From patchwork Thu May 17 17:23:55 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kieran Bingham
 <kieran.bingham+renesas@ideasonboard.com>
X-Patchwork-Id: 10407379
X-Patchwork-Delegate: geert@linux-m68k.org
Return-Path: <linux-renesas-soc-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A471B60353 for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Thu, 17 May 2018 17:24:36 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9545D285AF
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Thu, 17 May 2018 17:24:36 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 89BD8285C5; Thu, 17 May 2018 17:24:36 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 16578285AF
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Thu, 17 May 2018 17:24:36 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752539AbeEQRY3 (ORCPT
	<rfc822;patchwork-linux-renesas-soc@patchwork.kernel.org>);
	Thu, 17 May 2018 13:24:29 -0400
Received: from perceval.ideasonboard.com ([213.167.242.64]:50652 "EHLO
	perceval.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by
	vger.kernel.org with ESMTP id S1752488AbeEQRYJ (ORCPT
	<rfc822;linux-renesas-soc@vger.kernel.org>);
	Thu, 17 May 2018 13:24:09 -0400
Received: from localhost.localdomain
	(cpc89242-aztw30-2-0-cust488.18-1.cable.virginm.net
	[86.31.129.233])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id 827EF1ABE;
	Thu, 17 May 2018 19:24:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1526577846;
	bh=Z/xiEkc56NJx/DFchf27LrGYA2Qcc4IEWhHuPmQWhaQ=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:In-Reply-To:
	References:From;
	b=agALTWb9I+1CHVMQVcW+UcdUomEtO73sIkyajdIM9TK7sip914zxtw6SeLxjqVmwY
	9JavmEExFRUPlOH+6KYCS0IiY8MAuImCqtEVbLuiXO1ffp5G3srZLOHYPHxw85w/oy
	IbHl1C/bYVaZETHPmlsa4SulMBITlRW1r7H4ObAw=
From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: linux-media@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
	Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>,
	Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Subject: [PATCH v10 2/8] media: vsp1: Protect bodies against overflow
Date: Thu, 17 May 2018 18:23:55 +0100
Message-Id: 
 <3d343d7eef1d43b04c15dcbd473507ee539779ca.1526577622.git-series.kieran.bingham+renesas@ideasonboard.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: 
 <cover.e217e37c63010c4a78c4022a30a389e5d7627919.1526577622.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.e217e37c63010c4a78c4022a30a389e5d7627919.1526577622.git-series.kieran.bingham+renesas@ideasonboard.com>
In-Reply-To: 
 <cover.e217e37c63010c4a78c4022a30a389e5d7627919.1526577622.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.e217e37c63010c4a78c4022a30a389e5d7627919.1526577622.git-series.kieran.bingham+renesas@ideasonboard.com>
Sender: linux-renesas-soc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-renesas-soc.vger.kernel.org>
X-Mailing-List: linux-renesas-soc@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The body write function relies on the code never asking it to write more
than the entries available in the list.

Currently with each list body containing 256 entries, this is fine, but
we can reduce this number greatly saving memory. In preparation of this
add a level of protection to catch any buffer overflows.

Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
---
 drivers/media/platform/vsp1/vsp1_dl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/vsp1/vsp1_dl.c b/drivers/media/platform/vsp1/vsp1_dl.c
index 083da4f05c20..51965c30dec2 100644
--- a/drivers/media/platform/vsp1/vsp1_dl.c
+++ b/drivers/media/platform/vsp1/vsp1_dl.c
@@ -46,6 +46,7 @@ struct vsp1_dl_entry {
  * @dma: DMA address of the entries
  * @size: size of the DMA memory in bytes
  * @num_entries: number of stored entries
+ * @max_entries: number of entries available
  */
 struct vsp1_dl_body {
 	struct list_head list;
@@ -56,6 +57,7 @@ struct vsp1_dl_body {
 	size_t size;
 
 	unsigned int num_entries;
+	unsigned int max_entries;
 };
 
 /**
@@ -138,6 +140,7 @@ static int vsp1_dl_body_init(struct vsp1_device *vsp1,
 
 	dlb->vsp1 = vsp1;
 	dlb->size = size;
+	dlb->max_entries = num_entries;
 
 	dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma,
 				    GFP_KERNEL);
@@ -219,6 +222,10 @@ void vsp1_dl_body_free(struct vsp1_dl_body *dlb)
  */
 void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data)
 {
+	if (WARN_ONCE(dlb->num_entries >= dlb->max_entries,
+		      "DLB size exceeded (max %u)", dlb->max_entries))
+		return;
+
 	dlb->entries[dlb->num_entries].addr = reg;
 	dlb->entries[dlb->num_entries].data = data;
 	dlb->num_entries++;