Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4b5e7331 authored by Karthikeyan Periasamy's avatar Karthikeyan Periasamy Committed by Gerrit - the friendly Code Review server
Browse files

msm: vidc: Allocate bus vote data memory correctly 



Allocate bus vote data memory in probe and free in remove.
This makes vote data allocated once and accessible all the
times. Allocate vote data for correct length. Protect vote
data with core->lock for use-after-free issues.

CRs-Fixed: 2073885
Change-Id: I72c8996176a082997948fb327cfdc279474c793c
Signed-off-by: default avatarKarthikeyan Periasamy <kperiasa@codeaurora.org>
Signed-off-by: default avatarPraneeth Paladugu <ppaladug@codeaurora.org>
parent 5f300da0

drivers/media/platform/msm/vidc/msm_v4l2_vidc.c

+8 −0
Original line number Diff line number Diff line
@@ -347,6 +347,14 @@ static int msm_vidc_initialize_core(struct platform_device *pdev, 
	}



	INIT_DELAYED_WORK(&core->fw_unload_work, msm_vidc_fw_unload_handler);



	mutex_lock(&core->lock);

	core->vote_data = kcalloc(MAX_SUPPORTED_INSTANCES,

		sizeof(*core->vote_data), GFP_KERNEL);

	if (!core->vote_data)

		dprintk(VIDC_ERR, "%s: failed to allocate memory\n", __func__);

	mutex_unlock(&core->lock);



	return rc;

}

drivers/media/platform/msm/vidc/msm_vidc_clocks.c

+3 −1
Original line number Diff line number Diff line
@@ -139,15 +139,16 @@ int msm_comm_vote_bus(struct msm_vidc_core *core) 


	hdev = core->device;



	mutex_lock(&core->lock);

	vote_data = core->vote_data;

	if (!vote_data) {

		dprintk(VIDC_PROF,

			"Failed to get vote_data for inst %pK\n",

				inst);

		mutex_unlock(&core->lock);

		return -EINVAL;

	}



	mutex_lock(&core->lock);

	list_for_each_entry(inst, &core->instances, list) {

		int codec = 0;

		struct msm_vidc_buffer *temp, *next;
@@ -157,6 +158,7 @@ int msm_comm_vote_bus(struct msm_vidc_core *core) 
		if (!inst) {

			dprintk(VIDC_ERR, "%s Invalid args\n",

				__func__);

			mutex_unlock(&core->lock);

			return -EINVAL;

		}

drivers/media/platform/msm/vidc/msm_vidc_common.c

+2 −9
Original line number Diff line number Diff line
@@ -35,8 +35,6 @@ 
		V4L2_EVENT_MSM_VIDC_RELEASE_BUFFER_REFERENCE

#define L_MODE V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_DISABLED_AT_SLICE_BOUNDARY



#define MAX_SUPPORTED_INSTANCES 16



const char *const mpeg_video_vidc_extradata[] = {

	"Extradata none",

	"Extradata MB Quantization",
@@ -957,8 +955,8 @@ static void handle_sys_init_done(enum hal_command_response cmd, void *data) 
	/* This should come from sys_init_done */

	core->resources.max_inst_count =

		sys_init_msg->max_sessions_supported ?

		sys_init_msg->max_sessions_supported :

		MAX_SUPPORTED_INSTANCES;

		min_t(u32, sys_init_msg->max_sessions_supported,

		MAX_SUPPORTED_INSTANCES) : MAX_SUPPORTED_INSTANCES;



	core->resources.max_secure_inst_count =

		core->resources.max_secure_inst_count ?
@@ -979,11 +977,6 @@ static void handle_sys_init_done(enum hal_command_response cmd, void *data) 
		__func__, core->codec_count, core->enc_codec_supported,

		core->dec_codec_supported);



	core->vote_data = kcalloc(MAX_SUPPORTED_INSTANCES,

		sizeof(core->vote_data), GFP_KERNEL);

	if (!core->vote_data)

		dprintk(VIDC_ERR, "%s: failed to allocate memory\n", __func__);



	complete(&(core->completions[index]));

}

drivers/media/platform/msm/vidc/msm_vidc_internal.h

+1 −0
Original line number Diff line number Diff line
@@ -49,6 +49,7 @@ 
#define MAX_NUM_OUTPUT_BUFFERS VIDEO_MAX_FRAME // same as VB2_MAX_FRAME

#define MAX_NUM_CAPTURE_BUFFERS VIDEO_MAX_FRAME // same as VB2_MAX_FRAME



#define MAX_SUPPORTED_INSTANCES 16



/* Maintains the number of FTB's between each FBD over a window */

#define DCVS_FTB_WINDOW 16