[PATCH v1 4/5] drivers: media: bcm2835-unicam: Fix for possible dummy buffer overrun

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Naushir Patuck <naush@raspberrypi.com>
To: Raspberry Pi Kernel Maintenance <kernel-list@raspberrypi.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Florian Fainelli <florian.fainelli@broadcom.com>,
	Broadcom internal kernel review list
	<bcm-kernel-feedback-list@broadcom.com>,
	Ray Jui <rjui@broadcom.com>,
	Scott Branden <sbranden@broadcom.com>
Cc: linux-media@vger.kernel.org,
	linux-rpi-kernel@lists.infradead.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, jacopo.mondi@ideasonboard.com,
	Dave Stevenson <dave.stevenson@raspberrypi.com>,
	Naushir Patuck <naush@raspberrypi.com>
Subject: [PATCH v1 4/5] drivers: media: bcm2835-unicam: Fix for possible dummy buffer overrun
Date: Fri, 22 Nov 2024 08:41:51 +0000	[thread overview]
Message-ID: <20241122084152.1841419-5-naush@raspberrypi.com> (raw)
In-Reply-To: <20241122084152.1841419-1-naush@raspberrypi.com>

The Unicam hardware has been observed to cause a buffer overrun when
using the dummy buffer as a circular buffer. The conditions that cause
the overrun are not fully known, but it seems to occur when the memory
bus is heavily loaded.

To avoid the overrun, program the hardware with a buffer size of 0 when
using the dummy buffer. This will cause overrun into the allocated dummy
buffer, but avoid out of bounds writes.

Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
---
 drivers/media/platform/broadcom/bcm2835-unicam.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/broadcom/bcm2835-unicam.c b/drivers/media/platform/broadcom/bcm2835-unicam.c
index 550eb1b064f1..f10064107d54 100644
--- a/drivers/media/platform/broadcom/bcm2835-unicam.c
+++ b/drivers/media/platform/broadcom/bcm2835-unicam.c
@@ -640,7 +640,14 @@ static inline void unicam_reg_write_field(struct unicam_device *unicam, u32 offs
 static void unicam_wr_dma_addr(struct unicam_node *node,
 			       struct unicam_buffer *buf)
 {
-	dma_addr_t endaddr = buf->dma_addr + buf->size;
+	/*
+	 * Due to a HW bug causing buffer overruns in circular buffer mode under
+	 * certain (not yet fully known) conditions, the dummy buffer allocation
+	 * is set to a a single page size, but the hardware gets programmed with
+	 * a buffer size of 0.
+	 */
+	dma_addr_t endaddr = buf->dma_addr +
+			     (buf != &node->dummy_buf ? buf->size : 0);
 
 	if (node->id == UNICAM_IMAGE_NODE) {
 		unicam_reg_write(node->dev, UNICAM_IBSA0, buf->dma_addr);
-- 
2.34.1

next prev parent reply	other threads:[~2024-11-22  8:42 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-22  8:41 [PATCH v1 0/5] media: bcm2835-unicam: Upstreaming various improvements Naushir Patuck
2024-11-22  8:41 ` [PATCH v1 1/5] drivers: media: bcm2835-unicam: Improve frame sequence count handling Naushir Patuck
2024-11-22 14:45   ` Jacopo Mondi
2024-11-22  8:41 ` [PATCH v1 2/5] drivers: media: bcm2835-unicam: Allow setting of unpacked formats Naushir Patuck
2024-11-22 11:16   ` Jacopo Mondi
2024-11-22  8:41 ` [PATCH v1 3/5] drivers: media: bcm2835-unicam: Disable trigger mode operation Naushir Patuck
2024-11-22 11:18   ` Jacopo Mondi
2024-11-22  8:41 ` Naushir Patuck [this message]
2024-11-22 11:20   ` [PATCH v1 4/5] drivers: media: bcm2835-unicam: Fix for possible dummy buffer overrun Jacopo Mondi
2024-11-22 11:35     ` Naushir Patuck
2024-11-22 14:42       ` Jacopo Mondi
2024-11-22  8:41 ` [PATCH v1 5/5] drivers: media: bcm2835-unicam: Correctly handle FS + FE ISR condition Naushir Patuck
2024-11-22 11:16   ` Jacopo Mondi
2024-11-22 11:40     ` Naushir Patuck
2024-11-22 14:41       ` Jacopo Mondi
2024-11-22 14:48         ` Jacopo Mondi
2024-11-24  7:04           ` Laurent Pinchart
2024-11-25  8:37             ` Naushir Patuck
2024-11-25  9:23               ` Laurent Pinchart
2024-11-25  9:46                 ` Naushir Patuck
2024-11-25 10:27                   ` Laurent Pinchart
2024-11-25 10:46                     ` Naushir Patuck
2024-11-25 11:00                       ` Laurent Pinchart

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:550eb1b064f dfblob:f10064107d5 )
 OR (
bs:"[PATCH v1 4/5] drivers: media: bcm2835-unicam: Fix for possible dummy buffer overrun" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241122084152.1841419-5-naush@raspberrypi.com \
    --to=naush@raspberrypi.com \
    --cc=bcm-kernel-feedback-list@broadcom.com \
    --cc=dave.stevenson@raspberrypi.com \
    --cc=florian.fainelli@broadcom.com \
    --cc=jacopo.mondi@ideasonboard.com \
    --cc=kernel-list@raspberrypi.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=linux-rpi-kernel@lists.infradead.org \
    --cc=mchehab@kernel.org \
    --cc=rjui@broadcom.com \
    --cc=sbranden@broadcom.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox