diff --git a/drivers/video/msm/mdp_debugfs.c b/drivers/video/msm/mdp_debugfs.c
index d3e0c8ddd63e33072bcfe118fb99f7e537f50c2c..82acfa1f231dcc40f765ec4a10bb18bc50c31c73 100644
--- a/drivers/video/msm/mdp_debugfs.c
+++ b/drivers/video/msm/mdp_debugfs.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2009-2012, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2009-2012, 2016 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -39,6 +39,9 @@
#endif
#define MDP_DEBUG_BUF 2048
+#define MDP_MAX_OFFSET 0xF05FC
+#define MDDI_MAX_OFFSET 0xC
+#define HDMI_MAX_OFFSET 0x59C
static uint32 mdp_offset;
static uint32 mdp_count;
@@ -78,11 +81,18 @@ static ssize_t mdp_offset_write(
debug_buf[count] = 0; /* end of string */
- sscanf(debug_buf, "%x %d", &off, &cnt);
+ if (sscanf(debug_buf, "%x %d", &off, &cnt) != 2)
+ return -EFAULT;
if (cnt <= 0)
cnt = 1;
+ if ((off > MDP_MAX_OFFSET) || (cnt > (MDP_MAX_OFFSET - off))) {
+ printk(KERN_INFO "%s: Invalid offset%x+cnt%d > %x\n", __func__,
+ off, cnt, MDP_MAX_OFFSET);
+ return -EFAULT;
+ }
+
mdp_offset = off;
mdp_count = cnt;
@@ -154,6 +164,14 @@ static ssize_t mdp_reg_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x %x", &off, &data);
+ if (cnt != 2)
+ return -EFAULT;
+
+ if (off > MDP_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset%x > %x\n", __func__,
+ off, MDP_MAX_OFFSET);
+ return -EFAULT;
+ }
mdp_pipe_ctrl(MDP_CMD_BLOCK, MDP_BLOCK_POWER_ON, FALSE);
outpdw(MDP_BASE + off, data);
@@ -620,6 +638,17 @@ static void mddi_reg_write(int ndx, uint32 off, uint32 data)
else
base = (char *)msm_pmdh_base;
+ if (base == NULL) {
+ printk(KERN_INFO "%s: base offset is not set properly. \
+ Please check if MDDI is enabled correctly\n", __func__);
+ return;
+ }
+
+ if (off > MDDI_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset=%x > %x\n", __func__,
+ off, MDDI_MAX_OFFSET);
+ return;
+ }
mdp_pipe_ctrl(MDP_CMD_BLOCK, MDP_BLOCK_POWER_ON, FALSE);
writel(data, base + off);
mdp_pipe_ctrl(MDP_CMD_BLOCK, MDP_BLOCK_POWER_OFF, FALSE);
@@ -682,6 +711,14 @@ static ssize_t pmdh_reg_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x %x", &off, &data);
+ if (cnt != 2)
+ return -EFAULT;
+
+ if (off > MDDI_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset=%x > %x\n", __func__,
+ off, MDDI_MAX_OFFSET);
+ return -EFAULT;
+ }
mddi_reg_write(0, off, data);
@@ -737,6 +774,14 @@ static ssize_t emdh_reg_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x %x", &off, &data);
+ if (cnt != 2)
+ return -EFAULT;
+
+ if (off > MDDI_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset=%x > %x\n", __func__,
+ off, MDDI_MAX_OFFSET);
+ return -EFAULT;
+ }
mddi_reg_write(1, off, data);
@@ -884,15 +929,18 @@ static ssize_t dbg_offset_write(
cnt = sscanf(debug_buf, "%x %d %x", &off, &num, &base);
- if (cnt < 0)
- cnt = 0;
+ if (cnt != 3)
+ return -EFAULT;
+
+ if ((off > MDP_MAX_OFFSET) || (num > (MDP_MAX_OFFSET - off))) {
+ printk(KERN_INFO "%s: Invalid offset%x+num%d > %x\n", __func__,
+ off, num, MDP_MAX_OFFSET);
+ return -EFAULT;
+ }
- if (cnt >= 1)
- dbg_offset = off;
- if (cnt >= 2)
- dbg_count = num;
- if (cnt >= 3)
- dbg_base = (char *)base;
+ dbg_offset = off;
+ dbg_count = num;
+ dbg_base = (char *)base;
printk(KERN_INFO "%s: offset=%x cnt=%d base=%x\n", __func__,
dbg_offset, dbg_count, (int)dbg_base);
@@ -951,6 +999,14 @@ static ssize_t dbg_reg_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x %x", &off, &data);
+ if (cnt != 2)
+ return -EFAULT;
+
+ if (off > MDP_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset%x > %x\n", __func__,
+ off, MDP_MAX_OFFSET);
+ return -EFAULT;
+ }
writel(data, dbg_base + off);
