Loading drivers/media/platform/msm/camera/cam_cdm/cam_cdm_virtual_core.c +9 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -118,6 +118,14 @@ int cam_virtual_cdm_submit_bl(struct cam_hw_info *cdm_hw, if ((!rc) && (vaddr_ptr) && (len) && (len >= cdm_cmd->cmd[i].offset)) { if ((len - cdm_cmd->cmd[i].offset) <= cdm_cmd->cmd[i].len) { CAM_ERR(CAM_CDM, "Not enough buffer"); rc = -EINVAL; break; } CAM_DBG(CAM_CDM, "hdl=%x vaddr=%pK offset=%d cmdlen=%d:%zu", cdm_cmd->cmd[i].bl_addr.mem_handle, Loading drivers/media/platform/msm/camera/cam_core/cam_context_utils.c +11 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -275,6 +275,7 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx, uintptr_t packet_addr; struct cam_packet *packet; size_t len = 0; size_t remain_len = 0; int32_t i = 0, j = 0; if (!ctx || !cmd) { Loading Loading @@ -323,12 +324,21 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx, goto free_req; } remain_len = len; if ((len < sizeof(struct cam_packet)) || ((size_t)cmd->offset >= len - sizeof(struct cam_packet))) { CAM_ERR(CAM_CTXT, "invalid buff length: %zu or offset", len); return -EINVAL; } remain_len -= (size_t)cmd->offset; packet = (struct cam_packet *) ((uint8_t *)packet_addr + (uint32_t)cmd->offset); /* preprocess the configuration */ memset(&cfg, 0, sizeof(cfg)); cfg.packet = packet; cfg.remain_len = remain_len; cfg.ctxt_to_hw_map = ctx->ctxt_to_hw_map; cfg.max_hw_update_entries = CAM_CTX_CFG_MAX; cfg.num_hw_update_entries = req->num_hw_update_entries; Loading drivers/media/platform/msm/camera/cam_core/cam_hw_mgr_intf.h +3 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -152,6 +152,7 @@ struct cam_hw_mgr_dump_pf_data { * struct cam_hw_prepare_update_args - Payload for prepare command * * @packet: CSL packet from user mode driver * @remain_len Remaining length of CPU buffer after config offset * @ctxt_to_hw_map: HW context from the acquire * @max_hw_update_entries: Maximum hardware update entries supported * @hw_update_entries: Actual hardware update configuration (returned) Loading @@ -168,6 +169,7 @@ struct cam_hw_mgr_dump_pf_data { */ struct cam_hw_prepare_update_args { struct cam_packet *packet; size_t remain_len; void *ctxt_to_hw_map; uint32_t max_hw_update_entries; struct cam_hw_update_entry *hw_update_entries; Loading drivers/media/platform/msm/camera/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c +13 −5 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -30,7 +30,8 @@ static struct cam_fd_hw_mgr g_fd_hw_mgr; static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet) static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet, size_t remain_len) { struct cam_cmd_buf_desc *cmd_desc = NULL; int i, rc; Loading @@ -50,7 +51,7 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet) packet->patch_offset, packet->num_patches, packet->kmd_cmd_buf_offset, packet->kmd_cmd_buf_index); if (cam_packet_util_validate_packet(packet)) { if (cam_packet_util_validate_packet(packet, remain_len)) { CAM_ERR(CAM_FD, "invalid packet:%d %d %d %d %d", packet->kmd_cmd_buf_index, packet->num_cmd_buf, packet->cmd_buf_offset, Loading Loading @@ -608,7 +609,13 @@ static int cam_fd_mgr_util_prepare_io_buf_info(int32_t iommu_hdl, rc); return rc; } if (io_cfg[i].offsets[plane] >= size) { CAM_ERR(CAM_FD, "Invalid cpu buf %d %d %d", io_cfg[i].direction, io_cfg[i].resource_type, plane); return -EINVAL; } cpu_addr[plane] += io_cfg[i].offsets[plane]; } Loading Loading @@ -1559,7 +1566,8 @@ static int cam_fd_mgr_hw_prepare_update(void *hw_mgr_priv, goto error; } rc = cam_fd_mgr_util_packet_validate(prepare->packet); rc = cam_fd_mgr_util_packet_validate(prepare->packet, prepare->remain_len); if (rc) { CAM_ERR(CAM_FD, "Error in packet validation %d", rc); goto error; Loading drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c +3 −0 Original line number Diff line number Diff line Loading @@ -3731,6 +3731,9 @@ static int cam_icp_mgr_prepare_hw_update(void *hw_mgr_priv, packet = prepare_args->packet; if (cam_packet_util_validate_packet(packet, prepare_args->remain_len)) return -EINVAL; rc = cam_icp_mgr_pkt_validation(packet); if (rc) { mutex_unlock(&ctx_data->ctx_mutex); Loading Loading
