Date: Tue, 12 May 2026 10:46:20 +0300
From: Dan Carpenter
To: Shayaun Nejad
Cc: Mauro Carvalho Chehab, Hans de Goede, Sakari Ailus, Greg Kroah-Hartman, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] staging: media: atomisp: bound DVS 6-axis config copy size against allocated grid
In-Reply-To: <20260512014514.22856-1-snejad123@gmail.com>

On Mon, May 11, 2026 at 06:45:14PM -0700, Shayaun Nejad wrote:
> atomisp_cp_dvs_6axis_config() copies user-provided coordinate arrays into
> a 6-axis grid allocated from ISP dimensions.
>
> The copy sizes are computed from the user width and height fields, so
> mismatched or overflowing dimensions can copy past the allocated buffers.
>
> Reject dimensions that do not match the allocated config and compute the
> copy sizes with array3_size() before copying.
>
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shayaun Nejad
> --- > .../staging/media/atomisp/pci/atomisp_cmd.c | 84 ++++++++++++------- > 1 file changed, 52 insertions(+), 32 deletions(-) > > diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c > index fec369575d..677037f1da 100644
> --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c > +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c > @@ -14,6 +14,7 @@ > #include > #include > #include > +#include > #include > > #include > @@ -2570,6 +2571,29 @@ int atomisp_css_cp_dvs2_coefs(struct atomisp_sub_device *asd, > return 0; > } > > +static int atomisp_dvs_6axis_size(struct ia_css_dvs_6axis_config *config, > + u32 width_y, u32 height_y, > + u32 width_uv, u32 height_uv, > + size_t *y_size, size_t *uv_size) > +{ > + if (config->width_y != width_y || > + config->height_y != height_y || > + config->width_uv != width_uv || > + config->height_uv != height_uv) > + return -EINVAL; > + > + *y_size = array3_size(width_y, height_y, sizeof(*config->xcoords_y)); > + if (*y_size == SIZE_MAX) > + return -EINVAL; > + > + *uv_size = array3_size(width_uv, height_uv, > + sizeof(*config->xcoords_uv)); > + if (*uv_size == SIZE_MAX) > + return -EINVAL; > + > + return 0; > +}

This commit doesn't make sense. Any time people end up checking size_mul() type calculations for SIZE_MAX it's probably a sign things have gone wrong. You're supposed to just pass it along and let regular bounds checking handle it. It's not like ULONG_MAX is a special sort of "extra bad" invalid number. So we have some math here and if it equals >= ULONG_MAX then it's invalid.

> + > int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, > struct atomisp_dvs_6axis_config *source_6axis_config, > struct atomisp_css_params *css_param, > @@ -2582,6 +2606,8 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, > struct ia_css_dvs_grid_info *dvs_grid_info = > atomisp_css_get_dvs_grid_info(&asd->params.curr_grid_info); > int ret = -EFAULT; > + size_t y_size; > + size_t uv_size; > > if (!stream) { > dev_err(asd->isp->dev, "%s: internal error!", __func__);
> @@ -2628,35 +2654,32 @@ int atomisp_cp_dvs_6axis_config(struct atomisp_sub_device *asd, > return -ENOMEM; > } > > + ret = atomisp_dvs_6axis_size(dvs_6axis_config, > + t_6axis_config.width_y, > + t_6axis_config.height_y, > + t_6axis_config.width_uv, > + t_6axis_config.height_uv, > + &y_size, &uv_size); > + if (ret) > + goto error; > + > dvs_6axis_config->exp_id = t_6axis_config.exp_id; > > if (copy_from_compatible(dvs_6axis_config->xcoords_y, > t_6axis_config.xcoords_y, > - t_6axis_config.width_y * > - t_6axis_config.height_y * > - sizeof(*dvs_6axis_config->xcoords_y), > - from_user)) > + y_size, from_user))

But if the result stored in y_size is ULONG_MAX - 1 then we copy that number of bytes from the user.

regards,
dan carpenter
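
Review bot: In the new atomisp_dvs_6axis_size() helper, the two `== SIZE_MAX` tests after array3_size() reject only the saturated value, so the bound on the copy length rests entirely on the width/height equality check at the top of the function. Suggest dropping the SIZE_MAX tests and comparing the computed byte count against the size the grid buffers were allocated with, or at least adding a comment that the equality check is what ties y_size and uv_size to the allocation. The config argument is only read in this helper and could be a const pointer.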
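
Review bot: The `ret = atomisp_dvs_6axis_size(...)` assignment in the last hunk overwrites the `int ret = -EFAULT;` initial value (visible in the preceding hunk's context) with 0 on success. If the copy_from_compatible() failure paths that follow jump to the error label without setting ret themselves, a failed user copy would now return 0 to the caller. Suggest keeping the helper's result in a separate variable, or setting ret back to -EFAULT after the `if (ret) goto error;` check.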
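
The point made in the reply about SIZE_MAX, as an added example that is not part of the original mail or of the atomisp driver: a userspace model of a saturating size multiply, comparing a sentinel test with an ordinary bounds check against the buffer size. The helper names, the 64x32 grid and the 4-byte element size are constructed for illustration, the patch's width/height equality check is deliberately left out, and `__builtin_mul_overflow` is the GCC/Clang builtin.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of a saturating multiply: yields SIZE_MAX on overflow. */
static size_t sat_mul(size_t a, size_t b)
{
	size_t r;

	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t sat_mul3(size_t a, size_t b, size_t c)
{
	return sat_mul(sat_mul(a, b), c);
}

/* Sentinel test: only the saturated value is treated as invalid. */
static int len_check_sentinel(size_t w, size_t h, size_t elem, size_t *len)
{
	*len = sat_mul3(w, h, elem);
	return *len == SIZE_MAX ? -EINVAL : 0;
}

/* Bounds test: the result, saturated or not, is compared with the buffer. */
static int len_check_bounded(size_t w, size_t h, size_t elem,
			     size_t alloc_bytes, size_t *len)
{
	*len = sat_mul3(w, h, elem);
	return *len > alloc_bytes ? -EINVAL : 0;
}

int main(void)
{
	size_t alloc = 64 * 32 * 4;	/* constructed: bytes allocated for the grid */
	size_t len;
	int s, b;

	/* One column too wide: no overflow, but larger than the buffer. */
	s = len_check_sentinel(65, 32, 4, &len);
	b = len_check_bounded(65, 32, 4, alloc, &len);
	printf("65x32: sentinel=%d bounded=%d len=%zu\n", s, b, len);

	/* Overflowing dimensions saturate and fail the same bounds test. */
	b = len_check_bounded(SIZE_MAX / 2, 4, 4, alloc, &len);
	printf("overflow: bounded=%d\n", b);
	return 0;
}
```
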