
Commit 3eb45f50 authored by Lakshmi Narayana Kalavala

msm: camera: Handle array out of bounds and null pointer dereferences



Add checks for array size while accessing arrays and also
handle null pointer dereferences in ISP drivers

Change-Id: I4d22b8c0500119f17925070a63bcc7533be3b492
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
parent 0dea33bc
+16 −0
@@ -302,6 +302,10 @@ static int msm_isp_buf_unprepare(struct msm_isp_buf_mgr *buf_mgr,

	for (i = 0; i < bufq->num_bufs; i++) {
		buf_info = msm_isp_get_buf_ptr(buf_mgr, buf_handle, i);
		if (!buf_info) {
			pr_err("%s: buf not found\n", __func__);
			return rc;
		}
		if (buf_info->state == MSM_ISP_BUFFER_STATE_UNUSED ||
				buf_info->state ==
					MSM_ISP_BUFFER_STATE_INITIALIZED)
@@ -675,11 +679,19 @@ static int msm_isp_buf_enqueue(struct msm_isp_buf_mgr *buf_mgr,
	if (buf_state == MSM_ISP_BUFFER_STATE_DIVERTED) {
		buf_info = msm_isp_get_buf_ptr(buf_mgr,
						info->handle, info->buf_idx);
		if (!buf_info) {
			pr_err("%s: buf not found\n", __func__);
			return rc;
		}
		if (info->dirty_buf) {
			rc = msm_isp_put_buf(buf_mgr,
				info->handle, info->buf_idx);
		} else {
			bufq = msm_isp_get_bufq(buf_mgr, info->handle);
			if (!bufq) {
				pr_err("%s: Invalid bufq\n", __func__);
				return rc;
			}
			if (BUF_SRC(bufq->stream_id))
				pr_err("%s: Invalid native buffer state\n",
					__func__);
@@ -690,6 +702,10 @@ static int msm_isp_buf_enqueue(struct msm_isp_buf_mgr *buf_mgr,
		}
	} else {
		bufq = msm_isp_get_bufq(buf_mgr, info->handle);
		if (!bufq) {
			pr_err("%s: Invalid bufq\n", __func__);
			return rc;
			}
		if (MSM_ISP_BUFFER_SRC_HAL != BUF_SRC(bufq->stream_id)) {
			rc = msm_isp_put_buf(buf_mgr,
					info->handle, info->buf_idx);
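Review bot: The four new NULL-check branches all exit with `return rc;`, and the value `rc` holds at those points is not visible in these hunks (both functions start above them); if `rc` is still 0 there, a missing buffer or buffer queue is reported to the caller as success. An explicit error such as `return -EINVAL;` in each branch of msm_isp_buf_unprepare and msm_isp_buf_enqueue would make the failure unambiguous. In msm_isp_buf_unprepare the early return also leaves the loop with the remaining buffers unprocessed, which deserves a short comment if it is intended. The closing brace of the last `if (!bufq)` block in msm_isp_buf_enqueue is indented one tab too deep.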
+28 −12
@@ -260,16 +260,26 @@ static int vfe_probe(struct platform_device *pdev)
	};

	vfe_dev = kzalloc(sizeof(struct vfe_device), GFP_KERNEL);
	vfe_dev->stats = kzalloc(sizeof(struct msm_isp_statistics), GFP_KERNEL);
	if (!vfe_dev) {
		pr_err("%s: no enough memory\n", __func__);
		return -ENOMEM;
		rc = -ENOMEM;
		goto end;
	}
	vfe_dev->stats = kzalloc(sizeof(struct msm_isp_statistics), GFP_KERNEL);
	if (!vfe_dev->stats) {
		pr_err("%s: no enough memory\n", __func__);
		rc = -ENOMEM;
		goto probe_fail1;
	}

	if (pdev->dev.of_node) {
		of_property_read_u32((&pdev->dev)->of_node,
			"cell-index", &pdev->id);
		match_dev = of_match_device(msm_vfe_dt_match, &pdev->dev);
		if (!match_dev) {
			pr_err("%s: No vfe hardware info\n", __func__);
			rc = -EINVAL;
			goto probe_fail2;
		}
		vfe_dev->hw_info =
			(struct msm_vfe_hardware_info *) match_dev->data;
	} else {
@@ -279,7 +289,8 @@ static int vfe_probe(struct platform_device *pdev)

	if (!vfe_dev->hw_info) {
		pr_err("%s: No vfe hardware info\n", __func__);
		return -EINVAL;
		rc = -EINVAL;
		goto probe_fail2;
	}
	ISP_DBG("%s: device id = %d\n", __func__, pdev->id);

@@ -287,8 +298,8 @@ static int vfe_probe(struct platform_device *pdev)
	rc = vfe_dev->hw_info->vfe_ops.core_ops.get_platform_data(vfe_dev);
	if (rc < 0) {
		pr_err("%s: failed to get platform resources\n", __func__);
		kfree(vfe_dev);
		return -ENOMEM;
		rc = -ENOMEM;
		goto probe_fail2;
	}

	INIT_LIST_HEAD(&vfe_dev->tasklet_q);
@@ -317,8 +328,7 @@ static int vfe_probe(struct platform_device *pdev)
	rc = msm_sd_register(&vfe_dev->subdev);
	if (rc != 0) {
		pr_err("%s: msm_sd_register error = %d\n", __func__, rc);
		kfree(vfe_dev);
		goto end;
		goto probe_fail2;
	}

	msm_isp_v4l2_subdev_fops.owner = v4l2_subdev_fops.owner;
@@ -335,8 +345,8 @@ static int vfe_probe(struct platform_device *pdev)
		&vfe_vb2_ops, &vfe_layout);
	if (rc < 0) {
		pr_err("%s: Unable to create buffer manager\n", __func__);
		kfree(vfe_dev);
		return -EINVAL;
		rc = -EINVAL;
		goto probe_fail2;
	}
	/* create secure context banks*/
	if (vfe_dev->hw_info->num_iommu_secure_ctx) {
@@ -353,8 +363,8 @@ static int vfe_probe(struct platform_device *pdev)
		if (rc < 0) {
			pr_err("%s: fail to create secure domain\n", __func__);
			msm_sd_unregister(&vfe_dev->subdev);
			kfree(vfe_dev);
			return -EINVAL;
			rc = -EINVAL;
			goto probe_fail2;
		}
	}
	msm_isp_enable_debugfs(vfe_dev->stats);
@@ -365,6 +375,12 @@ static int vfe_probe(struct platform_device *pdev)

	vfe_dev->buf_mgr->init_done = 1;
	vfe_dev->vfe_open_cnt = 0;
	return rc;

probe_fail2:
	kfree(vfe_dev->stats);
probe_fail1:
	kfree(vfe_dev);
end:
	return rc;
}
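Review bot: The buffer-manager failure path (`Unable to create buffer manager`) now jumps to `probe_fail2` and frees `vfe_dev->stats` and `vfe_dev`, but from the visible lines the subdev registered earlier by `msm_sd_register(&vfe_dev->subdev)` is still registered at that point, so the framework may be left holding a pointer into freed memory. Only the secure-domain failure path calls `msm_sd_unregister()` before the jump. A third label ahead of `probe_fail2`, `probe_fail3: msm_sd_unregister(&vfe_dev->subdev);`, used by every failure after registration, would keep the unwind order consistent. The get_platform_data failure path also replaces the returned `rc` with `-ENOMEM`, which hides the real error code. vfe_probe starts above the first hunk and the code between the hunks is not shown, so this should be confirmed against the full function.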
+2 −1
@@ -121,6 +121,7 @@ vfe_remap_failed:
				msm_vfe32_2_clk_info, vfe_dev->vfe_clk,
				ARRAY_SIZE(msm_vfe32_2_clk_info), 0);
clk_enable_failed:
	if (vfe_dev->fs_vfe)
		regulator_disable(vfe_dev->fs_vfe);
fs_failed:
	msm_isp_deinit_bandwidth_mgr(ISP_VFE0 + vfe_dev->pdev->id);
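Review bot: The new `if (vfe_dev->fs_vfe)` guard at `clk_enable_failed:` only protects against a NULL handle; how `fs_vfe` is assigned is not visible here, and if it can hold an error pointer from the regulator lookup, the guard should be `if (!IS_ERR_OR_NULL(vfe_dev->fs_vfe))`. The same guard is added in the two following file sections (the msm_vfe40 and msm_vfe44 variants), and the point applies there as well. A one-line comment such as `/* fs_vfe is optional; nothing to disable when no regulator was acquired */` would record why the check is needed, assuming that is the intent. The enclosing function starts above the hunk and continues below it.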
+2 −1
@@ -330,6 +330,7 @@ vfe_remap_failed:
	msm_cam_clk_enable(&vfe_dev->pdev->dev, msm_vfe40_clk_info,
		vfe_dev->vfe_clk, ARRAY_SIZE(msm_vfe40_clk_info), 0);
clk_enable_failed:
	if (vfe_dev->fs_vfe)
		regulator_disable(vfe_dev->fs_vfe);
fs_failed:
	msm_isp_deinit_bandwidth_mgr(ISP_VFE0 + vfe_dev->pdev->id);
+2 −1
@@ -205,6 +205,7 @@ vfe_remap_failed:
	msm_cam_clk_enable(&vfe_dev->pdev->dev, msm_vfe44_clk_info,
		vfe_dev->vfe_clk, vfe_dev->num_clk, 0);
clk_enable_failed:
	if (vfe_dev->fs_vfe)
		regulator_disable(vfe_dev->fs_vfe);
fs_failed:
	msm_isp_deinit_bandwidth_mgr(ISP_VFE0 + vfe_dev->pdev->id);