diff options
| author | Jeonghee Kim <jhhhh.kim@samsung.com> | 2023-07-26 10:17:45 +0900 |
|---|---|---|
| committer | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | 2023-07-27 08:22:24 +0000 |
| commit | 4c474438ed651141d040583a3748d20ef01e9122 (patch) | |
| tree | abfd831361e863a9b77d07bf42ae4f115c4a92da | |
| parent | 846bd39ccf6c1e8f8d579224ec70c0233c1d3252 (diff) | |
| download | gs-4c474438ed651141d040583a3748d20ef01e9122.tar.gz | |
media: mfc: prevent the consumed size from becoming negative
BUG: 292442146
Change-Id: I1d653635a86f41462397770f4778d06576684591
Signed-off-by: Jeonghee Kim <jhhhh.kim@samsung.com>
| -rw-r--r-- | drivers/media/platform/exynos/mfc/mfc_core_nal_q.c | 1 | ||||
| -rw-r--r-- | drivers/media/platform/exynos/mfc/mfc_queue.c | 8 | ||||
| -rw-r--r-- | drivers/media/platform/exynos/mfc/mfc_utils.h | 20 |
3 files changed, 23 insertions, 6 deletions
diff --git a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c index 87e35b55c..28eef5f7c 100644 --- a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c +++ b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c @@ -2245,6 +2245,7 @@ static void __mfc_core_nal_q_handle_frame_input(struct mfc_core *core, struct mf src_mb = mfc_get_del_buf(ctx, &ctx->src_buf_nal_queue, MFC_BUF_NO_TOUCH_USED); if (src_mb) vb2_buffer_done(&src_mb->vb.vb2_buf, VB2_BUF_STATE_DONE); + dec->consumed = 0; } /* Check multi-frame */ diff --git a/drivers/media/platform/exynos/mfc/mfc_queue.c b/drivers/media/platform/exynos/mfc/mfc_queue.c index 9a0592a26..32ae2e434 100644 --- a/drivers/media/platform/exynos/mfc/mfc_queue.c +++ b/drivers/media/platform/exynos/mfc/mfc_queue.c @@ -137,9 +137,11 @@ struct mfc_buf *mfc_get_del_if_consumed(struct mfc_ctx *ctx, struct mfc_buf_queu mfc_debug(2, "addr[0]: 0x%08llx\n", mfc_buf->addr[0][0]); - strm_size = mfc_dec_get_strm_size(ctx, mfc_buf), - remained = strm_size - consumed; - if (consumed > strm_size) { + strm_size = mfc_dec_get_strm_size(ctx, mfc_buf); + if (strm_size >= consumed) { + remained = strm_size - consumed; + } else { + remained = 0; exceed = true; mfc_ctx_err("[MULTIFRAME] consumed (%d) exceeded the strm_size (%d)\n", consumed, strm_size); diff --git a/drivers/media/platform/exynos/mfc/mfc_utils.h b/drivers/media/platform/exynos/mfc/mfc_utils.h index 2c48e5c18..9a04486d3 100644 --- a/drivers/media/platform/exynos/mfc/mfc_utils.h +++ b/drivers/media/platform/exynos/mfc/mfc_utils.h @@ -199,9 +199,23 @@ static inline u32 mfc_dec_get_strm_size(struct mfc_ctx *ctx, struct mfc_buf *src * And the dec->consumed is cumulate-decoded size. */ vb_plane = &src_mb->vb.vb2_buf.planes[0]; - strm_size = vb_plane->bytesused - vb_plane->data_offset; - if (dec->consumed) - strm_size -= dec->consumed; + if (vb_plane->bytesused > vb_plane->data_offset) { + strm_size = vb_plane->bytesused - vb_plane->data_offset; + } else { + strm_size = vb_plane->bytesused; + mfc_ctx_err("[STREAM] invalid offset (bytesused %d, data_offset: %d)\n", + vb_plane->bytesused, vb_plane->data_offset); + } + + if (dec->consumed) { + if (strm_size > dec->consumed) { + strm_size -= dec->consumed; + } else { + dec->consumed = 0; + mfc_ctx_err("[STREAM] invalid consumed (strm_size: %d, consumed: %d)", + strm_size, dec->consumed); + } + } mfc_debug(2, "[STREAM] strm_size: %d (bytesused %d, data_offset %d, consumed %d)\n", strm_size, vb_plane->bytesused, vb_plane->data_offset, dec->consumed); |