
[1/1] v4l: Avoid unaligned access warnings when printing 4cc modifiers

Message ID 20220110224656.266536-1-sakari.ailus@linux.intel.com
State Accepted
Commit 24bb30c8c894ec7213ad810b46e2a6a4c12136c1

Commit Message

Sakari Ailus Jan. 10, 2022, 10:46 p.m. UTC
Pointers to V4L2 pixelformat and dataformat fields in a few packed structs
are passed directly to the printk family of functions. This could result in an
unaligned access albeit no such possibility appears to exist at the
moment i.e. this clang warning appears to be a false positive.

Address the warning by copying the pixelformat or dataformat value to a
local variable first.

Reported-by: kernel test robot <lkp@intel.com>
Fixes: e927e1e0f0dd ("v4l: ioctl: Use %p4cc printk modifier to print FourCC codes")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
Hi Andy, Nick,

How about this one?

I believe it does address the clang warning although I haven't tested it.

Kind regards,
Sakari

 drivers/media/v4l2-core/v4l2-ioctl.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

Comments

Sakari Ailus Jan. 11, 2022, 10:47 a.m. UTC | #1
Hi Nick,

On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> <sakari.ailus@linux.intel.com> wrote:
> >
> > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > are directly passed to printk family of functions.
> 
> I would rephrase the below statement...
> 
> > This could result in an
> > unaligned access albeit no such possibility appears to exist at the
> > moment i.e. this clang warning appears to be a false positive.
> 
> ...to:
> 
> warning: taking address of packed member 'pixelformat' of class or
> structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> value [-Waddress-of-packed-member]
> 
> The warning is correct; because `struct v4l2_pix_format_mplane` is
> __packed, it's members also have __aligned(1).  Taking the address of
> such members results in the use of underaligned pointers which is UB
> and may be caught by UBSAN or fault on architectures without unaligned
> loads should the struct instance happen to be allocated without any
> natural alignment.

Wouldn't that be the case only if the __packed attribute resulted in a
different memory layout than not having that attribute?

All these fields are aligned by 4 so I don't see how this could be an
actual problem.

> 
> >
> > Address the warning by copying the pixelformat or dataformat value to a
> > local variable first.
> >
> > Reported-by: kernel test robot <lkp@intel.com>
> > Fixes: e927e1e0f0dd ("v4l: ioctl: Use %p4cc printk modifier to print FourCC codes")
> > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
> > ---
> > Hi Andy, Nick,
> >
> > How about this one?
> >
> > I believe it does address the clang warning although I haven't tested it.
> 
> LGTM. Thanks Sakari and Andy for pursuing this. Just a minor nit on my
> side about the framing of this warning being a false positive; I don't
> think it is.  With that amended,
> 
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

Thanks!
Andy Shevchenko Jan. 11, 2022, 11:37 a.m. UTC | #2
On Tue, Jan 11, 2022 at 12:46:56AM +0200, Sakari Ailus wrote:
> Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> are directly passed to printk family of functions. This could result in an
> unaligned access albeit no such possibility appears to exist at the
> moment i.e. this clang warning appears to be a false positive.
> 
> Address the warning by copying the pixelformat or dataformat value to a
> local variable first.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Fixes: e927e1e0f0dd ("v4l: ioctl: Use %p4cc printk modifier to print FourCC codes")
> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
> ---
> Hi Andy, Nick,
> 
> How about this one?
> 
> I believe it does address the clang warning although I haven't tested it.

With addressed comments, pointed by Nick,

Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

Thanks!

Note, applying this doesn't automatically discard my patch.

>  drivers/media/v4l2-core/v4l2-ioctl.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 9ac557b8e146..642cb90f457c 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -279,8 +279,8 @@ static void v4l_print_format(const void *arg, bool write_only)
>  	const struct v4l2_vbi_format *vbi;
>  	const struct v4l2_sliced_vbi_format *sliced;
>  	const struct v4l2_window *win;
> -	const struct v4l2_sdr_format *sdr;
>  	const struct v4l2_meta_format *meta;
> +	u32 pixelformat;
>  	u32 planes;
>  	unsigned i;
>  
> @@ -299,8 +299,9 @@ static void v4l_print_format(const void *arg, bool write_only)
>  	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
>  	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
>  		mp = &p->fmt.pix_mp;
> +		pixelformat = mp->pixelformat;
>  		pr_cont(", width=%u, height=%u, format=%p4cc, field=%s, colorspace=%d, num_planes=%u, flags=0x%x, ycbcr_enc=%u, quantization=%u, xfer_func=%u\n",
> -			mp->width, mp->height, &mp->pixelformat,
> +			mp->width, mp->height, &pixelformat,
>  			prt_names(mp->field, v4l2_field_names),
>  			mp->colorspace, mp->num_planes, mp->flags,
>  			mp->ycbcr_enc, mp->quantization, mp->xfer_func);
> @@ -343,14 +344,15 @@ static void v4l_print_format(const void *arg, bool write_only)
>  		break;
>  	case V4L2_BUF_TYPE_SDR_CAPTURE:
>  	case V4L2_BUF_TYPE_SDR_OUTPUT:
> -		sdr = &p->fmt.sdr;
> -		pr_cont(", pixelformat=%p4cc\n", &sdr->pixelformat);
> +		pixelformat = p->fmt.sdr.pixelformat;
> +		pr_cont(", pixelformat=%p4cc\n", &pixelformat);
>  		break;
>  	case V4L2_BUF_TYPE_META_CAPTURE:
>  	case V4L2_BUF_TYPE_META_OUTPUT:
>  		meta = &p->fmt.meta;
> +		pixelformat = meta->dataformat;
>  		pr_cont(", dataformat=%p4cc, buffersize=%u\n",
> -			&meta->dataformat, meta->buffersize);
> +			&pixelformat, meta->buffersize);
>  		break;
>  	}
>  }
> -- 
> 2.30.2
>
Andy Shevchenko Jan. 11, 2022, 12:27 p.m. UTC | #3
On Tue, Jan 11, 2022 at 12:47:17PM +0200, Sakari Ailus wrote:
> Hi Nick,
> 
> On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> > On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> > <sakari.ailus@linux.intel.com> wrote:
> > >
> > > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > > are directly passed to printk family of functions.
> > 
> > I would rephrase the below statement...
> > 
> > > This could result in an
> > > unaligned access albeit no such possibility appears to exist at the
> > > moment i.e. this clang warning appears to be a false positive.
> > 
> > ...to:
> > 
> > warning: taking address of packed member 'pixelformat' of class or
> > structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> > value [-Waddress-of-packed-member]
> > 
> > The warning is correct; because `struct v4l2_pix_format_mplane` is
> > __packed, it's members also have __aligned(1).  Taking the address of
> > such members results in the use of underaligned pointers which is UB
> > and may be caught by UBSAN or fault on architectures without unaligned
> > loads should the struct instance happen to be allocated without any
> > natural alignment.
> 
> Wouldn't that be the case only if the __packed attribute resulted in a
> different memory layout than not having that attribute?
> 
> All these fields are aligned by 4 so I don't see how this could be an
> actual problem.

packed means two things and developers often forget about the second one:
- the gaps between members in the data structures are removed
- the instance of the data object may be on unaligned address

Here is the second one which results in the warning.

That's why my patch against vsprintf as I explained in that thread.
Nick Desaulniers Jan. 11, 2022, 8:48 p.m. UTC | #4
On Tue, Jan 11, 2022 at 4:28 AM Andy Shevchenko
<andriy.shevchenko@linux.intel.com> wrote:
>
> On Tue, Jan 11, 2022 at 12:47:17PM +0200, Sakari Ailus wrote:
> > Hi Nick,
> >
> > On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> > > On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> > > <sakari.ailus@linux.intel.com> wrote:
> > > >
> > > > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > > > are directly passed to printk family of functions.
> > >
> > > I would rephrase the below statement...
> > >
> > > > This could result in an
> > > > unaligned access albeit no such possibility appears to exist at the
> > > > moment i.e. this clang warning appears to be a false positive.
> > >
> > > ...to:
> > >
> > > warning: taking address of packed member 'pixelformat' of class or
> > > structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> > > value [-Waddress-of-packed-member]
> > >
> > > The warning is correct; because `struct v4l2_pix_format_mplane` is
> > > __packed, it's members also have __aligned(1).  Taking the address of
> > > such members results in the use of underaligned pointers which is UB
> > > and may be caught by UBSAN or fault on architectures without unaligned
> > > loads should the struct instance happen to be allocated without any
> > > natural alignment.
> >
> > Wouldn't that be the case only if the __packed attribute resulted in a
> > different memory layout than not having that attribute?
> >
> > All these fields are aligned by 4 so I don't see how this could be an
> > actual problem.
>
> packed means two things and developers often forgot about the second one:
> - the gaps between members in the data structures are removed
> - the instance of the data object may be on unaligned address

Well put; the second is something that surprised me yesterday.  I'd
like to say I'd forgotten, but I'm not sure I ever really knew that in
the first place...marking a struct as being packed seems like
shorthand for marking all of the members as having alignment of 1,
which makes sense since natural alignment requirements are what
prevent structure packing in the first place.

I think this case should demonstrate the second point:
https://godbolt.org/z/77P484e4o
Sakari Ailus Jan. 11, 2022, 9:07 p.m. UTC | #5
Hi Nick, Andy,

On Tue, Jan 11, 2022 at 12:48:45PM -0800, Nick Desaulniers wrote:
> On Tue, Jan 11, 2022 at 4:28 AM Andy Shevchenko
> <andriy.shevchenko@linux.intel.com> wrote:
> >
> > On Tue, Jan 11, 2022 at 12:47:17PM +0200, Sakari Ailus wrote:
> > > Hi Nick,
> > >
> > > On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> > > > On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> > > > <sakari.ailus@linux.intel.com> wrote:
> > > > >
> > > > > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > > > > are directly passed to printk family of functions.
> > > >
> > > > I would rephrase the below statement...
> > > >
> > > > > This could result in an
> > > > > unaligned access albeit no such possibility appears to exist at the
> > > > > moment i.e. this clang warning appears to be a false positive.
> > > >
> > > > ...to:
> > > >
> > > > warning: taking address of packed member 'pixelformat' of class or
> > > > structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> > > > value [-Waddress-of-packed-member]
> > > >
> > > > The warning is correct; because `struct v4l2_pix_format_mplane` is
> > > > __packed, it's members also have __aligned(1).  Taking the address of
> > > > such members results in the use of underaligned pointers which is UB
> > > > and may be caught by UBSAN or fault on architectures without unaligned
> > > > loads should the struct instance happen to be allocated without any
> > > > natural alignment.
> > >
> > > Wouldn't that be the case only if the __packed attribute resulted in a
> > > different memory layout than not having that attribute?
> > >
> > > All these fields are aligned by 4 so I don't see how this could be an
> > > actual problem.
> >
> > packed means two things and developers often forgot about the second one:
> > - the gaps between members in the data structures are removed
> > - the instance of the data object may be on unaligned address
> 
> Well put; the second is something that surprised me yesterday.  I'd
> like to say I'd forgotten, but I'm not sure I ever really knew that in
> the first place...marking a struct as being packed seems like
> shorthand for marking all of the members as having alignment of 1,
> which makes sense since natural alignment requirements are what
> prevent structure packing in the first place.

I don't disagree with __packed allowing this but it is not the case here.
The fields clang warns about are always aligned by 4. In other words, this
warning is a false positive.
Nick Desaulniers Jan. 11, 2022, 9:36 p.m. UTC | #6
On Tue, Jan 11, 2022 at 1:07 PM Sakari Ailus
<sakari.ailus@linux.intel.com> wrote:
>
> Hi Nick, Andy,
>
> On Tue, Jan 11, 2022 at 12:48:45PM -0800, Nick Desaulniers wrote:
> > On Tue, Jan 11, 2022 at 4:28 AM Andy Shevchenko
> > <andriy.shevchenko@linux.intel.com> wrote:
> > >
> > > On Tue, Jan 11, 2022 at 12:47:17PM +0200, Sakari Ailus wrote:
> > > > Hi Nick,
> > > >
> > > > On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> > > > > On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> > > > > <sakari.ailus@linux.intel.com> wrote:
> > > > > >
> > > > > > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > > > > > are directly passed to printk family of functions.
> > > > >
> > > > > I would rephrase the below statement...
> > > > >
> > > > > > This could result in an
> > > > > > unaligned access albeit no such possibility appears to exist at the
> > > > > > moment i.e. this clang warning appears to be a false positive.
> > > > >
> > > > > ...to:
> > > > >
> > > > > warning: taking address of packed member 'pixelformat' of class or
> > > > > structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> > > > > value [-Waddress-of-packed-member]
> > > > >
> > > > > The warning is correct; because `struct v4l2_pix_format_mplane` is
> > > > > __packed, it's members also have __aligned(1).  Taking the address of
> > > > > such members results in the use of underaligned pointers which is UB
> > > > > and may be caught by UBSAN or fault on architectures without unaligned
> > > > > loads should the struct instance happen to be allocated without any
> > > > > natural alignment.
> > > >
> > > > Wouldn't that be the case only if the __packed attribute resulted in a
> > > > different memory layout than not having that attribute?
> > > >
> > > > All these fields are aligned by 4 so I don't see how this could be an
> > > > actual problem.
> > >
> > > packed means two things and developers often forgot about the second one:
> > > - the gaps between members in the data structures are removed
> > > - the instance of the data object may be on unaligned address
> >
> > Well put; the second is something that surprised me yesterday.  I'd
> > like to say I'd forgotten, but I'm not sure I ever really knew that in
> > the first place...marking a struct as being packed seems like
> > shorthand for marking all of the members as having alignment of 1,
> > which makes sense since natural alignment requirements are what
> > prevent structure packing in the first place.
>
> I don't disagree with __packed allowing this but it is not the case here.
> The fields clang warns about are always aligned by 4. In other words, this
> warning is a false positive.

The member `pixelformat` has a natural alignment of 4, but due to
being a member of a packed struct, it now has an alignment of 1.
Sakari Ailus Jan. 11, 2022, 9:57 p.m. UTC | #7
On Tue, Jan 11, 2022 at 01:36:14PM -0800, Nick Desaulniers wrote:
> On Tue, Jan 11, 2022 at 1:07 PM Sakari Ailus
> <sakari.ailus@linux.intel.com> wrote:
> >
> > Hi Nick, Andy,
> >
> > On Tue, Jan 11, 2022 at 12:48:45PM -0800, Nick Desaulniers wrote:
> > > On Tue, Jan 11, 2022 at 4:28 AM Andy Shevchenko
> > > <andriy.shevchenko@linux.intel.com> wrote:
> > > >
> > > > On Tue, Jan 11, 2022 at 12:47:17PM +0200, Sakari Ailus wrote:
> > > > > Hi Nick,
> > > > >
> > > > > On Mon, Jan 10, 2022 at 03:11:18PM -0800, Nick Desaulniers wrote:
> > > > > > On Mon, Jan 10, 2022 at 2:48 PM Sakari Ailus
> > > > > > <sakari.ailus@linux.intel.com> wrote:
> > > > > > >
> > > > > > > Pointers V4L2 pixelformat and dataformat fields in a few packed structs
> > > > > > > are directly passed to printk family of functions.
> > > > > >
> > > > > > I would rephrase the below statement...
> > > > > >
> > > > > > > This could result in an
> > > > > > > unaligned access albeit no such possibility appears to exist at the
> > > > > > > moment i.e. this clang warning appears to be a false positive.
> > > > > >
> > > > > > ...to:
> > > > > >
> > > > > > warning: taking address of packed member 'pixelformat' of class or
> > > > > > structure 'v4l2_pix_format_mplane' may result in an unaligned pointer
> > > > > > value [-Waddress-of-packed-member]
> > > > > >
> > > > > > The warning is correct; because `struct v4l2_pix_format_mplane` is
> > > > > > __packed, it's members also have __aligned(1).  Taking the address of
> > > > > > such members results in the use of underaligned pointers which is UB
> > > > > > and may be caught by UBSAN or fault on architectures without unaligned
> > > > > > loads should the struct instance happen to be allocated without any
> > > > > > natural alignment.
> > > > >
> > > > > Wouldn't that be the case only if the __packed attribute resulted in a
> > > > > different memory layout than not having that attribute?
> > > > >
> > > > > All these fields are aligned by 4 so I don't see how this could be an
> > > > > actual problem.
> > > >
> > > > packed means two things and developers often forgot about the second one:
> > > > - the gaps between members in the data structures are removed
> > > > - the instance of the data object may be on unaligned address
> > >
> > > Well put; the second is something that surprised me yesterday.  I'd
> > > like to say I'd forgotten, but I'm not sure I ever really knew that in
> > > the first place...marking a struct as being packed seems like
> > > shorthand for marking all of the members as having alignment of 1,
> > > which makes sense since natural alignment requirements are what
> > > prevent structure packing in the first place.
> >
> > I don't disagree with __packed allowing this but it is not the case here.
> > The fields clang warns about are always aligned by 4. In other words, this
> > warning is a false positive.
> 
> The member `pixelformat` has a natural alignment of 4, but due to
> being a member of a packed struct, it now has an alignment of 1.

I think you're discussing the general case and the meaning of __packed
whereas I'm talking about the circumstances where the struct is actually
used in the kernel. Yes, different kind of use of the struct could lead to
unaligned accesses (and crash on some archs) but that just does not happen
here i.e. there is no bug to fix.

Patch

diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
index 9ac557b8e146..642cb90f457c 100644
--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -279,8 +279,8 @@  static void v4l_print_format(const void *arg, bool write_only)
 	const struct v4l2_vbi_format *vbi;
 	const struct v4l2_sliced_vbi_format *sliced;
 	const struct v4l2_window *win;
-	const struct v4l2_sdr_format *sdr;
 	const struct v4l2_meta_format *meta;
+	u32 pixelformat;
 	u32 planes;
 	unsigned i;
 
@@ -299,8 +299,9 @@  static void v4l_print_format(const void *arg, bool write_only)
 	case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
 		mp = &p->fmt.pix_mp;
+		pixelformat = mp->pixelformat;
 		pr_cont(", width=%u, height=%u, format=%p4cc, field=%s, colorspace=%d, num_planes=%u, flags=0x%x, ycbcr_enc=%u, quantization=%u, xfer_func=%u\n",
-			mp->width, mp->height, &mp->pixelformat,
+			mp->width, mp->height, &pixelformat,
 			prt_names(mp->field, v4l2_field_names),
 			mp->colorspace, mp->num_planes, mp->flags,
 			mp->ycbcr_enc, mp->quantization, mp->xfer_func);
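Review bot: The new `pixelformat = mp->pixelformat;` copy ahead of `pr_cont()` carries no comment saying why it exists, so a later cleanup could fold it back into `&mp->pixelformat` and bring back the address-of-packed-member pattern. A one-line comment above the assignment would pin the intent, for example `/* %p4cc takes a pointer; copy out of the packed struct so the pointer is naturally aligned */`. The same comment is missing on the SDR and META assignments in the next hunk. The body of v4l_print_format starts and ends outside this hunk.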
@@ -343,14 +344,15 @@  static void v4l_print_format(const void *arg, bool write_only)
 		break;
 	case V4L2_BUF_TYPE_SDR_CAPTURE:
 	case V4L2_BUF_TYPE_SDR_OUTPUT:
-		sdr = &p->fmt.sdr;
-		pr_cont(", pixelformat=%p4cc\n", &sdr->pixelformat);
+		pixelformat = p->fmt.sdr.pixelformat;
+		pr_cont(", pixelformat=%p4cc\n", &pixelformat);
 		break;
 	case V4L2_BUF_TYPE_META_CAPTURE:
 	case V4L2_BUF_TYPE_META_OUTPUT:
 		meta = &p->fmt.meta;
+		pixelformat = meta->dataformat;
 		pr_cont(", dataformat=%p4cc, buffersize=%u\n",
-			&meta->dataformat, meta->buffersize);
+			&pixelformat, meta->buffersize);
 		break;
 	}
 }
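Review bot: In the META case the local named `pixelformat` is assigned `meta->dataformat`, so the name does not match what it holds on one of its three uses. A neutral name reads correctly everywhere: declare `u32 fourcc;` and use `fourcc = meta->dataformat;` with `&fourcc` at the call sites. The remaining `case` arms of this switch are not visible in these hunks; if any of them also pass the address of a packed-struct field to `%p4cc`, they would need the same local copy, which is worth confirming. v4l_print_format begins outside the hunk.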