
Commit 29964e85 authored by Alok Chauhan's avatar Alok Chauhan

msm: camera: ope: Fix the length check for debug buffer



Debug buffer passed by UMD is smaller than the required
size to collect the replay dump.

Corrected the debug buffer length check and don't dump
replay data in case of a flush.

CRs-Fixed: 2629735
Change-Id: I07bc3c9585ab8ad00cd858ecd807e473075795aa
Signed-off-by: default avatarAlok Chauhan <alokc@codeaurora.org>
parent 82ebc5e7
+14 −5
@@ -551,8 +551,14 @@ static void cam_ope_dump_req_data(struct cam_ope_request *ope_req)
		(struct cam_packet *)ope_req->hang_data.packet;

	if (!ope_req->ope_debug_buf.cpu_addr ||
		ope_req->ope_debug_buf.len < sizeof(struct cam_ope_hang_dump)) {
		CAM_ERR(CAM_OPE, "OPE debug buf is invalid");
		ope_req->ope_debug_buf.len < sizeof(struct cam_ope_hang_dump) ||
		(ope_req->ope_debug_buf.offset + ope_req->ope_debug_buf.len)
			> ope_req->ope_debug_buf.size) {
		CAM_ERR(CAM_OPE, "Invalid debug buf, size %d %d len %d off %d",
				sizeof(struct cam_ope_hang_dump),
				ope_req->ope_debug_buf.size,
				ope_req->ope_debug_buf.len,
				ope_req->ope_debug_buf.offset);
		return;
	}
	dump = (struct cam_ope_hang_dump *)ope_req->ope_debug_buf.cpu_addr;
@@ -1503,6 +1509,7 @@ static void cam_ope_ctx_cdm_callback(uint32_t handle, void *userdata,
			 handle, userdata, status, cookie, ope_req->request_id);
		CAM_ERR(CAM_OPE, "Rst of CDM and OPE for error reqid = %lld",
			ope_req->request_id);
		if (status != CAM_CDM_CB_STATUS_HW_FLUSH)
			cam_ope_dump_req_data(ope_req);
		rc = cam_ope_mgr_reset_hw();
		flag = true;
@@ -1996,9 +2003,11 @@ static int cam_ope_mgr_process_cmd_buf_req(struct cam_ope_hw_mgr *hw_mgr,
					ope_request->ope_debug_buf.iova_addr =
						iova_addr;
					ope_request->ope_debug_buf.len =
						len;
						cmd_buf->length;
					ope_request->ope_debug_buf.size =
						cmd_buf->size;
						len;
					ope_request->ope_debug_buf.offset =
						cmd_buf->offset;
					CAM_DBG(CAM_OPE, "dbg buf = %x",
					ope_request->ope_debug_buf.cpu_addr);
					break;
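Review bot: The new bound in cam_ope_dump_req_data adds `offset` and `len` before comparing the sum with `size`, so on a build where size_t is 32 bits the sum can wrap and an oversized pair would pass the check; both values are copied from `cmd_buf->offset` and `cmd_buf->length` in the third hunk, which the commit message describes as supplied by UMD. A subtraction-first form does not wrap: `ope_req->ope_debug_buf.offset > ope_req->ope_debug_buf.size ||` followed by `ope_req->ope_debug_buf.len > ope_req->ope_debug_buf.size - ope_req->ope_debug_buf.offset`. The CAM_ERR format string also prints a `sizeof` result and the size_t `len` with `%d`, and the uint32_t `size` and `offset` with `%d`; `"Invalid debug buf, size %zu %u len %zu off %u"` matches the types declared in struct ope_debug_buffer. The cast of `cpu_addr` to the dump struct on the hunk's last line does not show whether `cpu_addr` already includes `offset`, so it is worth confirming that the write starts where the check assumes. The function bodies start and end outside the hunks.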
+2 −0
@@ -225,12 +225,14 @@ struct cdm_dmi_cmd {
 * @iova_addr:        IOVA address
 * @len:              Buffer length
 * @size:             Buffer Size
 * @offset:	      buffer offset
 */
struct ope_debug_buffer {
	uintptr_t cpu_addr;
	dma_addr_t iova_addr;
	size_t len;
	uint32_t size;
	uint32_t offset;
};

/**
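Review bot: The kernel-doc for struct ope_debug_buffer does not say how `@len`, `@size` and `@offset` differ ("Buffer length", "Buffer Size", "buffer offset"), and this same commit changes which value is stored in `len` and `size` in the .c file, so the distinction is easy to get wrong again. I would spell it out, for example `@len: length of the debug region requested in the command buffer`, `@size: size of the mapped buffer backing cpu_addr` and `@offset: offset of the debug region inside that buffer`, with the wording confirmed against the command-buffer code, which is not visible here. `size` is a uint32_t while `len` is a size_t, so if the local `len` now assigned to `size` is a size_t the store narrows on 64-bit builds; a one-line comment on the field stating the expected range would make that explicit. The new `@offset` line is also indented with a tab where its neighbours use spaces.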