From patchwork Mon Jan 15 16:38:42 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kieran Bingham
 <kieran.bingham+renesas@ideasonboard.com>
X-Patchwork-Id: 10164761
Return-Path: <linux-media-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	CB6A260325 for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 15 Jan 2018 16:38:49 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B966920072
	for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 15 Jan 2018 16:38:49 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id AD38520134; Mon, 15 Jan 2018 16:38:49 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_HI,URIBL_GREY autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3E8E420072
	for <patchwork-linux-media@patchwork.kernel.org>;
	Mon, 15 Jan 2018 16:38:49 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S966015AbeAOQir (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Mon, 15 Jan 2018 11:38:47 -0500
Received: from o1678950229.outbound-mail.sendgrid.net ([167.89.50.229]:26535
	"EHLO o1678950229.outbound-mail.sendgrid.net"
	rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S966133AbeAOQin (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Mon, 15 Jan 2018 11:38:43 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.me;
	h=from:to:cc:subject:in-reply-to:references:in-reply-to:references;
	s=smtpapi; bh=c+9YLamestGSRoQVF5yZmsiUnIg=; b=mivrFocRrUsffD9Qc6
	mVptU0xb+cM3ULIhHdkeQNOcjEb05Hogd3OL3RI9t7IZcZGPnBM9cX1rlodML/Rl
	Pur61oyT/UYcLQWwEQfy51GjQdtSlkUDO4JdLWuRBz7eIUpBEBJ0hOAyC7RpVEvI
	WmSwc9qGPxun1Q0yPsxw/eBqA=
Received: by filter0023p3iad2.sendgrid.net with SMTP id
	filter0023p3iad2-10029-5A5CD911-46
	2018-01-15 16:38:41.820303913 +0000 UTC
Received: from localhost.localdomain
	(cpc89242-aztw30-2-0-cust488.18-1.cable.virginm.net
	[86.31.129.233])
	by ismtpd0003p1lon1.sendgrid.net (SG) with ESMTP id
	AcZ86gzzSraIjhQa73z4Ug Mon, 15 Jan 2018 16:38:41.757 +0000 (UTC)
From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
To: linux-media@vger.kernel.org, linux-renesas-soc@vger.kernel.org
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Kieran Bingham <kieran.bingham@ideasonboard.com>,
	Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Subject: [PATCH v5 2/9] v4l: vsp1: Protect bodies against overflow
Date: Mon, 15 Jan 2018 16:38:42 +0000 (UTC)
Message-Id: 
 <c843f227e694a9e94c43b2f67cdef54cc186a0ad.1516028582.git-series.kieran.bingham+renesas@ideasonboard.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: 
 <cover.7c5bc67e9d7032daf8ea4d7bd18cf237c61676b4.1516028582.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.7c5bc67e9d7032daf8ea4d7bd18cf237c61676b4.1516028582.git-series.kieran.bingham+renesas@ideasonboard.com>
In-Reply-To: 
 <cover.7c5bc67e9d7032daf8ea4d7bd18cf237c61676b4.1516028582.git-series.kieran.bingham+renesas@ideasonboard.com>
References: 
 <cover.7c5bc67e9d7032daf8ea4d7bd18cf237c61676b4.1516028582.git-series.kieran.bingham+renesas@ideasonboard.com>
X-SG-EID: 
 Tfq0zQjjJFmIKL8hyrOr6KT7wyjsEm7XZZskPfLyBPJqnoj4H7xJRAKVkFtoAjwE2aDThXrGFiQVZz
	0/++69fYV8hAq3BfxNJUHvAxn6sumF0TScYmb78mArNYEuiVSrbj0LJmwK+EO5pqp1FeDtk3PjDiNr
	TU1MNLNWYvtcICWiSiC35XJQYG2HafY8W5t9R+hvlWebLhsuKwuAYVPlMR13BYh3hcno5LAiL0FP09
	ldXSi4pBXdZcn12rZ3QB3t
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The body write function relies on the code never asking it to write more
than the entries available in the list.

Currently with each list body containing 256 entries, this is fine, but
we can reduce this number greatly saving memory. In preparation of this
add a level of protection to catch any buffer overflows.

Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---

v3:
 - adapt for new 'body' terminology
 - simplify WARN_ON macro usage
---
 drivers/media/platform/vsp1/vsp1_dl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/vsp1/vsp1_dl.c b/drivers/media/platform/vsp1/vsp1_dl.c
index 90e972a75c62..ecc3659a7884 100644
--- a/drivers/media/platform/vsp1/vsp1_dl.c
+++ b/drivers/media/platform/vsp1/vsp1_dl.c
@@ -50,6 +50,7 @@ struct vsp1_dl_entry {
  * @dma: DMA address of the entries
  * @size: size of the DMA memory in bytes
  * @num_entries: number of stored entries
+ * @max_entries: number of entries available
  */
 struct vsp1_dl_body {
 	struct list_head list;
@@ -60,6 +61,7 @@ struct vsp1_dl_body {
 	size_t size;
 
 	unsigned int num_entries;
+	unsigned int max_entries;
 };
 
 /**
@@ -139,6 +141,7 @@ static int vsp1_dl_body_init(struct vsp1_device *vsp1,
 
 	dlb->vsp1 = vsp1;
 	dlb->size = size;
+	dlb->max_entries = num_entries;
 
 	dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma,
 				    GFP_KERNEL);
@@ -220,6 +223,10 @@ void vsp1_dl_body_free(struct vsp1_dl_body *dlb)
  */
 void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data)
 {
+	if (WARN_ONCE(dlb->num_entries >= dlb->max_entries,
+		      "DLB size exceeded (max %u)", dlb->max_entries))
+		return;
+
 	dlb->entries[dlb->num_entries].addr = reg;
 	dlb->entries[dlb->num_entries].data = data;
 	dlb->num_entries++;