Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9f13d0ec authored by Karthik Anantha Ram's avatar Karthik Anantha Ram Committed by Suresh Vankadara
Browse files

msm: camera: icp: Fix out of bound issue in ICP 



Number of IPE devices change based on the target, so memory
is allocated based on number of devices.

Access IPE1 device interface if it is only allocated to avoid
out of bound access to read

Change-Id: I8a99e57ee4640d68e43855d4e63b4f32119e8398
Signed-off-by: default avatarSuresh Vankadara <svankada@codeaurora.org>
parent bbd59a1f

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c

+40 −33
Original line number Diff line number Diff line
@@ -60,7 +60,7 @@ static int cam_icp_send_ubwc_cfg(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_intf *a5_dev_intf = NULL;

	int rc;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is NULL");

		return -EINVAL;
@@ -627,9 +627,9 @@ static int cam_icp_update_clk_rate(struct cam_icp_hw_mgr *hw_mgr, 
	struct cam_hw_intf *bps_dev_intf = NULL;

	struct cam_hw_intf *dev_intf = NULL;



	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;





	if ((!ipe0_dev_intf) || (!bps_dev_intf)) {
@@ -670,9 +670,9 @@ static int cam_icp_update_cpas_vote(struct cam_icp_hw_mgr *hw_mgr, 
	struct cam_icp_clk_info *clk_info;

	struct cam_icp_cpas_vote clk_update;



	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;



	if ((!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong, failed to update clk");
@@ -729,9 +729,9 @@ static int cam_icp_mgr_ipe_bps_resume(struct cam_icp_hw_mgr *hw_mgr, 
	struct cam_hw_intf *bps_dev_intf = NULL;

	int rc = 0;



	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;



	if ((!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong, failed to close");
@@ -793,9 +793,9 @@ static int cam_icp_mgr_ipe_bps_power_collapse(struct cam_icp_hw_mgr *hw_mgr, 
	struct cam_hw_intf *ipe1_dev_intf = NULL;

	struct cam_hw_intf *bps_dev_intf = NULL;



	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;



	if ((!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong, failed to close");
@@ -1615,7 +1615,7 @@ static int cam_icp_mgr_send_pc_prep(struct cam_icp_hw_mgr *hw_mgr) 
	unsigned long rem_jiffies;

	int timeout = 5000;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid\n");

		return -EINVAL;
@@ -1646,9 +1646,9 @@ static int cam_ipe_bps_deint(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_intf *ipe1_dev_intf = NULL;

	struct cam_hw_intf *bps_dev_intf = NULL;



	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;

	if ((!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong, failed to close");

		return 0;
@@ -1670,7 +1670,7 @@ static int cam_icp_mgr_icp_power_collapse(struct cam_icp_hw_mgr *hw_mgr) 


	CAM_DBG(CAM_ICP, "ENTER");



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid\n");

		return -EINVAL;
@@ -1692,7 +1692,7 @@ static int cam_icp_mgr_hfi_resume(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_info *a5_dev = NULL;

	struct hfi_mem_info hfi_mem;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid\n");

		return -EINVAL;
@@ -1740,7 +1740,7 @@ static int cam_icp_mgr_icp_resume(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_intf *a5_dev_intf = NULL;



	CAM_DBG(CAM_ICP, "Enter");

	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;



	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5 dev intf is wrong");
@@ -1941,10 +1941,10 @@ static void cam_icp_mgr_device_deinit(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_intf *ipe1_dev_intf = NULL;

	struct cam_hw_intf *bps_dev_intf = NULL;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;



	if ((!a5_dev_intf) || (!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong, failed to close");
@@ -1974,7 +1974,7 @@ static int cam_icp_mgr_hw_close(void *hw_priv, void *hw_close_args) 
		return 0;

	}



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_DBG(CAM_ICP, "a5_dev_intf is NULL");

		mutex_unlock(&hw_mgr->hw_mgr_mutex);
@@ -2019,10 +2019,10 @@ static int cam_icp_mgr_device_init(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_intf *ipe1_dev_intf = NULL;

	struct cam_hw_intf *bps_dev_intf = NULL;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	ipe0_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][0];

	ipe1_dev_intf = hw_mgr->devices[CAM_ICP_DEV_IPE][1];

	bps_dev_intf = hw_mgr->devices[CAM_ICP_DEV_BPS][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	ipe0_dev_intf = hw_mgr->ipe0_dev_intf;

	ipe1_dev_intf = hw_mgr->ipe1_dev_intf;

	bps_dev_intf = hw_mgr->bps_dev_intf;



	if ((!a5_dev_intf) || (!ipe0_dev_intf) || (!bps_dev_intf)) {

		CAM_ERR(CAM_ICP, "dev intfs are wrong");
@@ -2067,7 +2067,7 @@ static int cam_icp_mgr_fw_download(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_icp_a5_set_irq_cb irq_cb;

	struct cam_icp_a5_set_fw_buf_info fw_buf_info;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid");

		return -EINVAL;
@@ -2116,7 +2116,7 @@ static int cam_icp_mgr_hfi_init(struct cam_icp_hw_mgr *hw_mgr) 
	struct cam_hw_info *a5_dev = NULL;

	struct hfi_mem_info hfi_mem;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid");

		return -EINVAL;
@@ -2158,7 +2158,7 @@ static int cam_icp_mgr_send_fw_init(struct cam_icp_hw_mgr *hw_mgr) 
	unsigned long rem_jiffies;

	int timeout = 5000;



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid");

		return -EINVAL;
@@ -2203,7 +2203,7 @@ static int cam_icp_mgr_hw_open(void *hw_mgr_priv, void *download_fw_args) 
		return rc;

	}



	a5_dev_intf = hw_mgr->devices[CAM_ICP_DEV_A5][0];

	a5_dev_intf = hw_mgr->a5_dev_intf;

	if (!a5_dev_intf) {

		CAM_ERR(CAM_ICP, "a5_dev_intf is invalid");

		mutex_unlock(&hw_mgr->hw_mgr_mutex);
@@ -3276,6 +3276,13 @@ static int cam_icp_mgr_init_devs(struct device_node *of_node) 
		of_node_put(child_node);

	}



	icp_hw_mgr.a5_dev_intf = icp_hw_mgr.devices[CAM_ICP_DEV_A5][0];

	icp_hw_mgr.bps_dev_intf = icp_hw_mgr.devices[CAM_ICP_DEV_BPS][0];

	icp_hw_mgr.ipe0_dev_intf = icp_hw_mgr.devices[CAM_ICP_DEV_IPE][0];

	if (icp_hw_mgr.ipe1_enable)

		icp_hw_mgr.ipe1_dev_intf =

			icp_hw_mgr.devices[CAM_ICP_DEV_IPE][1];



	return 0;

compat_hw_name_failed:

	kfree(icp_hw_mgr.devices[CAM_ICP_DEV_BPS]);

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.h

+4 −0
Original line number Diff line number Diff line
@@ -290,6 +290,10 @@ struct cam_icp_hw_mgr { 
	bool ipe1_enable;

	bool bps_enable;

	uint32_t core_info;

	struct cam_hw_intf *a5_dev_intf;

	struct cam_hw_intf *ipe0_dev_intf;

	struct cam_hw_intf *ipe1_dev_intf;

	struct cam_hw_intf *bps_dev_intf;

};



static int cam_icp_mgr_hw_close(void *hw_priv, void *hw_close_args);