diff --git a/msm/eva/hfi_response_handler.c b/msm/eva/hfi_response_handler.c
index f5d153e238..5cfb66f535 100644
--- a/msm/eva/hfi_response_handler.c
+++ b/msm/eva/hfi_response_handler.c
@@ -628,7 +628,7 @@ static void hfi_process_sys_get_prop_image_version(
 int req_bytes;
 req_bytes = pkt->size - sizeof(*pkt);
- if (req_bytes < version_string_size ||
+ if (req_bytes < (signed int)version_string_size ||
 !pkt->rg_property_data[1] || pkt->num_properties > 1) {
 dprintk(CVP_ERR, "%s: bad_pkt: %d\n", __func__, req_bytes);
diff --git a/msm/eva/msm_cvp.c b/msm/eva/msm_cvp.c
index f30b6e929a..8d5620c047 100644
--- a/msm/eva/msm_cvp.c
+++ b/msm/eva/msm_cvp.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include "msm_cvp.h"
@@ -493,8 +493,18 @@ static int cvp_populate_fences( struct eva_kmd_hfi_packet *in_pkt,
 enum op_mode mode;
 struct cvp_buf_type *buf;
 bool override;
+ unsigned int total_fence_count = 0;
 int rc = 0;
+ cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
+ if (!offset || !num)
+ return 0;
+
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ rc = -EINVAL;
+ goto exit;
+ }
 override = get_pkt_fenceoverride((struct cvp_hal_session_cmd_pkt*)in_pkt);
@@ -585,7 +595,15 @@ kernel_fence:
 f->num_fences++;
 buf->fence_type &= ~INPUT_FENCE_BITMASK;
 buf->input_handle = 0;
+ total_fence_count++;
 }
+ if (buf->output_handle)
+ total_fence_count++;
+ }
+ if (total_fence_count > MAX_HFI_FENCE_SIZE) {
+ dprintk(CVP_ERR, "Invalid total_fence_count %d\n", total_fence_count);
+ rc = -EINVAL;
+ goto free_exit;
 }
 f->output_index = f->num_fences;
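Review bot: In hfi_process_sys_get_prop_image_version (msm/eva/hfi_response_handler.c) the new `(signed int)` cast makes the comparison signed, but `req_bytes = pkt->size - sizeof(*pkt)` on the line above still subtracts in unsigned arithmetic and depends on the wrapped result converting to a negative int. Rejecting a short packet before the subtraction states the intent directly and needs no cast, for example `if (pkt->size < sizeof(*pkt) || pkt->size - sizeof(*pkt) < version_string_size ||`. The declaration of version_string_size is not visible here, so the cast presumably narrows an unsigned type. The function body starts and ends outside the hunk.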
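Review bot: The offset check added to cvp_populate_fences (msm/eva/msm_cvp.c, hunk at -493) only sets a lower bound, keeping `offset` out of the session header. Nothing visible bounds `offset` plus the buffer entries that follow against the end of `pkt_data`, so confirm the callers enforce the upper end before `&in_pkt->pkt_data[offset]` is dereferenced. The same four lines are repeated in msm_cvp_unmap_user_persist, msm_cvp_map_user_persist and msm_cvp_map_frame in msm/eva/msm_cvp_buf.c, and a single static helper holding both bounds would keep the four sites from drifting apart. If `offset` is an unsigned type (its declaration is outside the hunks), the message should use `%u` rather than `%d`.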
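Review bot: The `total_fence_count > MAX_HFI_FENCE_SIZE` test after `kernel_fence:` in cvp_populate_fences runs only once the loop has finished, whereas `f->num_fences++` in the context lines advances once per input handle inside that loop. If the loop body, which starts outside this hunk, stores into a fixed-size fence array indexed by `f->num_fences`, that store happens before the limit is enforced. Testing inside the loop ahead of each increment, e.g. `if (total_fence_count >= MAX_HFI_FENCE_SIZE) { rc = -EINVAL; goto free_exit; }`, accepts the same packets and rejects the rest before any slot is used. `total_fence_count` is declared `unsigned int`, so its format specifier should be `%u`.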
@@ -1119,6 +1137,7 @@ static int msm_cvp_get_sysprop(struct msm_cvp_inst *inst,
 rc = dma_buf_fd(hfi->sfr.mem_data.dma_buf, O_RDONLY | O_CLOEXEC);
 if (rc < 0) {
 dprintk(CVP_WARN, "Failed get dma_buf fd %d\n", rc);
+ dma_buf_put(hfi->sfr.mem_data.dma_buf);
 break;
 }
diff --git a/msm/eva/msm_cvp_buf.c b/msm/eva/msm_cvp_buf.c
index f3a7876d9e..f135d5755f 100644
--- a/msm/eva/msm_cvp_buf.c
+++ b/msm/eva/msm_cvp_buf.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -536,11 +536,11 @@ int msm_cvp_map_buf_wncc(struct msm_cvp_inst *inst,
 }
 }
- list_add_tail(&cbuf->list, &inst->cvpwnccbufs.list);
 for (i = 0; i < EVA_KMD_WNCC_MAX_SRC_BUFS; i++) {
 if (inst->cvpwnccbufs_table[i].iova == 0) {
+ list_add_tail(&cbuf->list, &inst->cvpwnccbufs.list);
 inst->cvpwnccbufs_num++;
 inst->cvpwnccbufs_table[i].fd = buf->fd;
 inst->cvpwnccbufs_table[i].iova = smem->device_addr;
@@ -1781,6 +1781,10 @@ int msm_cvp_unmap_user_persist(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 for (i = 0; i < buf_num; i++) {
 buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
@@ -1815,6 +1819,10 @@ int msm_cvp_map_user_persist(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 for (i = 0; i < buf_num; i++) {
 buf = (struct cvp_buf_type *)&in_pkt->pkt_data[offset];
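Review bot: The added `dma_buf_put()` in msm_cvp_get_sysprop is balanced only if a reference on `hfi->sfr.mem_data.dma_buf` is taken just before `dma_buf_fd()`, and that acquire is not visible in this hunk. A one-line comment on the new call, such as `/* dma_buf_fd() failed, so no fd took over the reference acquired above */`, would make the pairing checkable in review. If no such acquire exists, this put drops a reference the driver still relies on for the SFR buffer. The enclosing case body starts and ends outside the hunk.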
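Review bot: With `list_add_tail()` moved inside the `iova == 0` branch of msm_cvp_map_buf_wncc, `cbuf` is linked only when a free table slot is found, so on the table-full path it is never placed on `inst->cvpwnccbufs.list`. That path is outside the hunk; confirm it still unmaps and frees `cbuf`, because nothing can reach it through the list afterwards. A short comment above the moved call, e.g. `/* link cbuf only once a table slot is claimed, so the table-full path can free it without leaving a stale list node */`, would record why the order matters. The loop body continues past the end of the hunk.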
@@ -1857,6 +1865,10 @@ int msm_cvp_map_frame(struct msm_cvp_inst *inst,
 if (!offset || !buf_num)
 return 0;
+ if (offset < (sizeof(struct cvp_hfi_cmd_session_hdr)/sizeof(u32))) {
+ dprintk(CVP_ERR, "%s: Incorrect offset in cmd %d\n", __func__, offset);
+ return -EINVAL;
+ }
 cmd_hdr = (struct cvp_hfi_cmd_session_hdr *)in_pkt;
 ktid = atomic64_inc_return(&inst->core->kernel_trans_id);
 ktid &= (FENCE_BIT - 1);