disp: msm: sde: add out of bounds check for dnsc_blur & wb cache

Add bound check for number of dnsc_blur blocks, while parsing from
device tree. Fix out of bound access while setting the llcc_active
during system cache disable case in writeback.

Change-Id: I7e604db5ebfaa6e8b6f066e0f6efb76e7d78e604
Signed-off-by: Veera Sundaram Sankaran <[email protected]>

msm/sde/sde_encoder_phys_wb.c

@@ -1101,6 +1101,7 @@ static void _sde_encoder_phys_wb_setup_sys_cache(struct sde_encoder_phys *phys_e
 	struct sde_sc_cfg *sc_cfg;
 	struct sde_hw_wb_sc_cfg *cfg  = &wb_enc->sc_cfg;
 	u32 cache_enable, cache_flag, cache_rd_type, cache_wr_type;
+	int i;
 
 	if (!fb) {
 		SDE_ERROR("invalid fb on wb %d\n", WBID(wb_enc));
@@ -1162,9 +1163,13 @@ static void _sde_encoder_phys_wb_setup_sys_cache(struct sde_encoder_phys *phys_e
 	 * avoid llcc_active reset for crtc while in clone mode as it will reset it for
 	 * primary display as well
 	 */
-	if (cache_enable || !phys_enc->in_clone_mode) {
-		sde_crtc->new_perf.llcc_active[cache_wr_type] = cache_enable;
-		sde_crtc->new_perf.llcc_active[cache_rd_type] = cache_enable;
+	if (cache_enable) {
+		sde_crtc->new_perf.llcc_active[cache_wr_type] = true;
+		sde_crtc->new_perf.llcc_active[cache_rd_type] = true;
+		sde_core_perf_crtc_update_llcc(wb_enc->crtc);
+	} else if (!phys_enc->in_clone_mode) {
+		for (i = 0; i < SDE_SYS_CACHE_MAX; i++)
+			sde_crtc->new_perf.llcc_active[i] = false;
 		sde_core_perf_crtc_update_llcc(wb_enc->crtc);
 	}
 

msm/sde/sde_hw_catalog.c

@@ -3377,6 +3377,12 @@ static int sde_dnsc_blur_parse_dt(struct device_node *np, struct sde_mdss_cfg *s
 	if (rc)
 		goto end;
 
+	if (off_count > DNSC_BLUR_MAX_COUNT) {
+		SDE_ERROR("invalid dnsc_blur block count:%d\n", off_count);
+		rc = -EINVAL;
+		goto end;
+	}
+
 	sde_cfg->dnsc_blur_count = off_count;
 
 	rc = _read_dt_entry(np, dnsc_blur_prop, ARRAY_SIZE(dnsc_blur_prop), prop_count,