From: Shayaun Nejad
To: Mauro Carvalho Chehab, Hans de Goede
Cc: Sakari Ailus, Greg Kroah-Hartman, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Shayaun Nejad
Subject: [PATCH] staging: media: atomisp: bound DVS 6-axis config copy size against allocated grid
Date: Mon, 11 May 2026 18:45:14 -0700
Message-ID: <20260512014514.22856-1-snejad123@gmail.com>

atomisp_cp_dvs_6axis_config() copies user-provided coordinate arrays into a 6-axis grid allocated from ISP dimensions. The copy sizes are computed from the user width and height fields, so mismatched or overflowing dimensions can copy past the allocated buffers.

Reject dimensions that do not match the allocated config and compute the copy sizes with array3_size() before copying.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Cc: stable@vger.kernel.org
Signed-off-by: Shayaun Nejad
---
 .../staging/media/atomisp/pci/atomisp_cmd.c | 84 ++++++++++++-------
 1 file changed, 52 insertions(+), 32 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c index fec369575d..677037f1da 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include 
@@ -2570,6 +2571,29 @@ int atomisp_css_cp_dvs2_coefs(struct atomisp_sub_device *asd, return 0; } +static int atomisp_dvs_6axis_size(struct ia_css_dvs_6axis_config *config, + u32 width_y, u32 height_y, + u32 width_uv, u32 height_uv, + size_t *y_size, size_t *uv_size) +{ + if (config->width_y != width_y || + config->height_y != height_y || + config->width_uv != width_uv || + config->height_uv != height_uv) + return -EINVAL; + + *y_size = array3_size(width_y, height_y, sizeof(*config->xcoords_y)); + if (*y_size == SIZE_MAX) + return -EINVAL; + + *uv_size = array3_size(width_uv, height_uv, + sizeof(*config->xcoords_uv)); + if (*uv_size == SIZE_MAX) + return -EINVAL; + + return 0; +} + int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, struct atomisp_dvs_6axis_config *source_6axis_config, struct atomisp_css_params *css_param, @@ -2582,6 +2606,8 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, struct ia_css_dvs_grid_info *dvs_grid_info = atomisp_css_get_dvs_grid_info(&asd->params.curr_grid_info); int ret = -EFAULT; + size_t y_size; + size_t uv_size; if (!stream) { dev_err(asd->isp->dev, "%s: internal error!", __func__); 
@@ -2628,35 +2654,32 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, return -ENOMEM; } + ret = atomisp_dvs_6axis_size(dvs_6axis_config, + t_6axis_config.width_y, + t_6axis_config.height_y, + t_6axis_config.width_uv, + t_6axis_config.height_uv, + &y_size, &uv_size); + if (ret) + goto error; + dvs_6axis_config->exp_id = t_6axis_config.exp_id; if (copy_from_compatible(dvs_6axis_config->xcoords_y, t_6axis_config.xcoords_y, - t_6axis_config.width_y * - t_6axis_config.height_y * - sizeof(*dvs_6axis_config->xcoords_y), - from_user)) + y_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->ycoords_y, t_6axis_config.ycoords_y, - t_6axis_config.width_y * - t_6axis_config.height_y * - sizeof(*dvs_6axis_config->ycoords_y), - from_user)) + y_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->xcoords_uv, t_6axis_config.xcoords_uv, - t_6axis_config.width_uv * - t_6axis_config.height_uv * - sizeof(*dvs_6axis_config->xcoords_uv), - from_user)) + uv_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->ycoords_uv, t_6axis_config.ycoords_uv, - t_6axis_config.width_uv * - t_6axis_config.height_uv * - sizeof(*dvs_6axis_config->ycoords_uv), - from_user)) + uv_size, from_user)) goto error; } else { if (old_6axis_config && 
@@ -2680,35 +2703,32 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, } } + ret = atomisp_dvs_6axis_size(dvs_6axis_config, + source_6axis_config->width_y, + source_6axis_config->height_y, + source_6axis_config->width_uv, + source_6axis_config->height_uv, + &y_size, &uv_size); + if (ret) + goto error; + dvs_6axis_config->exp_id = source_6axis_config->exp_id; if (copy_from_compatible(dvs_6axis_config->xcoords_y, source_6axis_config->xcoords_y, - source_6axis_config->width_y * - source_6axis_config->height_y * - sizeof(*source_6axis_config->xcoords_y), - from_user)) + y_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->ycoords_y, source_6axis_config->ycoords_y, - source_6axis_config->width_y * - source_6axis_config->height_y * - sizeof(*source_6axis_config->ycoords_y), - from_user)) + y_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->xcoords_uv, source_6axis_config->xcoords_uv, - source_6axis_config->width_uv * - source_6axis_config->height_uv * - sizeof(*source_6axis_config->xcoords_uv), - from_user)) + uv_size, from_user)) goto error; if (copy_from_compatible(dvs_6axis_config->ycoords_uv, source_6axis_config->ycoords_uv, - source_6axis_config->width_uv * - source_6axis_config->height_uv * - sizeof(*source_6axis_config->ycoords_uv), - from_user)) + uv_size, from_user)) goto error; } css_param->dvs_6axis = dvs_6axis_config; -- 2.43.0
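
Review bot: in the new helper atomisp_dvs_6axis_size() (hunk at -2570), *y_size is computed from sizeof(*config->xcoords_y) alone and *uv_size from sizeof(*config->xcoords_uv) alone, but the callers then use those two values for the ycoords_y and ycoords_uv copies as well, where the removed lines used sizeof(*...->ycoords_y) and sizeof(*...->ycoords_uv). If the x and y coordinate arrays are guaranteed to share an element type, state that in a comment above the helper or enforce it with a static_assert() on the two sizeof values, so a later type change cannot silently desynchronise the copy length from the buffer. The equality test on width/height only bounds the copy if the four buffers were allocated from exactly config->width_y, height_y, width_uv and height_uv; a one-line comment recording that invariant would make the check reviewable without reading the allocator. The config argument is only read here and could be const.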
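
Review bot: in the from_user branch (hunk at -2628), assigning the helper's result to ret overwrites the -EFAULT that the declaration "int ret = -EFAULT;" sets up for the copy failures. After a successful atomisp_dvs_6axis_size() call ret is 0, and each following "if (copy_from_compatible(...)) goto error;" jumps without setting ret again, so if the error label returns ret, a failed user copy would now be reported as success after the partially filled config has been discarded. Either restore ret = -EFAULT once the size check passes, or set ret explicitly before each goto in the copy sequence. The error label is outside the visible context, so please confirm what it returns.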
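
Review bot: in the else branch (hunk at -2680), the removed size expressions used the source structure's element type, for example sizeof(*source_6axis_config->xcoords_y), while the replacement y_size and uv_size come from the destination type via sizeof(*config->xcoords_y) in the helper. Sizing by the destination is the safer choice for bounding the write, but it is a behaviour change if struct atomisp_dvs_6axis_config and struct ia_css_dvs_6axis_config ever differ in coordinate element width, because the read from the source would then use the wrong length; the commit message should mention this or the two types should be asserted equal in size. The ret handling raised for the from_user branch applies to this copy sequence too, since it follows the same "ret = ...; if (ret) goto error;" pattern before the four copies.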