diff --git a/msm/eva/msm_cvp.c b/msm/eva/msm_cvp.c index f30b6e929a..b4afdeaf29 100644 --- a/msm/eva/msm_cvp.c +++ b/msm/eva/msm_cvp.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include "msm_cvp.h" @@ -493,8 +493,18 @@ static int cvp_populate_fences( struct eva_kmd_hfi_packet *in_pkt, enum op_mode mode; struct cvp_buf_type *buf; bool override; + unsigned int total_fence_count = 0; int rc = 0; + cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt; + if (!offset || !num) + return 0; + + if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) { + dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset); + rc = -EINVAL; + goto exit; + } override = get_pkt_fenceoverride((struct cvp_hal_session_cmd_pkt*)in_pkt); @@ -585,7 +595,15 @@ kernel_fence: f->num_fences++; buf->fence_type &= ~INPUT_FENCE_BITMASK; buf->input_handle = 0; + total_fence_count++; } + if (buf->output_handle) + total_fence_count++; + } + if (total_fence_count > MAX_HFI_FENCE_SIZE) { + dprintk(CVP_ERR, "Invalid total_fence_count %d\n", total_fence_count); + rc = -EINVAL; + goto free_exit; } f->output_index = f->num_fences; diff --git a/msm/eva/msm_cvp_buf.c b/msm/eva/msm_cvp_buf.c index f3a7876d9e..288b408904 100644 --- a/msm/eva/msm_cvp_buf.c +++ b/msm/eva/msm_cvp_buf.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -1781,6 +1781,10 @@ int msm_cvp_unmap_user_persist(struct msm_cvp_inst *inst, if (!offset || !buf_num) return 0; + if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) { + dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset); + return -EINVAL; + } cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt; for (i = 0; i < buf_num; i++) { buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset]; @@ -1815,6 +1819,10 @@ int msm_cvp_map_user_persist(struct msm_cvp_inst *inst, if (!offset || !buf_num) return 0; + if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) { + dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset); + return -EINVAL; + } cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt; for (i = 0; i < buf_num; i++) { buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset]; @@ -1857,6 +1865,10 @@ int msm_cvp_map_frame(struct msm_cvp_inst *inst, if (!offset || !buf_num) return 0; + if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) { + dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset); + return -EINVAL; + } cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt; ktid = atomic64_inc_return(&inst->core->kernel_trans_id); ktid &= (FENCE_BIT - 1);