
msm: eva: Added check for valid buffer offset

Check whether the total number of kernel fences is within the limit.

Change-Id: Ibeaeca085bea9942dcab0fa2ad574c717d2cc104
Signed-off-by: Palak Joshi <[email protected]>
Palak Joshi před 10 měsíci
rodič
revize
3bc875b30c
2 změnil soubory, kde provedl 32 přidání a 2 odebrání
  1. 19 1
      msm/eva/msm_cvp.c
  2. 13 1
      msm/eva/msm_cvp_buf.c

+ 19 - 1
msm/eva/msm_cvp.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include "msm_cvp.h"
@@ -493,8 +493,18 @@ static int cvp_populate_fences( struct eva_kmd_hfi_packet *in_pkt,
 	enum op_mode mode;
 	struct cvp_buf_type *buf;
 	bool override;
+	unsigned int total_fence_count = 0;
 
 	int rc = 0;
+	cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
+	if (!offset || !num)
+		return 0;
+
+	if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+		dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+		rc = -EINVAL;
+		goto exit;
+	}
 
 	override = get_pkt_fenceoverride((struct cvp_hal_session_cmd_pkt*)in_pkt);
 
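Review bot: The check added to cvp_populate_fences rejects an `offset` that lands inside the session header but sets no upper bound, so an `offset` (or `offset` plus `num` buffer descriptors) beyond the end of the packet still passes. The same lower-bound-only check is added in msm_cvp_unmap_user_persist, msm_cvp_map_user_persist and msm_cvp_map_frame, where `offset` is then used directly as `&in_pkt->pkt_data[offset]`. Unless an upper bound is already enforced outside these hunks, add one next to the new test, e.g. `if (offset >= ARRAY_SIZE(in_pkt->pkt_data)) { rc = -EINVAL; goto exit; }` (assuming `pkt_data` is a fixed-size array), and extend it to cover all `num` entries. The function body starts before and continues after this hunk.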
@@ -585,7 +595,15 @@ kernel_fence:
 			f->num_fences++;
 			buf->fence_type &= ~INPUT_FENCE_BITMASK;
 			buf->input_handle = 0;
+			total_fence_count++;
 		}
+		if (buf->output_handle)
+			total_fence_count++;
+	}
+	if (total_fence_count > MAX_HFI_FENCE_SIZE) {
+		dprintk(CVP_ERR, "Invalid total_fence_count %d\n", total_fence_count);
+		rc = -EINVAL;
+		goto free_exit;
 	}
 	f->output_index = f->num_fences;
 
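Review bot: `total_fence_count` is compared with `MAX_HFI_FENCE_SIZE` only after the loop has finished, so whatever the loop stores per fence has already happened by the time an oversized count is rejected. The visible lines increment `f->num_fences`; the rest of the loop body is outside the hunk. If that body writes into a fixed-size fence array, move the limit test inside the loop ahead of the store, or count the handles in a separate first pass. Separately, `total_fence_count` is declared `unsigned int`, so the message should use `%u`: `dprintk(CVP_ERR, "Invalid total_fence_count %u\n", total_fence_count);`.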

+ 13 - 1
msm/eva/msm_cvp_buf.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/pid.h>
@@ -1781,6 +1781,10 @@ int msm_cvp_unmap_user_persist(struct msm_cvp_inst *inst,
 	if (!offset || !buf_num)
 		return 0;
 
+	if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+		dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+		return -EINVAL;
+	}
 	cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 	for (i = 0; i < buf_num; i++) {
 		buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
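Review bot: The four-line offset check added here is pasted verbatim into msm_cvp_map_user_persist, msm_cvp_map_frame and cvp_populate_fences; one shared helper would keep this packet validation in a single place, so a later tightening cannot miss a copy. For example, a `static inline bool` helper (name to be chosen) returning `offset >= sizeof(struct cvp_hfi_cmd_session_hdr) / sizeof(u32)`. It should carry a comment such as `/* offset counts u32 words from the start of the packet; buffer descriptors must not overlap the session header */`. The unit of `offset` is inferred from the `sizeof(u32)` division and should be confirmed against the callers.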
@@ -1815,6 +1819,10 @@ int msm_cvp_map_user_persist(struct msm_cvp_inst *inst,
 	if (!offset || !buf_num)
 		return 0;
 
+	if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+		dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+		return -EINVAL;
+	}
 	cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 	for (i = 0; i < buf_num; i++) {
 		buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
@@ -1857,6 +1865,10 @@ int msm_cvp_map_frame(struct msm_cvp_inst *inst,
 	if (!offset || !buf_num)
 		return 0;
 
+	if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+		dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+		return -EINVAL;
+	}
 	cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 	ktid = atomic64_inc_return(&inst->core->kernel_trans_id);
 	ktid &= (FENCE_BIT - 1);