import PULS_20180308

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / drivers / misc / mediatek / cmdq / cmdq_driver.c

diff --git a/drivers/misc/mediatek/cmdq/cmdq_driver.c b/drivers/misc/mediatek/cmdq/cmdq_driver.c
index 312fb55413750d998fc738fa0025cff65aa5f3f8..d0440b06210d40b7554e28666300203dcbefc831 100644 (file)
--- a/drivers/misc/mediatek/cmdq/cmdq_driver.c
+++ b/drivers/misc/mediatek/cmdq/cmdq_driver.c
@@ -41,6 +41,10 @@ static const struct of_device_id cmdq_of_ids[] = {
 };
 #endif
 
+#define CMDQ_MAX_DUMP_REG_COUNT (2048)
+#define CMDQ_MAX_COMMAND_SIZE  (0x10000)
+#define CMDQ_MAX_WRITE_ADDR_COUNT      (PAGE_SIZE / sizeof(u32))
+
 static dev_t gCmdqDevNo;
 static struct cdev *gCmdqCDev;
 static struct class *gCMDQClass;
@@ -185,6 +189,8 @@ static int cmdq_driver_create_reg_address_buffer(cmdqCommandStruct *pCommand)
        }
 
        /* how many register to dump? */
+       if (kernelRegCount > CMDQ_MAX_DUMP_REG_COUNT || userRegCount > CMDQ_MAX_DUMP_REG_COUNT)
+               return -EINVAL;
        totalRegCount = kernelRegCount + userRegCount;
 
        if (0 == totalRegCount) {
@@ -237,6 +243,7 @@ static void cmdq_driver_process_read_address_request(cmdqReadAddressStruct *req_
        do {
                if (NULL == req_user ||
                    0 == req_user->count ||
+                       req_user->count > CMDQ_MAX_DUMP_REG_COUNT ||
                    NULL == req_user->values || NULL == req_user->dmaAddresses) {
                        CMDQ_ERR("[READ_PA] invalid req_user\n");
                        break;
@@ -364,6 +371,9 @@ static long cmdq_driver_process_command_request(cmdqCommandStruct *pCommand)
                return -EFAULT;
        }
 
+       if (pCommand->regRequest.count > CMDQ_MAX_DUMP_REG_COUNT)
+               return -EINVAL;
+
        /* allocate secure medatata */
        status = cmdq_driver_create_secure_medadata(pCommand);
        if (0 != status) {
@@ -458,6 +468,11 @@ static long cmdq_ioctl(struct file *pFile, unsigned int code, unsigned long para
                        return -EFAULT;
                }
 
+               if (command.regRequest.count > CMDQ_MAX_DUMP_REG_COUNT ||
+                       !command.blockSize ||
+                       command.blockSize > CMDQ_MAX_COMMAND_SIZE)
+                       return -EINVAL;
+
                /* insert private_data for resource reclaim */
                command.privateData = (void *)pFile->private_data;
 
@@ -480,6 +495,9 @@ static long cmdq_ioctl(struct file *pFile, unsigned int code, unsigned long para
                        return -EFAULT;
                }
 
+               if (job.command.blockSize > CMDQ_MAX_COMMAND_SIZE)
+                       return -EINVAL;
+
                /* not support secure path for async ioctl yet */
                if (true == job.command.secData.isSecure) {
                        CMDQ_ERR("not support secure path for CMDQ_IOCTL_ASYNC_JOB_EXEC\n");
@@ -537,6 +555,8 @@ static long cmdq_ioctl(struct file *pFile, unsigned int code, unsigned long para
                        return -EFAULT;
                }
                pTask = (TaskStruct *)(unsigned long)jobResult.hJob;
+               if (pTask->regCount > CMDQ_MAX_DUMP_REG_COUNT)
+                       return -EINVAL;
 
                /* utility service, fill the engine flag. */
                /* this is required by MDP. */
@@ -632,6 +652,13 @@ static long cmdq_ioctl(struct file *pFile, unsigned int code, unsigned long para
                                return -EFAULT;
                        }
 
+                       if (!addrReq.count || addrReq.count > CMDQ_MAX_WRITE_ADDR_COUNT) {
+                               CMDQ_ERR(
+                                       "CMDQ_IOCTL_ALLOC_WRITE_ADDRESS invalid alloc write addr count:%u\n",
+                                       addrReq.count);
+                               return -EINVAL;
+                       }
+
                        status = cmdqCoreAllocWriteAddress(addrReq.count, &paStart);
                        if (0 != status) {
                                CMDQ_ERR