
Commit 2836936c authored by Govindaraj Rajagopal's avatar Govindaraj Rajagopal Committed by Gerrit - the friendly Code Review server

msm: vidc: remove additional checks in response_handler



There is a possibility of OOB access on device->response_pkt in
__response_handler. For example, if the msg queue contains 1000
messages and all 1000 were read, the queue is empty, so the
__get_q_size API will return zero and _iface_msgq_read
will go in an infinite loop, even if packet_count
== max_packets.

Change-Id: I3c0fb095feff0ba5d4d6dab65ed9d5111f1b6f05
Signed-off-by: default avatarGovindaraj Rajagopal <grajagop@codeaurora.org>
parent cd0018e7
+1 −30
@@ -2288,34 +2288,6 @@ static int venus_hfi_core_release(void *dev)
	return rc;
}

static int __get_q_size(struct venus_hfi_device *dev, unsigned int q_index)
{
	struct hfi_queue_header *queue;
	struct vidc_iface_q_info *q_info;
	u32 write_ptr, read_ptr;

	if (q_index >= VIDC_IFACEQ_NUMQ) {
		dprintk(VIDC_ERR, "Invalid q index: %d\n", q_index);
		return -ENOENT;
	}

	q_info = &dev->iface_queues[q_index];
	if (!q_info) {
		dprintk(VIDC_ERR, "cannot read shared Q's\n");
		return -ENOENT;
	}

	queue = (struct hfi_queue_header *)q_info->q_hdr;
	if (!queue) {
		dprintk(VIDC_ERR, "queue not present\n");
		return -ENOENT;
	}

	write_ptr = (u32)queue->qhdr_write_idx;
	read_ptr = (u32)queue->qhdr_read_idx;
	return read_ptr - write_ptr;
}

static void __core_clear_interrupt(struct venus_hfi_device *device)
{
	u32 intr_status = 0;
@@ -3601,8 +3573,7 @@ static int __response_handler(struct venus_hfi_device *device)
			*session_id = session->session_id;
		}

		if (packet_count >= max_packets &&
				__get_q_size(device, VIDC_IFACEQ_MSGQ_IDX)) {
		if (packet_count >= max_packets) {
			dprintk(VIDC_WARN,
					"Too many packets in message queue to handle at once, deferring read\n");
			break;
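Review bot: The now-unconditional `if (packet_count >= max_packets)` guard is, per the commit description, what keeps writes into `device->response_pkt` in bounds, but nothing at the check says so. The removed `__get_q_size()` clause shows how easily an extra condition can weaken it, so I would add a comment above it such as `/* Sole bound on device->response_pkt; must not depend on queue state. */`. The body of `__response_handler` starts and ends outside this hunk, so the indexing of `response_pkt` and the increment of `packet_count` are not visible here. It is worth confirming that `max_packets` equals the number of entries allocated for `response_pkt` and that this check is reached before the next entry is written.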