media: mediatek: vcodec: Consider vdecsys presence in reg range check

Commit fe8a3397 ("media: mediatek: vcodec: Read HW active status from syscon") allowed the driver to read the VDEC_SYS io space from a syscon instead of from the reg property when reg-names are supplied. However as part of that change, a smatch warning was introduced: drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11 With a correct Devicetree, that is, one that follows the dt-binding, it wouldn't be possible to trigger such a buffer overflow. Even so, update the range validation of the reg property, so that the smatch warning is fixed and if an incorrect Devicetree is ever supplied the code errors out instead of causing memory corruption. Reported-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl Fixes: fe8a3397 ("media: mediatek: vcodec: Read HW active status from syscon") Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

media: mediatek: vcodec: Consider vdecsys presence in reg range check
Commit fe8a3397 ("media: mediatek: vcodec: Read HW active status from syscon") allowed the driver to read the VDEC_SYS io space from a syscon instead of from the reg property when reg-names are supplied. However as part of that change, a smatch warning was introduced: drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c:142 mtk_vcodec_get_reg_bases() error: buffer overflow 'mtk_dec_reg_names' 11 <= 11 With a correct Devicetree, that is, one that follows the dt-binding, it wouldn't be possible to trigger such a buffer overflow. Even so, update the range validation of the reg property, so that the smatch warning is fixed and if an incorrect Devicetree is ever supplied the code errors out instead of causing memory corruption. Reported-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Closes: https://lore.kernel.org/all/b5fd2dff-14a5-3ad8-9698-d1a50f4516fa@xs4all.nl Fixes: fe8a3397 ("media: mediatek: vcodec: Read HW active status from syscon") Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
dd61c2a3 · Nícolas F. R. A. Prado · Hans Verkuil · 7baeedbe · dd61c2a3
Commit dd61c2a3 authored Jul 26, 2023 by Nícolas F. R. A. Prado Committed by Hans Verkuil Jul 27, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c +5 -1

No files found.
--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec_drv.c
@@ -96,6 +96,7 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
 	int reg_num, i;
 	struct resource *res;
 	bool has_vdecsys_reg;
+	int num_max_vdec_regs;
 	static const char * const mtk_dec_reg_names[] = {
 		"misc",
 		"ld",
@@ -122,10 +123,13 @@ static int mtk_vcodec_get_reg_bases(struct mtk_vcodec_dev *dev)
 	else
 		has_vdecsys_reg = true;

+	num_max_vdec_regs = has_vdecsys_reg ? NUM_MAX_VDEC_REG_BASE :
+					      ARRAY_SIZE(mtk_dec_reg_names);
+
 	/* Sizeof(u32) * 4 bytes for each register base. */
 	reg_num = of_property_count_elems_of_size(pdev->dev.of_node, "reg",
 						  sizeof(u32) * 4);
-	if (reg_num <= 0 || reg_num > NUM_MAX_VDEC_REG_BASE) {
+	if (reg_num <= 0 || reg_num > num_max_vdec_regs) {
 		dev_err(&pdev->dev, "Invalid register property size: %d\n", reg_num);
 		return -EINVAL;
 	}