Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2fe83f72 authored by Hariram Purushothaman's avatar Hariram Purushothaman
Browse files

msm: camera: Fix invalid access of vb2 buffer 



vb2 buffers in camera generic buffer manager should
be accessed only in get buff on success. In other calls
we should not access without validation of the buffer
which is done only as part of msm vb2 driver.

CRs-Fixed: 2007389
Change-Id: Iae57ca1389ebc5ffd0a4a88e132ad30b205f7c9e
Signed-off-by: default avatarHariram Purushothaman <hariramp@codeaurora.org>
parent 3ba1a36a

drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c

+4 −7
Original line number Original line Diff line number Diff line 
/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.

/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.

 *

 *

 * This program is free software; you can redistribute it and/or modify

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

 * it under the terms of the GNU General Public License version 2 and
@@ -149,10 +149,7 @@ static int32_t msm_buf_mngr_buf_done(struct msm_buf_mngr_device *buf_mngr_dev, 
	list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {

	list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {

		if ((bufs->session_id == buf_info->session_id) &&

		if ((bufs->session_id == buf_info->session_id) &&

			(bufs->stream_id == buf_info->stream_id) &&

			(bufs->stream_id == buf_info->stream_id) &&

			(bufs->vb2_v4l2_buf->vb2_buf.index ==

			(bufs->index == buf_info->index)) {

				buf_info->index)) {

			bufs->vb2_v4l2_buf->sequence  = buf_info->frame_id;

			bufs->vb2_v4l2_buf->timestamp = buf_info->timestamp;

			ret = buf_mngr_dev->vb2_ops.buf_done

			ret = buf_mngr_dev->vb2_ops.buf_done

					(bufs->vb2_v4l2_buf,

					(bufs->vb2_v4l2_buf,

						buf_info->session_id,

						buf_info->session_id,
@@ -181,7 +178,7 @@ static int32_t msm_buf_mngr_put_buf(struct msm_buf_mngr_device *buf_mngr_dev, 
	list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {

	list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {

		if ((bufs->session_id == buf_info->session_id) &&

		if ((bufs->session_id == buf_info->session_id) &&

			(bufs->stream_id == buf_info->stream_id) &&

			(bufs->stream_id == buf_info->stream_id) &&

			(bufs->vb2_v4l2_buf->vb2_buf.index == buf_info->index)) {

			(bufs->index == buf_info->index)) {

			ret = buf_mngr_dev->vb2_ops.put_buf(bufs->vb2_v4l2_buf,

			ret = buf_mngr_dev->vb2_ops.put_buf(bufs->vb2_v4l2_buf,

				buf_info->session_id, buf_info->stream_id);

				buf_info->session_id, buf_info->stream_id);

			list_del_init(&bufs->entry);

			list_del_init(&bufs->entry);
@@ -214,7 +211,7 @@ static int32_t msm_generic_buf_mngr_flush( 
						buf_info->session_id,

						buf_info->session_id,

						buf_info->stream_id, 0, &ts, 0);

						buf_info->stream_id, 0, &ts, 0);

			pr_err("Bufs not flushed: str_id = %d buf_index = %d ret = %d\n",

			pr_err("Bufs not flushed: str_id = %d buf_index = %d ret = %d\n",

			buf_info->stream_id, bufs->vb2_v4l2_buf->vb2_buf.index,

			buf_info->stream_id, bufs->index,

			ret);

			ret);

			list_del_init(&bufs->entry);

			list_del_init(&bufs->entry);

			kfree(bufs);

			kfree(bufs);