media: vsp1: Protect bodies against overflow

The body write function relies on the code never asking it to write more
than the entries available in the list.

Currently with each list body containing 256 entries, this is fine, but
we can reduce this number greatly saving memory. In preparation of this
add a level of protection to catch any buffer overflows.

Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This commit is contained in:
Kieran Bingham 2018-05-18 16:41:57 -04:00 committed by Mauro Carvalho Chehab
parent 764dfee1a1
commit 0766734197

View File

@ -46,6 +46,7 @@ struct vsp1_dl_entry {
* @dma: DMA address of the entries * @dma: DMA address of the entries
* @size: size of the DMA memory in bytes * @size: size of the DMA memory in bytes
* @num_entries: number of stored entries * @num_entries: number of stored entries
* @max_entries: number of entries available
*/ */
struct vsp1_dl_body { struct vsp1_dl_body {
struct list_head list; struct list_head list;
@ -56,6 +57,7 @@ struct vsp1_dl_body {
size_t size; size_t size;
unsigned int num_entries; unsigned int num_entries;
unsigned int max_entries;
}; };
/** /**
@ -138,6 +140,7 @@ static int vsp1_dl_body_init(struct vsp1_device *vsp1,
dlb->vsp1 = vsp1; dlb->vsp1 = vsp1;
dlb->size = size; dlb->size = size;
dlb->max_entries = num_entries;
dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma, dlb->entries = dma_alloc_wc(vsp1->bus_master, dlb->size, &dlb->dma,
GFP_KERNEL); GFP_KERNEL);
@ -219,6 +222,10 @@ void vsp1_dl_body_free(struct vsp1_dl_body *dlb)
*/ */
void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data) void vsp1_dl_body_write(struct vsp1_dl_body *dlb, u32 reg, u32 data)
{ {
if (WARN_ONCE(dlb->num_entries >= dlb->max_entries,
"DLB size exceeded (max %u)", dlb->max_entries))
return;
dlb->entries[dlb->num_entries].addr = reg; dlb->entries[dlb->num_entries].addr = reg;
dlb->entries[dlb->num_entries].data = data; dlb->entries[dlb->num_entries].data = data;
dlb->num_entries++; dlb->num_entries++;