From patchwork Thu Jun 3 00:17:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gustavo A. R. Silva" X-Patchwork-Id: 12295875 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23E10C47092 for ; Thu, 3 Jun 2021 00:16:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0F902613EA for ; Thu, 3 Jun 2021 00:16:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229629AbhFCARo (ORCPT ); Wed, 2 Jun 2021 20:17:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:50366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229541AbhFCARo (ORCPT ); Wed, 2 Jun 2021 20:17:44 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D65AA6100A; Thu, 3 Jun 2021 00:15:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1622679360; bh=yEdkcwuAhilPBcLbUWO28NG4GTX7d4iKHu4aVHEwMBE=; h=Date:From:To:Cc:Subject:From; b=uu9+1ZBQo/EZmWv5FGp1qdyQb2TwPdVMUd8Gai0Lzd076/EBqKLci9m3hKubk0xuE uS3cEkN6UgTpNA4mA1QTke4r2EIl6gRgDkchsERpkEbZvPhr0mcrMm7dTuxX80mjAm SeAybvHtyu1siOVw/IWuhYVEOjBS4YLV9oPxB6IPRaIj533yA1Z/gditQfHWpFqWzw r7W8o/40j7TpPH8K8udH4G+lIX+kPDg3E6gWFuwe6rhylHRPH/TD1t24shUYbmUanD li7WTp24O6Qogx8sgCREjrM47vfsDsOW3sZi5YSLLh6ddChslNiy1TUmgCEMaHPh9N gKnazDIguyOQQ== Date: Wed, 2 Jun 2021 19:17:08 -0500 From: "Gustavo A. R. Silva" To: Stanimir Varbanov , Andy Gross , Bjorn Andersson , Mauro Carvalho Chehab , "Gustavo A. R. Silva" Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, "Gustavo A. R. Silva" , linux-hardening@vger.kernel.org, Kees Cook Subject: [PATCH v3][venus-for-next-v5.14] media: venus: hfi_cmds: Fix packet size calculation Message-ID: <20210603001708.GA55239@embeddedor> MIME-Version: 1.0 Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org Now that a one-element array was replaced with a flexible-array member in struct hfi_sys_set_property_pkt, use the struct_size() helper to correctly calculate the packet size. Fixes: 701e10b3fd9f ("media: venus: hfi_cmds.h: Replace one-element array with flexible-array member") Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook --- Changes in v3: - Fix size calculation in call to struct_size(). Link: https://lore.kernel.org/linux-hardening/202106021254.39A1561075@keescook/ Link: https://lore.kernel.org/linux-hardening/113fd896-464c-6aef-215a-a53ac6103a62@embeddedor.com/ Changes in v2: - Include linux/overflow.h for struct_size(). drivers/media/platform/qcom/venus/hfi_cmds.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/qcom/venus/hfi_cmds.c b/drivers/media/platform/qcom/venus/hfi_cmds.c index 4b9dea7f6940..f51024786991 100644 --- a/drivers/media/platform/qcom/venus/hfi_cmds.c +++ b/drivers/media/platform/qcom/venus/hfi_cmds.c @@ -3,6 +3,7 @@ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. * Copyright (C) 2017 Linaro Ltd. */ +#include #include #include @@ -27,7 +28,7 @@ void pkt_sys_idle_indicator(struct hfi_sys_set_property_pkt *pkt, u32 enable) { struct hfi_enable *hfi = (struct hfi_enable *)&pkt->data[1]; - pkt->hdr.size = sizeof(*pkt) + sizeof(*hfi) + sizeof(u32); + pkt->hdr.size = struct_size(pkt, data, 1) + sizeof(*hfi); pkt->hdr.pkt_type = HFI_CMD_SYS_SET_PROPERTY; pkt->num_properties = 1; pkt->data[0] = HFI_PROPERTY_SYS_IDLE_INDICATOR; @@ -39,7 +40,7 @@ void pkt_sys_debug_config(struct hfi_sys_set_property_pkt *pkt, u32 mode, { struct hfi_debug_config *hfi; - pkt->hdr.size = sizeof(*pkt) + sizeof(*hfi) + sizeof(u32); + pkt->hdr.size = struct_size(pkt, data, 1) + sizeof(*hfi); pkt->hdr.pkt_type = HFI_CMD_SYS_SET_PROPERTY; pkt->num_properties = 1; pkt->data[0] = HFI_PROPERTY_SYS_DEBUG_CONFIG; @@ -50,7 +51,7 @@ void pkt_sys_debug_config(struct hfi_sys_set_property_pkt *pkt, u32 mode, void pkt_sys_coverage_config(struct hfi_sys_set_property_pkt *pkt, u32 mode) { - pkt->hdr.size = sizeof(*pkt) + sizeof(u32); + pkt->hdr.size = struct_size(pkt, data, 2); pkt->hdr.pkt_type = HFI_CMD_SYS_SET_PROPERTY; pkt->num_properties = 1; pkt->data[0] = HFI_PROPERTY_SYS_CONFIG_COVERAGE; @@ -116,7 +117,7 @@ void pkt_sys_power_control(struct hfi_sys_set_property_pkt *pkt, u32 enable) { struct hfi_enable *hfi = (struct hfi_enable *)&pkt->data[1]; - pkt->hdr.size = sizeof(*pkt) + sizeof(*hfi) + sizeof(u32); + pkt->hdr.size = struct_size(pkt, data, 1) + sizeof(*hfi); pkt->hdr.pkt_type = HFI_CMD_SYS_SET_PROPERTY; pkt->num_properties = 1; pkt->data[0] = HFI_PROPERTY_SYS_CODEC_POWER_PLANE_CTRL;