
video: driver: fix possible memory corruption issue

__flush_debug_queue() currently uses core->response_packet
or core->packet for flushing the debug queue. So these were
allocated only 4096 bytes, but in read_queue() boundaries
were checked against the VIDC_IFACEQ_VAR_HUGE_PKT_SIZE macro,
which is of size 1024 * 12 bytes.

So if the FW log packet size is between 4 KB and 12 KB, then
read_queue() allows memcpy() into core->response_packet
or core->packet, which leads to a redzone corruption issue
with adjacent alive/valid allocations, i.e. further leading to
a kernel panic in the kfree() sequence (during object validation).

Uploaded a change to use the same sizes during allocation and
read_queue() validation.

Change-Id: If82766c1479d7589605386f3e314ff2ccd97f6d0
Signed-off-by: Govindaraj Rajagopal <[email protected]>
Govindaraj Rajagopal 3 years ago
parent
commit cd4ea5b043
2 files changed with 2 additions and 2 deletions
  1. driver/vidc/inc/msm_vidc_internal.h (+1 -1)
  2. driver/vidc/src/msm_vidc_probe.c (+1 -1)
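To make the mismatch described in the commit message concrete, the following is a constructed C model added here; it is not the msm_vidc driver's code. It reuses only the two VIDC_IFACEQ_VAR_HUGE_PKT_SIZE values quoted in the diff and the 4096-byte allocation size; the queue layout (a 32-bit total-size header followed by payload), the function names, and the redzone that stands in for the neighbouring allocation are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the bug the commit message describes: the packet
 * buffer is allocated with one size while read_queue() validates the
 * incoming packet against a larger constant. This is not the msm_vidc
 * driver's code; the VIDC_IFACEQ_VAR_HUGE_PKT_SIZE values are the two
 * quoted in the diff, everything else is an assumption for illustration.
 */

#define PKT_ALLOC_SIZE        4096          /* core->packet_size before the fix */
#define HUGE_PKT_SIZE_BEFORE  (1024 * 12)   /* VIDC_IFACEQ_VAR_HUGE_PKT_SIZE before */
#define HUGE_PKT_SIZE_AFTER   (1024 * 4)    /* VIDC_IFACEQ_VAR_HUGE_PKT_SIZE after */

#define REDZONE_SIZE 64
#define REDZONE_FILL 0xA5

/*
 * One arena stands in for core->packet plus whatever the allocator placed
 * immediately after it. The redzone is the neighbour that gets clobbered;
 * keeping it inside the same array is what lets this run without UB.
 */
struct packet_arena {
    uint8_t mem[PKT_ALLOC_SIZE + REDZONE_SIZE];
};

struct scenario_result {
    int copied;       /* bytes read_queue_model() copied, or -1 if rejected */
    bool redzone_ok;  /* true if the bytes after the buffer survived */
};

static void arena_init(struct packet_arena *a)
{
    memset(a->mem, 0, PKT_ALLOC_SIZE);
    memset(a->mem + PKT_ALLOC_SIZE, REDZONE_FILL, REDZONE_SIZE);
}

static bool arena_redzone_ok(const struct packet_arena *a)
{
    for (size_t i = 0; i < REDZONE_SIZE; i++)
        if (a->mem[PKT_ALLOC_SIZE + i] != REDZONE_FILL)
            return false;
    return true;
}

/*
 * Minimal read_queue(): the packet starts with a 32-bit total size, and the
 * packet is copied into the driver's buffer only if that size passes `limit`.
 * The bug is entirely in which `limit` the caller passes.
 */
static int read_queue_model(uint8_t *packet_buf, const uint8_t *queue,
                            size_t queue_len, size_t limit)
{
    uint32_t size;

    if (queue_len < sizeof size)
        return -1;
    memcpy(&size, queue, sizeof size);
    if (size < sizeof size || size > queue_len || size > limit)
        return -1;                         /* malformed or oversized */
    memcpy(packet_buf, queue, size);       /* runs past the 4096-byte buffer when limit > buffer */
    return (int)size;
}

/* Feed one constructed FW log packet of 4 KB + 32 bytes through the model. */
static struct scenario_result scenario(size_t limit)
{
    static uint8_t queue[HUGE_PKT_SIZE_BEFORE];
    struct packet_arena arena;
    struct scenario_result r;
    uint32_t pkt_size = PKT_ALLOC_SIZE + 32;   /* 4 KB < size < 12 KB, fits the arena */

    memset(queue, 0x41, sizeof queue);         /* constructed payload */
    memcpy(queue, &pkt_size, sizeof pkt_size); /* size header first */
    arena_init(&arena);

    r.copied = read_queue_model(arena.mem, queue, sizeof queue, limit);
    r.redzone_ok = arena_redzone_ok(&arena);
    return r;
}

int main(void)
{
    struct scenario_result before = scenario(HUGE_PKT_SIZE_BEFORE);
    struct scenario_result after = scenario(HUGE_PKT_SIZE_AFTER);

    printf("check against 12 KB, buffer 4 KB: copied=%d redzone_ok=%d\n",
           before.copied, before.redzone_ok);
    printf("check against  4 KB, buffer 4 KB: copied=%d redzone_ok=%d\n",
           after.copied, after.redzone_ok);
    return 0;
}
```

With the 12 KB limit the 4128-byte packet is accepted and the 32 bytes past the buffer are overwritten; with the 4 KB limit the same packet is rejected and the redzone is untouched. The redzone is kept in the same array so the model stays well-defined C; with two separate heap allocations and KASAN or ASan enabled, the first case reports a heap-buffer-overflow at the memcpy(), which is the condition the commit message says surfaces later as a kfree() panic.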

+ 1 - 1
driver/vidc/inc/msm_vidc_internal.h

@@ -82,7 +82,7 @@
 #define VIDC_IFACEQ_MIN_PKT_SIZE                8
 #define VIDC_IFACEQ_VAR_SMALL_PKT_SIZE          100
 #define VIDC_IFACEQ_VAR_LARGE_PKT_SIZE          512
-#define VIDC_IFACEQ_VAR_HUGE_PKT_SIZE          (1024*12)
+#define VIDC_IFACEQ_VAR_HUGE_PKT_SIZE          (1024*4)
 
 #define NUM_MBS_PER_SEC(__height, __width, __fps) \
 	(NUM_MBS_PER_FRAME(__height, __width) * __fps)
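Review bot: shrinking VIDC_IFACEQ_VAR_HUGE_PKT_SIZE from (1024*12) to (1024*4) closes the mismatch from the restrictive side, but the commit message's own premise is that FW log packets between 4 KB and 12 KB do arrive, and after this change read_queue() will reject every packet in that range instead of copying it. Please confirm the firmware never emits log packets above 4 KB; if it can, the safer fix is to grow the allocation in msm_vidc_probe.c to (1024*12) and leave the validation bound alone. Either way, state what read_queue() does with a packet that fails the bound (drop it and advance the read index, or stall the queue), since that path is now reachable for any packet over 4 KB. A short comment next to the macro noting that it must stay in sync with core->packet_size would also help, because "HUGE" now reads oddly for a value equal to the 4 KB allocation it used to exceed.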

+ 1 - 1
driver/vidc/src/msm_vidc_probe.c

@@ -306,7 +306,7 @@ static int msm_vidc_initialize_core(struct msm_vidc_core *core)
 		goto exit;
 	}
 
-	core->packet_size = 4096;
+	core->packet_size = VIDC_IFACEQ_VAR_HUGE_PKT_SIZE;
 	rc = msm_vidc_vmem_alloc(core->packet_size,
 			(void **)&core->packet, "core packet");
 	if (rc)
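Review bot: only the core->packet allocation is tied to VIDC_IFACEQ_VAR_HUGE_PKT_SIZE here, while the commit message names core->response_packet as the other buffer __flush_debug_queue() copies into; that allocation is not in the diff, so please confirm it is also sized from the same constant (or from core->packet_size) rather than a literal 4096, otherwise the response path keeps the original bug. Also, replacing the hard-coded 4096 with the macro ties allocation and check to the same symbol, but read_queue() still compares against the macro on its own; having it compare against core->packet_size (the value this line sets and that msm_vidc_vmem_alloc() actually uses) would keep the two from drifting apart again if either constant is edited later.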