
Commit 2396a460 authored by Venkat Chinta's avatar Venkat Chinta

msm: camera: icp: Validate size read from msg & dbg queues

A common API is used to read both the msg and dbg queues. The
hw mgr buffers for these queues are of different sizes.
Hence validate the size read from each queue
independently.

Change-Id: I95b5044753d0fafebfb1d6797bc1a131fc68a251
Signed-off-by: Venkat Chinta <vchinta@codeaurora.org> adding
parent e5c3238b
+2 −1
/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -74,6 +74,7 @@
#define ICP_SHARED_MEM_IN_BYTES                 (1024 * 1024)
#define ICP_UNCACHED_HEAP_SIZE_IN_BYTES         (2 * 1024 * 1024)
#define ICP_HFI_MAX_PKT_SIZE_IN_WORDS           25600
#define ICP_HFI_MAX_PKT_SIZE_MSGQ_IN_WORDS      256

#define ICP_HFI_QTBL_HOSTID1                    0x01000000
#define ICP_HFI_QTBL_STATUS_ENABLED             0x00000001
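Review bot: `ICP_HFI_MAX_PKT_SIZE_MSGQ_IN_WORDS` is introduced as a bare 256 with nothing tying it to the hw mgr message buffer it is meant to protect. The commit description says the two queues are read into buffers of different sizes, so if that buffer is ever resized the bound would silently stop matching and the size check in hfi_read_message would presumably no longer guard the copy. A comment such as `/* max msg queue packet, in 32-bit words; must not exceed the hw mgr msg buffer */` would record the invariant, and a `BUILD_BUG_ON` next to the buffer declaration (not visible on this page) could enforce it at compile time.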
+8 −4
/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
/* Copyright (c) 2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -138,6 +138,7 @@ int hfi_read_message(uint32_t *pmsg, uint8_t q_id,
	struct hfi_q_hdr *q;
	uint32_t new_read_idx, size_in_words, word_diff, temp;
	uint32_t *read_q, *read_ptr, *write_ptr;
	uint32_t size_upper_bound = 0;
	int rc = 0;

	if (!pmsg) {
@@ -175,10 +176,13 @@ int hfi_read_message(uint32_t *pmsg, uint8_t q_id,
		goto err;
	}

	if (q_id == Q_MSG)
	if (q_id == Q_MSG) {
		read_q = (uint32_t *)g_hfi->map.msg_q.kva;
	else
		size_upper_bound = ICP_HFI_MAX_PKT_SIZE_MSGQ_IN_WORDS;
	} else {
		read_q = (uint32_t *)g_hfi->map.dbg_q.kva;
		size_upper_bound = ICP_HFI_MAX_PKT_SIZE_IN_WORDS;
	}

	read_ptr = (uint32_t *)(read_q + q->qhdr_read_idx);
	write_ptr = (uint32_t *)(read_q + q->qhdr_write_idx);
@@ -196,7 +200,7 @@ int hfi_read_message(uint32_t *pmsg, uint8_t q_id,
	}

	if ((size_in_words == 0) ||
		(size_in_words > ICP_HFI_MAX_PKT_SIZE_IN_WORDS)) {
		(size_in_words > size_upper_bound)) {
		CAM_ERR(CAM_HFI, "invalid HFI message packet size - 0x%08x",
			size_in_words << BYTE_WORD_SHIFT);
		q->qhdr_read_idx = q->qhdr_write_idx;
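Review bot: The `else` arm of the queue-selection block gives every q_id other than `Q_MSG` the larger `ICP_HFI_MAX_PKT_SIZE_IN_WORDS` bound, so the stricter message-queue limit relies on q_id having been validated earlier, which these hunks do not show. Because `size_upper_bound` starts at 0, testing explicitly for the debug queue id in the second arm and returning an error for anything else would keep the later `size_in_words > size_upper_bound` check failing closed if a new queue id is ever passed in. The error log would also be easier to triage if it named the queue and the limit, e.g. `"invalid HFI packet size 0x%08x on q %u (max 0x%08x)"`, since the size is read from the shared queue and is presumably written by firmware. hfi_read_message begins and ends outside the visible hunks.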