[bug report] media: raspberrypi: Add support for PiSP BE

[Dan Carpenter]

Hello Naushir Patuck,

Commit 12187bd5d4f8 ("media: raspberrypi: Add support for PiSP BE")
from Jun 26, 2024 (linux-next), leads to the following Smatch static
checker warning:

	drivers/media/platform/raspberrypi/pisp_be/pisp_be.c:1127 pispbe_try_format()
	error: undefined (user controlled) shift '(((1))) << (f->fmt.pix_mp.colorspace)'

drivers/media/platform/raspberrypi/pisp_be/pisp_be.c
    1093 static void pispbe_try_format(struct v4l2_format *f, struct pispbe_node *node)
    1094 {
    1095         struct pispbe_dev *pispbe = node->pispbe;
    1096         u32 pixfmt = f->fmt.pix_mp.pixelformat;
    1097         const struct pisp_be_format *fmt;
    1098         bool is_rgb;
    1099 
    1100         dev_dbg(pispbe->dev,
    1101                 "%s: [%s] req %ux%u %p4cc, planes %d\n",
    1102                 __func__, NODE_NAME(node), f->fmt.pix_mp.width,
    1103                 f->fmt.pix_mp.height, &pixfmt,
    1104                 f->fmt.pix_mp.num_planes);
    1105 
    1106         fmt = pispbe_find_fmt(pixfmt);
    1107         if (!fmt) {
    1108                 dev_dbg(pispbe->dev,
    1109                         "%s: [%s] Format not found, defaulting to YUV420\n",
    1110                         __func__, NODE_NAME(node));
    1111                 fmt = pispbe_find_fmt(V4L2_PIX_FMT_YUV420);
    1112         }
    1113 
    1114         f->fmt.pix_mp.pixelformat = fmt->fourcc;
    1115         f->fmt.pix_mp.num_planes = fmt->num_planes;
    1116         f->fmt.pix_mp.field = V4L2_FIELD_NONE;
    1117         f->fmt.pix_mp.width = max(min(f->fmt.pix_mp.width, 65536u),
    1118                                   PISP_BACK_END_MIN_TILE_WIDTH);
    1119         f->fmt.pix_mp.height = max(min(f->fmt.pix_mp.height, 65536u),
    1120                                    PISP_BACK_END_MIN_TILE_HEIGHT);
    1121 
    1122         /*
    1123          * Fill in the actual colour space when the requested one was
    1124          * not supported. This also catches the case when the "default"
    1125          * colour space was requested (as that's never in the mask).
    1126          */
--> 1127         if (!(V4L2_COLORSPACE_MASK(f->fmt.pix_mp.colorspace) &
    1128             fmt->colorspace_mask))
    1129                 f->fmt.pix_mp.colorspace = fmt->colorspace_default;

The warning means that the user passes arg to

v4l_try_fmt()
-> pispbe_node_try_fmt_vid_cap
   -> pispbe_try_format()

Nothing has checked that f->fmt.pix_mp.colorspace >= BIT_PER_LONG so shift in
V4L2_COLORSPACE_MASK() could wrap.

    1130 
    1131         /* In all cases, we only support the defaults for these: */
    1132         f->fmt.pix_mp.ycbcr_enc =
    1133                 V4L2_MAP_YCBCR_ENC_DEFAULT(f->fmt.pix_mp.colorspace);
    1134         f->fmt.pix_mp.xfer_func =
    1135                 V4L2_MAP_XFER_FUNC_DEFAULT(f->fmt.pix_mp.colorspace);
    1136 
    1137         is_rgb = f->fmt.pix_mp.colorspace == V4L2_COLORSPACE_SRGB;
    1138         f->fmt.pix_mp.quantization =
    1139                 V4L2_MAP_QUANTIZATION_DEFAULT(is_rgb, f->fmt.pix_mp.colorspace,
    1140                                               f->fmt.pix_mp.ycbcr_enc);
    1141 
    1142         /* Set plane size and bytes/line for each plane. */
    1143         pispbe_set_plane_params(f, fmt);
    1144 
    1145         for (unsigned int i = 0; i < f->fmt.pix_mp.num_planes; i++) {
    1146                 dev_dbg(pispbe->dev,
    1147                         "%s: [%s] calc plane %d, %ux%u, depth %u, bpl %u size %u\n",
    1148                         __func__, NODE_NAME(node), i, f->fmt.pix_mp.width,
    1149                         f->fmt.pix_mp.height, fmt->bit_depth,
    1150                         f->fmt.pix_mp.plane_fmt[i].bytesperline,
    1151                         f->fmt.pix_mp.plane_fmt[i].sizeimage);
    1152         }
    1153 }

regards,
dan carpenter