Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: bcm2835-unicam: Fix for possible dummy buffer overrun

The Unicam hardware has been observed to cause a buffer overrun when
using the dummy buffer as a circular buffer. The conditions that cause
the overrun are not fully known, but it seems to occur when the memory
bus is heavily loaded.

To avoid the overrun, program the hardware with a buffer size of 0 when
using the dummy buffer. This will cause overrun into the allocated dummy
buffer, but avoid out of bounds writes.

Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

authored by Naushir Patuck and committed by Mauro Carvalho Chehab
7b1ec3e3 697a252b

+8 -1
drivers/media/platform/broadcom/bcm2835-unicam.c
··· 640 640 static void unicam_wr_dma_addr(struct unicam_node *node, 641 641 struct unicam_buffer *buf) 642 642 { 643 - dma_addr_t endaddr = buf->dma_addr + buf->size; 643 + /* 644 + * Due to a HW bug causing buffer overruns in circular buffer mode under 645 + * certain (not yet fully known) conditions, the dummy buffer allocation 646 + * is set to a a single page size, but the hardware gets programmed with 647 + * a buffer size of 0. 648 + */ 649 + dma_addr_t endaddr = buf->dma_addr + 650 + (buf != &node->dummy_buf ? buf->size : 0); 644 651 645 652 if (node->id == UNICAM_IMAGE_NODE) { 646 653 unicam_reg_write(node->dev, UNICAM_IBSA0, buf->dma_addr);
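
Review bot: the comment added at the top of unicam_wr_dma_addr() has a duplicated word ("a a single page size") and refers to the dummy buffer being allocated as a single page, which this hunk does not touch, without saying why one page is enough to contain what the hardware still writes when it is programmed with a size of 0. Since the commit message says the overrun will still land in the dummy buffer, the comment should state the bound the allocation relies on, or point to where the allocation is sized. The selection `buf != &node->dummy_buf` also depends on every caller passing the node's own dummy_buf by address; any other unicam_buffer describing the same memory would get the full buf->size programmed as the end address, so a one-line note on that invariant would help.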