drivers/media/platform/msm/camera/cam_cdm/cam_cdm_virtual_core.c +9 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -118,6 +118,14 @@ int cam_virtual_cdm_submit_bl(struct cam_hw_info *cdm_hw, if ((!rc) && (vaddr_ptr) && (len) && (len >= cdm_cmd->cmd[i].offset)) { if ((len - cdm_cmd->cmd[i].offset) <= cdm_cmd->cmd[i].len) { CAM_ERR(CAM_CDM, "Not enough buffer"); rc = -EINVAL; break; } CAM_DBG(CAM_CDM, "hdl=%x vaddr=%pK offset=%d cmdlen=%d:%zu", cdm_cmd->cmd[i].bl_addr.mem_handle, Loading
drivers/media/platform/msm/camera/cam_core/cam_context_utils.c +11 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -275,6 +275,7 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx, uintptr_t packet_addr; struct cam_packet *packet; size_t len = 0; size_t remain_len = 0; int32_t i = 0, j = 0; if (!ctx || !cmd) { Loading Loading @@ -323,12 +324,21 @@ int32_t cam_context_prepare_dev_to_hw(struct cam_context *ctx, goto free_req; } remain_len = len; if ((len < sizeof(struct cam_packet)) || ((size_t)cmd->offset >= len - sizeof(struct cam_packet))) { CAM_ERR(CAM_CTXT, "invalid buff length: %zu or offset", len); return -EINVAL; } remain_len -= (size_t)cmd->offset; packet = (struct cam_packet *) ((uint8_t *)packet_addr + (uint32_t)cmd->offset); /* preprocess the configuration */ memset(&cfg, 0, sizeof(cfg)); cfg.packet = packet; cfg.remain_len = remain_len; cfg.ctxt_to_hw_map = ctx->ctxt_to_hw_map; cfg.max_hw_update_entries = CAM_CTX_CFG_MAX; cfg.num_hw_update_entries = req->num_hw_update_entries; Loading
drivers/media/platform/msm/camera/cam_core/cam_hw_mgr_intf.h +3 −1 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -152,6 +152,7 @@ struct cam_hw_mgr_dump_pf_data { * struct cam_hw_prepare_update_args - Payload for prepare command * * @packet: CSL packet from user mode driver * @remain_len Remaining length of CPU buffer after config offset * @ctxt_to_hw_map: HW context from the acquire * @max_hw_update_entries: Maximum hardware update entries supported * @hw_update_entries: Actual hardware update configuration (returned) Loading @@ -168,6 +169,7 @@ struct cam_hw_mgr_dump_pf_data { */ struct cam_hw_prepare_update_args { struct cam_packet *packet; size_t remain_len; void *ctxt_to_hw_map; uint32_t max_hw_update_entries; struct cam_hw_update_entry *hw_update_entries; Loading
drivers/media/platform/msm/camera/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c +13 −5 Original line number Diff line number Diff line /* Copyright (c) 2017-2018, The Linux Foundation. All rights reserved. /* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and Loading Loading @@ -30,7 +30,8 @@ static struct cam_fd_hw_mgr g_fd_hw_mgr; static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet) static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet, size_t remain_len) { struct cam_cmd_buf_desc *cmd_desc = NULL; int i, rc; Loading @@ -50,7 +51,7 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet) packet->patch_offset, packet->num_patches, packet->kmd_cmd_buf_offset, packet->kmd_cmd_buf_index); if (cam_packet_util_validate_packet(packet)) { if (cam_packet_util_validate_packet(packet, remain_len)) { CAM_ERR(CAM_FD, "invalid packet:%d %d %d %d %d", packet->kmd_cmd_buf_index, packet->num_cmd_buf, packet->cmd_buf_offset, Loading Loading @@ -608,7 +609,13 @@ static int cam_fd_mgr_util_prepare_io_buf_info(int32_t iommu_hdl, rc); return rc; } if (io_cfg[i].offsets[plane] >= size) { CAM_ERR(CAM_FD, "Invalid cpu buf %d %d %d", io_cfg[i].direction, io_cfg[i].resource_type, plane); return -EINVAL; } cpu_addr[plane] += io_cfg[i].offsets[plane]; } Loading Loading @@ -1559,7 +1566,8 @@ static int cam_fd_mgr_hw_prepare_update(void *hw_mgr_priv, goto error; } rc = cam_fd_mgr_util_packet_validate(prepare->packet); rc = cam_fd_mgr_util_packet_validate(prepare->packet, prepare->remain_len); if (rc) { CAM_ERR(CAM_FD, "Error in packet validation %d", rc); goto error; Loading
drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c +3 −0 Original line number Diff line number Diff line Loading @@ -3731,6 +3731,9 @@ static int cam_icp_mgr_prepare_hw_update(void *hw_mgr_priv, packet = prepare_args->packet; if (cam_packet_util_validate_packet(packet, prepare_args->remain_len)) return -EINVAL; rc = cam_icp_mgr_pkt_validation(packet); if (rc) { mutex_unlock(&ctx_data->ctx_mutex); Loading
