media: mfc: add refcnt condition check to avoid OOB am: 5b865ae244

Original change: https://partner-android-review.googlesource.com/c/kernel/private/gs-google/+/2758437 Change-Id: I017d85c21e9d225dba43ab4acd9d983f99fc042e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
author: Seungchul Kim <sc377.kim@samsung.com> 2024-03-05 11:19:51 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> 2024-03-05 11:19:51 +0000
commit: 97c5e34862f9a5c236aae7e1ab9035da1569a675 (patch)
tree: 385b1661f86c331043567356fd1ff7976d5ad1e9
parent: ce2b203b036535c1d40aecf3eab232adfaf04e68 (diff)
parent: 5b865ae2443f8367220cc9e3cf2c8e3dd9e02743 (diff)
download: gs-97c5e34862f9a5c236aae7e1ab9035da1569a675.tar.gz
2 files changed, 16 insertions, 8 deletions
diff --git a/drivers/media/platform/exynos/mfc/mfc_core_isr.c b/drivers/media/platform/exynos/mfc/mfc_core_isr.c
index fbbfcd08f6c9..0276c4d06c5a 100644
--- a/drivers/media/platform/exynos/mfc/mfc_core_isr.c
+++ b/drivers/media/platform/exynos/mfc/mfc_core_isr.c
@@ -194,7 +194,8 @@ static void __mfc_handle_frame_unused_output(struct mfc_core *core, struct mfc_c
 				UNUSED_TAG);
 
 		dec->ref_buf[dec->refcnt].fd[0] = mfc_buf->vb.vb2_buf.planes[0].m.fd;
-		dec->refcnt++;
+		if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+			dec->refcnt++;
 
 		vb2_buffer_done(&mfc_buf->vb.vb2_buf, VB2_BUF_STATE_DONE);
 		mfc_debug(2, "[DPB] dst index [%d][%d] fd: %d is buffer done (not used)\n",
@@ -594,7 +595,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 			dec->dpb[i].ref = 0;
 			if (dec->dpb[i].queued && (dec->dpb[i].new_fd != -1)) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[REFINFO] Queued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				dec->dpb[i].fd[0] = dec->dpb[i].new_fd;
@@ -603,7 +605,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 						i, dec->dpb[i].fd[0]);
 			} else if (!dec->dpb[i].queued) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[REFINFO] Dqueued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				/*
@@ -629,7 +632,8 @@ static void __mfc_handle_released_buf(struct mfc_core *core, struct mfc_ctx *ctx
 		if (!(dec->dynamic_used & (1UL << i)) && dec->dpb[i].mapcnt
 				&& !dec->dpb[i].queued) {
 			dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-			dec->refcnt++;
+			if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+				dec->refcnt++;
 			mfc_debug(3, "[REFINFO] display DPB[%d] released fd: %d\n",
 					i, dec->dpb[i].fd[0]);
 			dec->dpb_table_used &= ~(1UL << i);
diff --git a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
index 50ca7b455c3a..903c58556894 100644
--- a/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
+++ b/drivers/media/platform/exynos/mfc/mfc_core_nal_q.c
@@ -1656,7 +1656,8 @@ static void __mfc_core_nal_q_handle_frame_unused_output(struct mfc_ctx *ctx,
 				UNUSED_TAG);
 
 		dec->ref_buf[dec->refcnt].fd[0] = mfc_buf->vb.vb2_buf.planes[0].m.fd;
-		dec->refcnt++;
+		if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+			dec->refcnt++;
 
 		vb2_buffer_done(&mfc_buf->vb.vb2_buf, VB2_BUF_STATE_DONE);
 		mfc_debug(2, "[NALQ][DPB] dst index [%d][%d] fd: %d is buffer done (not used)\n",
@@ -2117,7 +2118,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 			dec->dpb[i].ref = 0;
 			if (dec->dpb[i].queued && (dec->dpb[i].new_fd != -1)) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[NALQ][REFINFO] Queued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				dec->dpb[i].fd[0] = dec->dpb[i].new_fd;
@@ -2126,7 +2128,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 						i, dec->dpb[i].fd[0]);
 			} else if (!dec->dpb[i].queued) {
 				dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-				dec->refcnt++;
+				if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+					dec->refcnt++;
 				mfc_debug(3, "[NALQ][REFINFO] Dqueued DPB[%d] released fd: %d\n",
 						i, dec->dpb[i].fd[0]);
 				/*
@@ -2152,7 +2155,8 @@ static void __mfc_core_nal_q_handle_released_buf(struct mfc_core *core, struct m
 		if (!(dec->dynamic_used & (1UL << i)) && dec->dpb[i].mapcnt
 				&& !dec->dpb[i].queued) {
 			dec->ref_buf[dec->refcnt].fd[0] = dec->dpb[i].fd[0];
-			dec->refcnt++;
+			if (dec->refcnt < MFC_MAX_BUFFERS - 1)
+				dec->refcnt++;
 			mfc_debug(3, "[NALQ][REFINFO] display DPB[%d] released fd: %d\n",
 					i, dec->dpb[i].fd[0]);
 			dec->dpb_table_used &= ~(1UL << i);
author	Seungchul Kim <sc377.kim@samsung.com>	2024-03-05 11:19:51 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	2024-03-05 11:19:51 +0000
commit	97c5e34862f9a5c236aae7e1ab9035da1569a675 (patch)
tree	385b1661f86c331043567356fd1ff7976d5ad1e9
parent	ce2b203b036535c1d40aecf3eab232adfaf04e68 (diff)
parent	5b865ae2443f8367220cc9e3cf2c8e3dd9e02743 (diff)
download	gs-97c5e34862f9a5c236aae7e1ab9035da1569a675.tar.gz