msm: camera: reqmgr: Validate the link handle (746d1a59) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.c

+57 −23

Original line number	Diff line number	Diff line
		@@ -2407,8 +2407,12 @@ int cam_req_mgr_destroy_session(
		mutex_lock(&g_crm_core_dev->crm_lock);
		cam_session = (struct cam_req_mgr_core_session *)
		cam_get_device_priv(ses_info->session_hdl);
		if (!cam_session) {
		CAM_ERR(CAM_CRM, "failed to get session priv");
		if (!cam_session \|\|
		(cam_session->session_hdl != ses_info->session_hdl)) {
		CAM_ERR(CAM_CRM, "ses:%s ses_info->ses_hdl:%x ses->ses_hdl:%x",
		CAM_IS_NULL_TO_STR(cam_session), ses_info->session_hdl,
		(!cam_session) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
		rc = -ENOENT;
		goto end;

		@@ -2469,8 +2473,12 @@ int cam_req_mgr_link(struct cam_req_mgr_link_info *link_info)
		/* session hdl's priv data is cam session struct */
		cam_session = (struct cam_req_mgr_core_session *)
		cam_get_device_priv(link_info->session_hdl);
		if (!cam_session) {
		CAM_DBG(CAM_CRM, "NULL pointer");
		if (!cam_session \|\|
		(cam_session->session_hdl != link_info->session_hdl)) {
		CAM_ERR(CAM_CRM, "ses:%s link_info->ses_hdl:%x ses->ses_hdl:%x",
		CAM_IS_NULL_TO_STR(cam_session), link_info->session_hdl,
		(!cam_session) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
		mutex_unlock(&g_crm_core_dev->crm_lock);
		return -EINVAL;
		}
		@@ -2569,16 +2577,23 @@ int cam_req_mgr_unlink(struct cam_req_mgr_unlink_info *unlink_info)
		/* session hdl's priv data is cam session struct */
		cam_session = (struct cam_req_mgr_core_session *)
		cam_get_device_priv(unlink_info->session_hdl);
		if (!cam_session) {
		CAM_ERR(CAM_CRM, "NULL pointer");
		if (!cam_session \|\|
		(cam_session->session_hdl != unlink_info->session_hdl)) {
		CAM_ERR(CAM_CRM, "ses:%s unlink->ses_hdl:%x ses->ses_hdl:%x",
		CAM_IS_NULL_TO_STR(cam_session),
		unlink_info->session_hdl,
		(!cam_session) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
		mutex_unlock(&g_crm_core_dev->crm_lock);
		return -EINVAL;
		}

		/* link hdl's priv data is core_link struct */
		link = cam_get_device_priv(unlink_info->link_hdl);
		if (!link) {
		CAM_ERR(CAM_CRM, "NULL pointer");
		if (!link \|\| (link->link_hdl != unlink_info->link_hdl)) {
		CAM_ERR(CAM_CRM, "link:%s unlink->link_hdl:%x lnk->lnk_hdl:%x",
		CAM_IS_NULL_TO_STR(link), unlink_info->link_hdl,
		(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
		rc = -EINVAL;
		goto done;
		}
		@@ -2610,8 +2625,10 @@ int cam_req_mgr_schedule_request(
		mutex_lock(&g_crm_core_dev->crm_lock);
		link = (struct cam_req_mgr_core_link *)
		cam_get_device_priv(sched_req->link_hdl);
		if (!link) {
		CAM_DBG(CAM_CRM, "link ptr NULL %x", sched_req->link_hdl);
		if (!link \|\| (link->link_hdl != sched_req->link_hdl)) {
		CAM_ERR(CAM_CRM, "lnk:%s schd_req->lnk_hdl:%x lnk->lnk_hdl:%x",
		CAM_IS_NULL_TO_STR(link), sched_req->link_hdl,
		(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
		rc = -EINVAL;
		goto end;
		}
		@@ -2677,8 +2694,12 @@ int cam_req_mgr_sync_config(
		/* session hdl's priv data is cam session struct */
		cam_session = (struct cam_req_mgr_core_session *)
		cam_get_device_priv(sync_info->session_hdl);
		if (!cam_session) {
		CAM_ERR(CAM_CRM, "NULL pointer");
		if (!cam_session \|\|
		(cam_session->session_hdl != sync_info->session_hdl)) {
		CAM_ERR(CAM_CRM, "ses:%s sync_info->ses_hdl:%x ses->ses_hdl:%x",
		CAM_IS_NULL_TO_STR(cam_session), sync_info->session_hdl,
		(!cam_session) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
		mutex_unlock(&g_crm_core_dev->crm_lock);
		return -EINVAL;
		}
		@@ -2690,15 +2711,21 @@ int cam_req_mgr_sync_config(

