Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1468e8ad authored by Andy Sun's avatar Andy Sun Committed by Terence Ho
Browse files

ais: Port bounds checking from camera_v2 



Port bounds check fixes from camera_v2 branch
to address security issues.
CRs-fixed: 2006015 2005647 2008469 1110793

Change-Id: I503db2e186644ac5d1e371c902de33f5f76f9d69
Signed-off-by: default avatarTerence Ho <terenceh@codeaurora.org>
parent 436612f5

drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c

+12 −0
Original line number Diff line number Diff line
@@ -601,6 +601,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev, 
	int i;

	uint32_t stats_mask = 0, idx;



	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {

		pr_err("%s invalid num_streams %d\n", __func__,

			stream_cfg_cmd->num_streams);

		return -EINVAL;

	}



	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);
@@ -672,12 +678,18 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev, 
	struct msm_vfe_stats_stream *stream_info;

	struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data;



	if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) {

		pr_err("%s invalid num_streams %d\n", __func__,

			stream_cfg_cmd->num_streams);

		return -EINVAL;

	}

	num_stats_comp_mask =

		vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask;

	rc = vfe_dev->hw_info->vfe_ops.stats_ops.check_streams(

		stats_data->stream_info);

	if (rc < 0)

		return rc;



	for (i = 0; i < stream_cfg_cmd->num_streams; i++) {

		idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]);

drivers/media/platform/msm/ais/isp/msm_isp_util.c

+5 −0
Original line number Diff line number Diff line
@@ -678,6 +678,11 @@ static int msm_isp_set_dual_HW_master_slave_mode( 
	}

	ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id,

		dual_hw_ms_cmd->num_src);

	if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) {

		pr_err("%s: Error! Invalid num_src %d\n", __func__,

			dual_hw_ms_cmd->num_src);

		return -EINVAL;

	}

	/* This for loop is for non-primary intf to be marked with Master/Slave

	 * in order for frame id sync. But their timestamp is not saved.

	 * So no sof_info resource is allocated */

drivers/media/platform/msm/ais/ispif/msm_ispif.c

+1 −1
Original line number Diff line number Diff line
@@ -74,7 +74,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) 




static inline int msm_ispif_is_intf_valid(uint32_t csid_version,

	uint8_t intf_type)

	enum msm_ispif_vfe_intf intf_type)

{

	return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ||

		(intf_type >= VFE_MAX)) ? false : true;

drivers/media/platform/msm/ais/sensor/csid/msm_csid.c

+7 −0
Original line number Diff line number Diff line
@@ -61,6 +61,7 @@ 
#define TRUE   1

#define FALSE  0



#define MAX_LANE_COUNT 4

#define CSID_TIMEOUT msecs_to_jiffies(100)



#undef CDBG
@@ -318,6 +319,12 @@ static int msm_csid_config(struct csid_device *csid_dev) 
		csid_params->lane_assign);

	CDBG("%s csid_params phy_sel = %d\n", __func__,

		csid_params->phy_sel);

	if ((csid_params->lane_cnt == 0) ||

		(csid_params->lane_cnt > MAX_LANE_COUNT)) {

		pr_err("%s:%d invalid lane count = %d\n",

			__func__, __LINE__, csid_params->lane_cnt);

		return -EINVAL;

	}



#ifdef RESET_CSID_CFG

	rc = msm_csid_reset(csid_dev);