
Commit c6ad499d authored by Govindaraj Rajagopal's avatar Govindaraj Rajagopal

msm: vidc: remove additional checks in response_handler



There is a possibility of OOB access on device->response_pkt in
__response_handler. For example, if the msg queue contains 1000
messages and all 1000 were read, the queue is empty.
So the __get_q_size API will return zero and _iface_msgq_read
will go into an infinite loop, even if packet_count
== max_packets.

Change-Id: I3c0fb095feff0ba5d4d6dab65ed9d5111f1b6f05
Signed-off-by: default avatarGovindaraj Rajagopal <grajagop@codeaurora.org>
parent 4fe743ba
+1 −30
@@ -2141,34 +2141,6 @@ static int venus_hfi_core_release(void *dev)
	return rc;
}

static int __get_q_size(struct venus_hfi_device *dev, unsigned int q_index)
{
	struct hfi_queue_header *queue;
	struct vidc_iface_q_info *q_info;
	u32 write_ptr, read_ptr;

	if (q_index >= VIDC_IFACEQ_NUMQ) {
		d_vpr_e("Invalid q index: %d\n", q_index);
		return -ENOENT;
	}

	q_info = &dev->iface_queues[q_index];
	if (!q_info) {
		d_vpr_e("cannot read shared Q's\n");
		return -ENOENT;
	}

	queue = (struct hfi_queue_header *)q_info->q_hdr;
	if (!queue) {
		d_vpr_e("queue not present\n");
		return -ENOENT;
	}

	write_ptr = (u32)queue->qhdr_write_idx;
	read_ptr = (u32)queue->qhdr_read_idx;
	return read_ptr - write_ptr;
}

static void __core_clear_interrupt_common(struct venus_hfi_device *device)
{
	u32 intr_status = 0, mask = 0;
@@ -3369,8 +3341,7 @@ static int __response_handler(struct venus_hfi_device *device)
			*inst_id = session->inst_id;
		}

		if (packet_count >= max_packets &&
				__get_q_size(device, VIDC_IFACEQ_MSGQ_IDX)) {
		if (packet_count >= max_packets) {
			d_vpr_e(
				"Too many packets in message queue to handle at once, deferring read\n");
			break;
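Review bot: The bare `if (packet_count >= max_packets)` check in `__response_handler` is now the only bound on how many packets one pass collects, and nothing at that line says it is a memory-safety guard rather than a throttle. A short comment such as `/* hard cap: never collect more than max_packets per pass, whatever the queue state */` would keep a later change from re-attaching a queue-state condition to it. The commit message names `device->response_pkt` as the buffer at risk, but its allocation and the code that advances `packet_count` are outside this hunk (the function body starts and ends beyond it), so please confirm `max_packets` comes from the same value that sizes that buffer. Separately, the `d_vpr_e` call, which appears to be an error-level log, now also fires when exactly `max_packets` messages were read and the queue is already empty, so its "Too many packets ... deferring read" text may be misleading in that case.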