msm: camera: isp: Check the stream handles from user (ff9201d6) · Commits · e / devices / android_kernel_sony_msm8998

drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c

+29 −0

Original line number	Diff line number	Diff line
		@@ -2881,6 +2881,8 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev_ioctl,
		msm_isp_get_timestamp(&timestamp);

		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		if (stream_cfg_cmd->stream_handle[i] == 0)
		continue;
		stream_info = msm_isp_get_stream_common_data(vfe_dev_ioctl,
		HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]));
		if (SRC_TO_INTF(stream_info->stream_src) < VFE_SRC_MAX)
		@@ -3020,6 +3022,8 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev_ioctl,
		return -EINVAL;

		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		if (stream_cfg_cmd->stream_handle[i] == 0)
		continue;
		stream_info = msm_isp_get_stream_common_data(vfe_dev_ioctl,
		HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]));

		@@ -3046,12 +3050,37 @@ int msm_isp_cfg_axi_stream(struct vfe_device vfe_dev, void arg)
		{
		int rc = 0, ret;
		struct msm_vfe_axi_stream_cfg_cmd *stream_cfg_cmd = arg;
		uint32_t stream_idx[MAX_NUM_STREAM];
		int i;
		int vfe_idx;
		struct msm_vfe_axi_stream *stream_info;

		memset(stream_idx, 0, sizeof(stream_idx));

		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
		VFE_AXI_SRC_MAX)
		return -EINVAL;
		stream_info = msm_isp_get_stream_common_data(vfe_dev,
		HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]));
		vfe_idx = msm_isp_get_vfe_idx_for_stream_user(vfe_dev,
		stream_info);
		if (vfe_idx == -ENOTTY \|\| stream_info->stream_handle[vfe_idx] !=
		stream_cfg_cmd->stream_handle[i]) {
		pr_err("%s: Invalid stream handle %x vfe_idx %d expected %x\n",
		__func__, stream_cfg_cmd->stream_handle[i],
		vfe_idx,
		(vfe_idx != -ENOTTY) ?
		stream_info->stream_handle[vfe_idx] : 0);
		return -EINVAL;
		}
		/* check for duplicate stream handle */
		if (stream_idx[stream_info->stream_src] ==
		stream_cfg_cmd->stream_handle[i])
		stream_cfg_cmd->stream_handle[i] = 0;
		else
		stream_idx[stream_info->stream_src] =
		stream_cfg_cmd->stream_handle[i];
		}
		if (stream_cfg_cmd->cmd == START_STREAM) {
		msm_isp_axi_update_cgc_override(vfe_dev, stream_cfg_cmd, 1);

drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c

+11 −1

Original line number	Diff line number	Diff line
		@@ -960,7 +960,9 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev,
		struct msm_vfe_stats_stream *stream_info;
		uint32_t idx;
		int vfe_idx;
		uint32_t stats_idx[MSM_ISP_STATS_MAX];

		memset(stats_idx, 0, sizeof(stats_idx));
		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);

		@@ -980,6 +982,11 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev,
		stream_info->stream_handle[vfe_idx]);
		return -EINVAL;
		}
		/* remove duplicate handles */
		if (stats_idx[idx] == stream_cfg_cmd->stream_handle[i])
		stream_cfg_cmd->stream_handle[i] = 0;
		else
		stats_idx[idx] = stream_cfg_cmd->stream_handle[i];
		}
		return 0;
		}
		@@ -1083,6 +1090,8 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev_ioctl,
		num_stats_comp_mask =
		vfe_dev_ioctl->hw_info->stats_hw_info->num_stats_comp_mask;
		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
		if (stream_cfg_cmd->stream_handle[i] == 0)
		continue;
		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
		stream_info = msm_isp_get_stats_stream_common_data(
		vfe_dev_ioctl, idx);
		@@ -1169,7 +1178,8 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev,
		vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;

		for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		if (stream_cfg_cmd->stream_handle[i] == 0)
		continue;
		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);

		stream_info = msm_isp_get_stats_stream_common_data(