Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b969652 authored by Manoj Rao's avatar Manoj Rao
Browse files

mdss: mdp: increase size of mdp image data length 



MDP image structure's len member is currently 32-bit.
This field is incorrectly cast to unsigned long before
passing to ion APIs like ion_map_iommu that expect 64-bit
wide data. This can cause unexpected data overwrites.
Avoid such incorrect casts and declare the member
in mdp image structure to have 64-bit width.
Additionally, use appropriate format specifiers in print
statements for the new field type.

Change-Id: I5b60230d25db23f355372284a81ef7505b3e8488
Signed-off-by: default avatarManoj Rao <manojraj@codeaurora.org>
parent 4d10f813

drivers/video/msm/mdss/mdss_mdp.h

+1 −1
Original line number Diff line number Diff line
@@ -265,7 +265,7 @@ struct mdss_mdp_plane_sizes { 


struct mdss_mdp_img_data {

	dma_addr_t addr;

	u32 len;

	unsigned long len;

	u32 flags;

	int p_need;

	struct file *srcp_file;

drivers/video/msm/mdss/mdss_mdp_util.c

+5 −5
Original line number Diff line number Diff line
@@ -428,7 +428,7 @@ int mdss_mdp_data_check(struct mdss_mdp_data *data, 
	if (!data || data->num_planes == 0)

		return -ENOMEM;



	pr_debug("srcp0=%pa len=%u frame_size=%u\n", &data->p[0].addr,

	pr_debug("srcp0=%pa len=%lu frame_size=%u\n", &data->p[0].addr,

		data->p[0].len, ps->total_size);



	for (i = 0; i < ps->num_planes; i++) {
@@ -443,11 +443,11 @@ int mdss_mdp_data_check(struct mdss_mdp_data *data, 
			curr->addr = prev->addr + psize;

		}

		if (curr->len < ps->plane_size[i]) {

			pr_err("insufficient mem=%u p=%d len=%u\n",

			pr_err("insufficient mem=%lu p=%d len=%u\n",

			       curr->len, i, ps->plane_size[i]);

			return -ENOMEM;

		}

		pr_debug("plane[%d] addr=%pa len=%u\n", i,

		pr_debug("plane[%d] addr=%pa len=%lu\n", i,

				&curr->addr, curr->len);

	}

	data->num_planes = ps->num_planes;
@@ -532,7 +532,7 @@ int mdss_mdp_get_img(struct msmfb_data *img, struct mdss_mdp_img_data *data) 
	struct ion_client *iclient = mdss_get_ionclient();



	start = &data->addr;

	len = (unsigned long *) &data->len;

	len = &data->len;

	data->flags |= img->flags;

	data->p_need = 0;
@@ -611,7 +611,7 @@ int mdss_mdp_get_img(struct msmfb_data *img, struct mdss_mdp_img_data *data) 
		data->addr += img->offset;

		data->len -= img->offset;



		pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%x\n", img->memory_id,

		pr_debug("mem=%d ihdl=%p buf=0x%pa len=%lu\n", img->memory_id,

			 data->srcp_ihdl, &data->addr, data->len);

	} else {

		mdss_mdp_put_img(data);

drivers/video/msm/mdss/mdss_mdp_wb.c

+2 −2
Original line number Diff line number Diff line
@@ -450,7 +450,7 @@ static struct mdss_mdp_wb_data *get_user_node(struct msm_fb_data_type *mfd, 
		goto register_fail;

	}



	pr_debug("register node mem_id=%d offset=%u addr=0x%pa len=%d\n",

	pr_debug("register node mem_id=%d offset=%u addr=0x%pa len=%lu\n",

		 data->memory_id, data->offset, &buf->addr, buf->len);



	return node;
@@ -580,7 +580,7 @@ static int mdss_mdp_wb_dequeue(struct msm_fb_data_type *mfd, 
		memcpy(data, &node->buf_info, sizeof(*data));



		buf = &node->buf_data.p[0];

		pr_debug("found node addr=%pa len=%d\n", &buf->addr, buf->len);

		pr_debug("found node addr=%pa len=%lu\n", &buf->addr, buf->len);

	} else {

		pr_debug("node is NULL, wait for next\n");

		ret = -ENOBUFS;