From 47eb93ed08a23efb7ae8d3719797d8241091d232 Mon Sep 17 00:00:00 2001
From: Srihitha Tangudu <quic_tangudu@quicinc.com>
Date: Mon, 27 Jun 2022 12:33:35 +0530
Subject: [PATCH] disp: msm: dsi: handle case where panel sends more bytes than
 requested

Reset number of bytes read from panel to the expected value when panel
sends more bytes than requested during DSI read. This can otherwise lead
to negative value of repeated bytes and array out of bounds access.

Change-Id: I9310c521a862108940142ba7c1a8c39838be0f79
Signed-off-by: Srihitha Tangudu <quic_tangudu@quicinc.com>
---
 msm/dsi/dsi_ctrl_hw_cmn.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/msm/dsi/dsi_ctrl_hw_cmn.c b/msm/dsi/dsi_ctrl_hw_cmn.c
index f4886ee986..787d259022 100644
--- a/msm/dsi/dsi_ctrl_hw_cmn.c
+++ b/msm/dsi/dsi_ctrl_hw_cmn.c
@@ -1046,6 +1046,24 @@ u32 dsi_ctrl_hw_cmn_get_cmd_read_data(struct dsi_ctrl_hw *ctrl,
 		return 0;
 	}
 
+	/*
+	 * Large read_cnt value can lead to negative repeated_bytes value
+	 * and array out of bounds access of read buffer.
+	 * Avoid this by resetting read_cnt to expected value when panel
+	 * sends more bytes than expected.
+	 */
+	if (rx_byte == 4 && read_cnt > 4) {
+		DSI_CTRL_HW_INFO(ctrl,
+			"Expected %u bytes for short read but received %u bytes\n",
+			rx_byte, read_cnt);
+		read_cnt = rx_byte;
+	} else if (rx_byte == 16 && read_cnt > (pkt_size + 6)) {
+		DSI_CTRL_HW_INFO(ctrl,
+			"Expected %u bytes for long read but received %u bytes\n",
+			pkt_size + 6, read_cnt);
+		read_cnt = pkt_size + 6;
+	}
+
 	if (read_cnt > 16) {
 		int bytes_shifted, data_lost = 0, rem_header = 0;