msm: vidc: Allocate bus vote data memory correctly
Allocate bus vote data memory in probe and free in remove.
This makes vote data allocated once and accessible all the
times. Allocate vote data for correct length. Protect vote
data with core->lock for use-after-free issues.
CRs-Fixed: 2073885
Change-Id: I72c8996176a082997948fb327cfdc279474c793c
Signed-off-by: Karthikeyan Periasamy <kperiasa@codeaurora.org>
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
diff --git a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
index 8c63469..54766a2 100644
--- a/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
+++ b/drivers/media/platform/msm/vidc/msm_v4l2_vidc.c
@@ -347,6 +347,14 @@
}
INIT_DELAYED_WORK(&core->fw_unload_work, msm_vidc_fw_unload_handler);
+
+ mutex_lock(&core->lock);
+ core->vote_data = kcalloc(MAX_SUPPORTED_INSTANCES,
+ sizeof(*core->vote_data), GFP_KERNEL);
+ if (!core->vote_data)
+ dprintk(VIDC_ERR, "%s: failed to allocate memory\n", __func__);
+ mutex_unlock(&core->lock);
+
return rc;
}
diff --git a/drivers/media/platform/msm/vidc/msm_vidc_clocks.c b/drivers/media/platform/msm/vidc/msm_vidc_clocks.c
index 4327309..9c6bf42 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc_clocks.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc_clocks.c
@@ -139,15 +139,16 @@
hdev = core->device;
+ mutex_lock(&core->lock);
vote_data = core->vote_data;
if (!vote_data) {
dprintk(VIDC_PROF,
"Failed to get vote_data for inst %pK\n",
inst);
+ mutex_unlock(&core->lock);
return -EINVAL;
}
- mutex_lock(&core->lock);
list_for_each_entry(inst, &core->instances, list) {
int codec = 0;
struct msm_vidc_buffer *temp, *next;
@@ -157,6 +158,7 @@
if (!inst) {
dprintk(VIDC_ERR, "%s Invalid args\n",
__func__);
+ mutex_unlock(&core->lock);
return -EINVAL;
}
diff --git a/drivers/media/platform/msm/vidc/msm_vidc_common.c b/drivers/media/platform/msm/vidc/msm_vidc_common.c
index ee538a9..160a63d 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc_common.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc_common.c
@@ -35,8 +35,6 @@
V4L2_EVENT_MSM_VIDC_RELEASE_BUFFER_REFERENCE
#define L_MODE V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_DISABLED_AT_SLICE_BOUNDARY
-#define MAX_SUPPORTED_INSTANCES 16
-
const char *const mpeg_video_vidc_extradata[] = {
"Extradata none",
"Extradata MB Quantization",
@@ -957,8 +955,8 @@
/* This should come from sys_init_done */
core->resources.max_inst_count =
sys_init_msg->max_sessions_supported ?
- sys_init_msg->max_sessions_supported :
- MAX_SUPPORTED_INSTANCES;
+ min_t(u32, sys_init_msg->max_sessions_supported,
+ MAX_SUPPORTED_INSTANCES) : MAX_SUPPORTED_INSTANCES;
core->resources.max_secure_inst_count =
core->resources.max_secure_inst_count ?
@@ -979,11 +977,6 @@
__func__, core->codec_count, core->enc_codec_supported,
core->dec_codec_supported);
- core->vote_data = kcalloc(MAX_SUPPORTED_INSTANCES,
- sizeof(core->vote_data), GFP_KERNEL);
- if (!core->vote_data)
- dprintk(VIDC_ERR, "%s: failed to allocate memory\n", __func__);
-
complete(&(core->completions[index]));
}
diff --git a/drivers/media/platform/msm/vidc/msm_vidc_internal.h b/drivers/media/platform/msm/vidc/msm_vidc_internal.h
index e554a46..fe9a472 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc_internal.h
+++ b/drivers/media/platform/msm/vidc/msm_vidc_internal.h
@@ -49,6 +49,7 @@
#define MAX_NUM_OUTPUT_BUFFERS VIDEO_MAX_FRAME // same as VB2_MAX_FRAME
#define MAX_NUM_CAPTURE_BUFFERS VIDEO_MAX_FRAME // same as VB2_MAX_FRAME
+#define MAX_SUPPORTED_INSTANCES 16
/* Maintains the number of FTB's between each FBD over a window */
#define DCVS_FTB_WINDOW 16