
Commit abc597ef authored by Yiduo Wang's avatar Yiduo Wang

msm: camera: Fix possible kernel panic in general buf manager



Make sure vb2_buf is in the stream's queued list before it is used, to
avoid a potential kernel panic if the memory that vb2_buf points to is
invalid.

Change-Id: I43d66e33d0544b832b31378c01af182cfe0e8d49
Signed-off-by: default avatarYiduo Wang <yiduow@codeaurora.org>
parent 67a06d8e
+20 −9
@@ -226,6 +226,7 @@ static int msm_vb2_put_buf(struct vb2_buffer *vb, int session_id,
{
	struct msm_stream *stream;
	struct msm_vb2_buffer *msm_vb2;
	struct vb2_buffer *vb2_buf = NULL;
	int rc = 0;
	unsigned long flags;
	stream = msm_get_stream(session_id, stream_id);
@@ -234,6 +235,17 @@ static int msm_vb2_put_buf(struct vb2_buffer *vb, int session_id,

	spin_lock_irqsave(&stream->stream_lock, flags);
	if (vb) {
		list_for_each_entry(msm_vb2, &(stream->queued_list), list) {
			vb2_buf = &(msm_vb2->vb2_buf);
			if (vb2_buf == vb)
				break;
		}
		if (vb2_buf != vb) {
			pr_err("VB buffer is INVALID vb=%p, ses_id=%d, str_id=%d\n",
					vb, session_id, stream_id);
			spin_unlock_irqrestore(&stream->stream_lock, flags);
			return -EINVAL;
		}
		msm_vb2 =
			container_of(vb, struct msm_vb2_buffer, vb2_buf);
		if (msm_vb2->in_freeq) {
@@ -242,7 +254,8 @@ static int msm_vb2_put_buf(struct vb2_buffer *vb, int session_id,
		} else
			rc = -EINVAL;
	} else {
		pr_err("%s: VB buffer is null\n", __func__);
		pr_err(" VB buffer is null for ses_id=%d, str_id=%d\n",
			    session_id, stream_id);
		rc = -EINVAL;
	}
	spin_unlock_irqrestore(&stream->stream_lock, flags);
@@ -269,11 +282,10 @@ static int msm_vb2_buf_done(struct vb2_buffer *vb, int session_id,
				break;
		}
		if (vb2_buf != vb) {
			pr_err("%s:%d VB buffer is INVALID vb=%p, ses_id=%d, str_id=%d\n",
				__func__, __LINE__, vb,
				session_id, stream_id);
			rc = -EINVAL;
			goto out;
			pr_err("VB buffer is INVALID ses_id=%d, str_id=%d, vb=%p\n",
				    session_id, stream_id, vb);
			spin_unlock_irqrestore(&stream->stream_lock, flags);
			return -EINVAL;
		}
		msm_vb2 =
			container_of(vb, struct msm_vb2_buffer, vb2_buf);
@@ -285,11 +297,10 @@ static int msm_vb2_buf_done(struct vb2_buffer *vb, int session_id,
		} else
			rc = -EINVAL;
	} else {
		pr_err("%s:%d VB buffer is NULL for ses_id=%d, str_id=%d\n",
			__func__, __LINE__, session_id, stream_id);
		pr_err(" VB buffer is NULL for ses_id=%d, str_id=%d\n",
			    session_id, stream_id);
		rc = -EINVAL;
	}
out:
	spin_unlock_irqrestore(&stream->stream_lock, flags);
	return rc;
}
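Review bot: The "VB buffer is INVALID" messages in msm_vb2_put_buf and msm_vb2_buf_done print the rejected pointer with `%p`, and they are emitted with plain `pr_err` while `stream_lock` is held with interrupts disabled. On kernels that print `%p` unhashed this can put a kernel address in the log, and if a caller can submit bad buffers repeatedly (not visible from these hunks) the log is flooded from inside the critical section. I would drop the pointer or use `%pK`, and rate-limit the message, e.g. `pr_err_ratelimited("VB buffer is INVALID ses_id=%d, str_id=%d\n", session_id, stream_id);`. The +/- markers are lost on this page, so which of the two message variants in msm_vb2_buf_done is the new one is inferred from print order, and both functions start outside the hunks shown.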