		/* only two links existing per session in dual cam use case*/
		link1 = cam_get_device_priv(sync_info->link_hdls[0]);
		if (!link1) {
		CAM_ERR(CAM_CRM, "link1 NULL pointer");
		if (!link1 \|\| (link1->link_hdl != sync_info->link_hdls[0])) {
		CAM_ERR(CAM_CRM, "lnk:%s sync_info->lnk_hdl[0]:%x lnk1_hdl:%x",
		CAM_IS_NULL_TO_STR(link1), sync_info->link_hdls[0],
		(!link1) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : link1->link_hdl);
		rc = -EINVAL;
		goto done;
		}

		link2 = cam_get_device_priv(sync_info->link_hdls[1]);
		if (!link2) {
		CAM_ERR(CAM_CRM, "link2 NULL pointer");
		if (!link2 \|\| (link2->link_hdl != sync_info->link_hdls[1])) {
		CAM_ERR(CAM_CRM, "lnk:%s sync_info->lnk_hdl[1]:%x lnk2_hdl:%x",
		CAM_IS_NULL_TO_STR(link2), sync_info->link_hdls[1],
		(!link2) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : link2->link_hdl);
		rc = -EINVAL;
		goto done;
		}
		@@ -2752,8 +2779,11 @@ int cam_req_mgr_flush_requests(
		/* session hdl's priv data is cam session struct */
		session = (struct cam_req_mgr_core_session *)
		cam_get_device_priv(flush_info->session_hdl);
		if (!session) {
		CAM_ERR(CAM_CRM, "Invalid session %x", flush_info->session_hdl);
		if (!session \|\| (session->session_hdl != flush_info->session_hdl)) {
		CAM_ERR(CAM_CRM, "ses:%s flush->ses_hdl:%x ses->ses_hdl:%x",
		CAM_IS_NULL_TO_STR(session), flush_info->session_hdl,
		(!session) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : session->session_hdl);
		rc = -EINVAL;
		goto end;
		}
		@@ -2765,8 +2795,10 @@ int cam_req_mgr_flush_requests(

		link = (struct cam_req_mgr_core_link *)
		cam_get_device_priv(flush_info->link_hdl);
		if (!link) {
		CAM_DBG(CAM_CRM, "link ptr NULL %x", flush_info->link_hdl);
		if (!link \|\| (link->link_hdl != flush_info->link_hdl)) {
		CAM_ERR(CAM_CRM, "lnk:%s flush->lnk_hdl:%x lnk->lnk_hdl:%x",
		CAM_IS_NULL_TO_STR(link), flush_info->link_hdl,
		(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
		rc = -EINVAL;
		goto end;
		}
		@@ -2823,9 +2855,11 @@ int cam_req_mgr_link_control(struct cam_req_mgr_link_control *control)
		for (i = 0; i < control->num_links; i++) {
		link = (struct cam_req_mgr_core_link *)
		cam_get_device_priv(control->link_hdls[i]);
		if (!link) {
		CAM_ERR(CAM_CRM, "Link(%d) is NULL on session 0x%x",
		i, control->session_hdl);
		if (!link \|\| (link->link_hdl != control->link_hdls[i])) {
		CAM_ERR(CAM_CRM, "lnk:%s ctrl->lnk_hdl:%x lnk_hdl:%x",
		CAM_IS_NULL_TO_STR(link), control->link_hdls[i],
		(!link) ?
		CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
		rc = -EINVAL;
		break;
		}

drivers/media/platform/msm/camera/cam_req_mgr/cam_req_mgr_core.h

+2 −0

Original line number	Diff line number	Diff line
		/* Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -23,6 +24,7 @@
		#define CAM_REQ_MGR_WATCHDOG_TIMEOUT 5000
		#define CAM_REQ_MGR_SCHED_REQ_TIMEOUT 1000
		#define CAM_REQ_MGR_SIMULATE_SCHED_REQ 30
		#define CAM_REQ_MGR_DEFAULT_HDL_VAL 0

		#define FORCE_DISABLE_RECOVERY 2
		#define FORCE_ENABLE_RECOVERY 1

drivers/media/platform/msm/camera/cam_utils/cam_debug_util.h

+3 −0

Original line number	Diff line number	Diff line
		/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -13,6 +14,8 @@
		#ifndef _CAM_DEBUG_UTIL_H_
		#define _CAM_DEBUG_UTIL_H_

		#define CAM_IS_NULL_TO_STR(ptr) ((ptr) ? "Non-NULL" : "NULL")

		#define CAM_CDM (1 << 0)
		#define CAM_CORE (1 << 1)
		#define CAM_CPAS (1 << 2)