[media] marvell-ccic: check register address

Prevent out-of-range register accesses.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

drivers/media/platform/marvell-ccic/cafe-driver.c

@@ -500,6 +500,7 @@ static int cafe_pci_probe(struct pci_dev *pdev,
 		printk(KERN_ERR "Unable to ioremap cafe-ccic regs\n");
 		goto out_disable;
 	}
+	mcam->regs_size = pci_resource_len(pdev, 0);
 	ret = request_irq(pdev->irq, cafe_irq, IRQF_SHARED, "cafe-ccic", cam);
 	if (ret)
 		goto out_iounmap;

drivers/media/platform/marvell-ccic/mcam-core.c

@@ -1404,6 +1404,8 @@ static int mcam_vidioc_g_register(struct file *file, void *priv,
 {
 	struct mcam_camera *cam = priv;
 
+	if (reg->reg > cam->regs_size - 4)
+		return -EINVAL;
 	reg->val = mcam_reg_read(cam, reg->reg);
 	reg->size = 4;
 	return 0;
@@ -1414,6 +1416,8 @@ static int mcam_vidioc_s_register(struct file *file, void *priv,
 {
 	struct mcam_camera *cam = priv;
 
+	if (reg->reg > cam->regs_size - 4)
+		return -EINVAL;
 	mcam_reg_write(cam, reg->reg, reg->val);
 	return 0;
 }

drivers/media/platform/marvell-ccic/mcam-core.h

@@ -101,6 +101,7 @@ struct mcam_camera {
 	 */
 	struct i2c_adapter *i2c_adapter;
 	unsigned char __iomem *regs;
+	unsigned regs_size; /* size in bytes of the register space */
 	spinlock_t dev_lock;
 	struct device *dev; /* For messages, dma alloc */
 	enum mcam_chip_id chip_id;

drivers/media/platform/marvell-ccic/mmp-driver.c

@@ -202,6 +202,7 @@ static int mmpcam_probe(struct platform_device *pdev)
 		ret = -ENODEV;
 		goto out_free;
 	}
+	mcam->regs_size = resource_size(res);
 	/*
 	 * Power/clock memory is elsewhere; get it too.  Perhaps this
 	 * should really be managed outside of this driver?