Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4145ae35 authored by Suprith Malligere Shankaregowda's avatar Suprith Malligere Shankaregowda
Browse files

msm: ais: Handling bigger value than upper bound in msm_cpp_irq api 



 In msm_cpp_irq function, tx_level is read using msm_carmera_io_r(),
 However, this value is never verified to lower than
 MSM_CPP_TX_FIFO_LEVEL (16), As tx_level is used as the upper bound
 for the following loop, any value bigger than 16 will result in a
 buffer overflow. Hence handling this case as error with error log.

Change-Id: I1a922b0c14bb1a79297e71a6e5dda476042b5414
Signed-off-by: default avatarSuprith Malligere Shankaregowda <supgow@codeaurora.org>
parent 203023cb

drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c

+10 −4
Original line number Diff line number Diff line 
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -836,10 +836,15 @@ static irqreturn_t msm_cpp_irq(int irq_num, void *data) 
	if (irq_status & 0x8) {

		tx_level = msm_camera_io_r(cpp_dev->base +

			MSM_CPP_MICRO_FIFO_TX_STAT) >> 2;

		if (tx_level < MSM_CPP_TX_FIFO_LEVEL) {

			for (i = 0; i < tx_level; i++) {

				tx_fifo[i] = msm_camera_io_r(cpp_dev->base +

					MSM_CPP_MICRO_FIFO_TX_DATA);

			}

		} else {

			pr_err("Fatal invalid tx level %d", tx_level);

			goto err;

		}

		spin_lock_irqsave(&cpp_dev->tasklet_lock, flags);

		queue_cmd = &cpp_dev->tasklet_queue_cmd[cpp_dev->taskletq_idx];

		if (queue_cmd->cmd_used) {
@@ -893,6 +898,7 @@ static irqreturn_t msm_cpp_irq(int irq_num, void *data) 
		pr_debug("DEBUG_R1: 0x%x\n",

			msm_camera_io_r(cpp_dev->base + 0x8C));

	}

err:

	msm_camera_io_w(irq_status, cpp_dev->base + MSM_CPP_MICRO_IRQGEN_CLR);

	return IRQ_HANDLED;

}