/media/ipu3/ipu3-css-params.c
> @@ -1770,6 +1770,8 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *css, unsigned int pipe,
> acc->stripe.bds_out_stripes[0].width =
> ALIGN(css_pipe->rect[IPU3_CSS_RECT_BDS].width, f);
> } else {
> + u32 offset;
> +
> /* Image processing is divided into two stripes */
> acc->stripe.bds_out_stripes[0].width =
> acc->stripe.bds_out_stripes[1].width =
> @@ -1788,8 +1790,10 @@ static int imgu_css_cfg_acc_stripe(struct imgu_css *css, unsigned int pipe,
> acc->stripe.bds_out_stripes[1].width += f;
> }
> /* Overlap between stripes is IPU3_UAPI_ISP_VEC_ELEMS * 4 */
> - acc->stripe.bds_out_stripes[1].offset =
> - acc->stripe.bds_out_stripes[0].width - 2 * f;
> + offset = acc->stripe.bds_out_stripes[0].width - 2 * f;
> + if (offset > 65535)
> + return -EINVAL;
> + acc->stripe.bds_out_stripes[1].offset = offset;
> }
>
> acc->stripe.effective_stripes[0].height =
>
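Review bot: `if (offset > 65535)` in the else branch catches an invalid stripe width only indirectly, through u32 wraparound of `acc->stripe.bds_out_stripes[0].width - 2 * f`, and it uses a bare constant for the limit of the offset field. Testing `acc->stripe.bds_out_stripes[0].width < 2 * f` before the subtraction and writing the upper bound as U16_MAX would state the intent directly. The commit message still describes a WARN_ON, while the hunk returns -EINVAL with no diagnostic, so the message and the code should be brought in line. The return is also reached after both `bds_out_stripes[].width` fields have been written, which deserves a short comment on whether acc may be left partially filled on failure.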

--
Regards,

Sakari Ailus
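
The wraparound discussed in this thread, as an added example that is not part of the original message or of the ipu3 driver: the function names are hypothetical, and the inputs (width 0, f = 64) are constructed so that the subtraction reproduces the 4294967168 from the smatch warning. It shows the raw 32-bit result, the value a 16-bit offset field would silently receive without a check, and a variant that rejects the input before subtracting.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Raw 32-bit result of "width - 2 * f", the expression smatch evaluates. */
uint32_t stripe1_offset_raw(uint32_t width0, uint32_t f)
{
	return width0 - 2 * f;	/* wraps modulo 2^32 when width0 < 2 * f */
}

/* Without a range check the wrapped value is truncated to the 16-bit field. */
uint16_t stripe1_offset_unchecked(uint32_t width0, uint32_t f)
{
	return (uint16_t)stripe1_offset_raw(width0, f);
}

/* Checked variant: validate first, so no wrapped value is ever produced. */
int stripe1_offset_checked(uint32_t width0, uint32_t f, uint16_t *offset)
{
	uint32_t overlap;

	if (f > UINT32_MAX / 2)		/* 2 * f itself must not wrap */
		return -EINVAL;
	overlap = 2 * f;
	if (width0 < overlap)		/* would underflow */
		return -EINVAL;
	if (width0 - overlap > UINT16_MAX)	/* would not fit the field */
		return -EINVAL;
	*offset = (uint16_t)(width0 - overlap);
	return 0;
}

int main(void)
{
	uint16_t off = 0;
	int ret;

	/* Constructed inputs: a zero stripe width with f = 64. */
	printf("raw=%u truncated=%u\n",
	       (unsigned int)stripe1_offset_raw(0, 64),
	       (unsigned int)stripe1_offset_unchecked(0, 64));
	printf("checked(0, 64) = %d\n", stripe1_offset_checked(0, 64, &off));
	ret = stripe1_offset_checked(1280, 64, &off);
	printf("checked(1280, 64) = %d, offset = %u\n", ret, (unsigned int)off);
	return 0;
}
```

The truncated value is a plausible-looking 16-bit offset, which is why the unchecked form fails silently instead of producing an obviously broken configuration.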