@@ -1073,6 +1129,8 @@ static ssize_t dbg_force_ov0_blt_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x", &dbg_force_ov0_blt);
+ if (cnt != 1)
+ return -EFAULT;
pr_info("%s: dbg_force_ov0_blt = %x\n",
__func__, dbg_force_ov0_blt);
@@ -1136,6 +1194,8 @@ static ssize_t dbg_force_ov1_blt_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x", &dbg_force_ov1_blt);
+ if (cnt != 1)
+ return -EFAULT;
pr_info("%s: dbg_force_ov1_blt = %x\n",
__func__, dbg_force_ov1_blt);
@@ -1191,14 +1251,17 @@ static ssize_t hdmi_offset_write(
debug_buf[count] = 0; /* end of string */
cnt = sscanf(debug_buf, "%x %d", &off, &num);
+ if (cnt != 2)
+ return -EFAULT;
- if (cnt < 0)
- cnt = 0;
+ if ((off > HDMI_MAX_OFFSET) || (num > (HDMI_MAX_OFFSET - off))) {
+ printk(KERN_INFO "%s: Invalid offset%x+num%d > %x\n", __func__,
+ off, num, HDMI_MAX_OFFSET);
+ return -EFAULT;
+ }
- if (cnt >= 1)
- hdmi_offset = off;
- if (cnt >= 2)
- hdmi_count = num;
+ hdmi_offset = off;
+ hdmi_count = num;
printk(KERN_INFO "%s: offset=%x cnt=%d\n", __func__,
hdmi_offset, hdmi_count);
@@ -1262,6 +1325,15 @@ static ssize_t hdmi_reg_write(
cnt = sscanf(debug_buf, "%x %x", &off, &data);
+ if (cnt != 2)
+ return -EFAULT;
+
+ if (off > HDMI_MAX_OFFSET) {
+ printk(KERN_INFO "%s: Invalid offset%x > %x\n", __func__,
+ off, HDMI_MAX_OFFSET);
+ return -EFAULT;
+ }
+
writel(data, base + off);
printk(KERN_INFO "%s: addr=%x data=%x\n",
@@ -1355,14 +1427,14 @@ int mdp_debugfs_init(void)
return -1;
}
- if (debugfs_create_file("off", 0644, dent, 0, &mdp_off_fops)
+ if (debugfs_create_file("off", 0600, dent, 0, &mdp_off_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: index fail\n",
__FILE__, __LINE__);
return -1;
}
- if (debugfs_create_file("reg", 0644, dent, 0, &mdp_reg_fops)
+ if (debugfs_create_file("reg", 0600, dent, 0, &mdp_reg_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: debug fail\n",
__FILE__, __LINE__);
@@ -1402,7 +1474,7 @@ int mdp_debugfs_init(void)
return -1;
}
- if (debugfs_create_file("reg", 0644, dent, 0, &pmdh_fops)
+ if (debugfs_create_file("reg", 0600, dent, 0, &pmdh_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: debug fail\n",
__FILE__, __LINE__);
@@ -1417,7 +1489,7 @@ int mdp_debugfs_init(void)
return -1;
}
- if (debugfs_create_file("reg", 0644, dent, 0, &emdh_fops)
+ if (debugfs_create_file("reg", 0600, dent, 0, &emdh_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: debug fail\n",
__FILE__, __LINE__);
@@ -1432,21 +1504,21 @@ int mdp_debugfs_init(void)
return -1;
}
- if (debugfs_create_file("base", 0644, dent, 0, &dbg_base_fops)
+ if (debugfs_create_file("base", 0600, dent, 0, &dbg_base_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: index fail\n",
__FILE__, __LINE__);
return -1;
}
- if (debugfs_create_file("off", 0644, dent, 0, &dbg_off_fops)
+ if (debugfs_create_file("off", 0600, dent, 0, &dbg_off_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: index fail\n",
__FILE__, __LINE__);
return -1;
}
- if (debugfs_create_file("reg", 0644, dent, 0, &dbg_reg_fops)
+ if (debugfs_create_file("reg", 0600, dent, 0, &dbg_reg_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: debug fail\n",
__FILE__, __LINE__);
@@ -1462,14 +1534,14 @@ int mdp_debugfs_init(void)
return PTR_ERR(dent);
}
- if (debugfs_create_file("off", 0644, dent, 0, &hdmi_off_fops)
+ if (debugfs_create_file("off", 0600, dent, 0, &hdmi_off_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: 'off' fail\n",
__FILE__, __LINE__);
return -ENOENT;
}
- if (debugfs_create_file("reg", 0644, dent, 0, &hdmi_reg_fops)
+ if (debugfs_create_file("reg", 0600, dent, 0, &hdmi_reg_fops)
== NULL) {
printk(KERN_ERR "%s(%d): debugfs_create_file: 'reg' fail\n",
__FILE__, __LINE__);