From a98c0c65522b04a7adf81386eab1f64e5b42526a Mon Sep 17 00:00:00 2001 From: Pratap Nirujogi Date: Wed, 8 Aug 2018 20:43:29 +0530 Subject: [PATCH] msm: camera: cpp: Check for valid tx level TX and RX FIFOs of Microcontroller are used to exchange commands and messages between Micro FW and CPP driver. TX FIFO depth is 16 32-bit words, incase of errors there is a chance of overflow. To prevent possible out of bound access, TX FIFO depth or level is checked for MAX depth before accessing the FIFO. Change-Id: I5adf39b46ff10e358c4a2c03a2de07d44b99cedb Signed-off-by: Pratap Nirujogi --- .../media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c index 53a01aff4bdd..4b5671cd9c28 100644 --- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c @@ -958,9 +958,14 @@ static irqreturn_t msm_cpp_irq(int irq_num, void *data) if (irq_status & 0x8) { tx_level = msm_camera_io_r(cpp_dev->base + MSM_CPP_MICRO_FIFO_TX_STAT) >> 2; - for (i = 0; i < tx_level; i++) { - tx_fifo[i] = msm_camera_io_r(cpp_dev->base + - MSM_CPP_MICRO_FIFO_TX_DATA); + if (tx_level < MSM_CPP_TX_FIFO_LEVEL) { + for (i = 0; i < tx_level; i++) { + tx_fifo[i] = msm_camera_io_r(cpp_dev->base + + MSM_CPP_MICRO_FIFO_TX_DATA); + } + } else { + pr_err("Fatal invalid tx level %d", tx_level); + goto err; } spin_lock_irqsave(&cpp_dev->tasklet_lock, flags); queue_cmd = &cpp_dev->tasklet_queue_cmd[cpp_dev->taskletq_idx]; @@ -1015,6 +1020,7 @@ static irqreturn_t msm_cpp_irq(int irq_num, void *data) pr_debug("DEBUG_R1: 0x%x\n", msm_camera_io_r(cpp_dev->base + 0x8C)); } +err: msm_camera_io_w(irq_status, cpp_dev->base + MSM_CPP_MICRO_IRQGEN_CLR); return IRQ_HANDLED; }