From patchwork Thu Mar  8 00:05:25 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kieran Bingham
 <kieran.bingham+renesas@ideasonboard.com>
X-Patchwork-Id: 10265701
Return-Path: <linux-media-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	76F8F6055D for <patchwork-linux-media@patchwork.kernel.org>;
	Thu,  8 Mar 2018 00:05:59 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6A17A28F30
	for <patchwork-linux-media@patchwork.kernel.org>;
	Thu,  8 Mar 2018 00:05:59 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 5F0F228F77; Thu,  8 Mar 2018 00:05:59 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 17BF928FCD
	for <patchwork-linux-media@patchwork.kernel.org>;
	Thu,  8 Mar 2018 00:05:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933780AbeCHAF4 (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Wed, 7 Mar 2018 19:05:56 -0500
Received: from galahad.ideasonboard.com ([185.26.127.97]:52113 "EHLO
	galahad.ideasonboard.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754875AbeCHAFj (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Wed, 7 Mar 2018 19:05:39 -0500
Received: from localhost.localdomain
	(cpc89242-aztw30-2-0-cust488.18-1.cable.virginm.net
	[86.31.129.233])
	by galahad.ideasonboard.com (Postfix) with ESMTPSA id 7529F20D3D;
	Thu,  8 Mar 2018 01:03:33 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1520467413;
	bh=866YRDrUfpGj/f27lS20+hnfiDELT3YI7iHHx23xGsk=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:In-Reply-To:
	References:From;
	b=IW2liRqi9kgLxmFKXmBapozWTLvHQlXTdttz0JtHijJGn5qttKlIuZ9lpN1HnyoxX
	VrFn1pApos0vSo7RUf758V3EdYXAO6crMgeqYCwhTp17p9p5R2QNIrx9TmMcI9r2jx
	8NYqFEbTumDDmJqcFtrkYAfCeXba7/QefUeZcqyE=
From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
To: linux-media@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Kieran Bingham <kieran.bingham@ideasonboard.com>,
	Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Subject: [PATCH v7 2/8] media: vsp1: Protect bodies against overflow
Date: Thu,  8 Mar 2018 00:05:25 +0000
Message-Id: 
 <8ed642bf8f056311e67fe177d5686178f8926427.1520466993.git-series.kieran.bingham+renesas@ideasonboard.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: 
 <cover.636c1ee27fc6973cc312e0f25131a435872a0a35.1520466993.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.636c1ee27fc6973cc312e0f25131a435872a0a35.1520466993.git-series.kieran.bingham+renesas@ideasonboard.com>
In-Reply-To: 
 <cover.636c1ee27fc6973cc312e0f25131a435872a0a35.1520466993.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.636c1ee27fc6973cc312e0f25131a435872a0a35.1520466993.git-series.kieran.bingham+renesas@ideasonboard.com>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The body write function relies on the code never asking it to write more
than the entries available in the list.

Currently with each list body containing 256 entries, this is fine, but
we can reduce this number greatly saving memory. In preparation of this
add a level of protection to catch any buffer overflows.

Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---

v3:
 - adapt for new 'body' terminology
 - simplify WARN_ON macro usage

 drivers/media/platform/vsp1/vsp1_dl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/vsp1/vsp1_dl.c b/drivers/media/platform/vsp1/vsp1_dl.c
index caed441f5f0c..67cc16c1b8e3 100644
--- a/drivers/media/platform/vsp1/vsp1_dl.c
+++ b/drivers/media/platform/vsp1/vsp1_dl.c
@@ -50,6 +50,7 @@ struct vsp1_dl_entry {
  * @dma: DMA address of the entries
  * @size: size of the DMA memory in bytes
  * @num_entries: number of stored entries
+ * @max_entries: number of entries available
  */
 struct vsp1_dl_body {
 	struct list_head list;
@@ -60,6 +61,7 @@ struct vsp1_dl_body {
 	size_t size;
 
 	unsigned int num_entries;
+	unsigned int max_entries;
 };
 
 /**
@@ -139,6 +141,7 @@ static int vsp1_dl_body_init(struct vsp1_device *vsp1,
 
 	dlb->vsp1 = vsp1;
 	dlb->size = size;
+	dlb->max_entries = num_entries;
 
 	dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma,
 				    GFP_KERNEL);
@@ -220,6 +223,10 @@ void vsp1_dl_body_free(struct vsp1_dl_body *dlb)
  */
 void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data)
 {
+	if (WARN_ONCE(dlb->num_entries >= dlb->max_entries,
+		      "DLB size exceeded (max %u)", dlb->max_entries))
+		return;
+
 	dlb->entries[dlb->num_entries].addr = reg;
 	dlb->entries[dlb->num_entries].data = data;
 	dlb->num_entries++;