Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4638ef11 authored by Shravya Samala's avatar Shravya Samala Committed by Gerrit - the friendly Code Review server
Browse files

msm: camera: lrme: BL command length validation at LRME 



This change is to validate BL commands length and addresses
before submitting to CDM. Also as part of recovery
avoid moving wrong packet submit request
to pending queue.

CRs-Fixed: 2576948
Change-Id: I47ef05e38a2eb179f7267e2316fe54f51d0097aa
Signed-off-by: default avatarShravya Samala <shravyas@codeaurora.org>
parent 6d50cef7

drivers/media/platform/msm/camera/cam_lrme/lrme_hw_mgr/cam_lrme_hw_mgr.c

+46 −15
Original line number Diff line number Diff line 
/* Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.

/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -261,6 +261,8 @@ static int cam_lrme_mgr_util_prepare_hw_update_entries( 
	uint32_t kmd_buf_used_bytes = 0;

	struct cam_hw_update_entry *hw_entry;

	struct cam_cmd_buf_desc *cmd_desc = NULL;

	uintptr_t vaddr_ptr = 0;

	size_t len = 0;



	hw_device = config_args->hw_device;

	if (!hw_device) {
@@ -330,7 +332,17 @@ static int cam_lrme_mgr_util_prepare_hw_update_entries( 
			CAM_ERR(CAM_LRME, "Exceed max num of entry");

			return -EINVAL;

		}

		rc = cam_mem_get_cpu_buf(cmd_desc[i].mem_handle,

			 &vaddr_ptr, &len);



		if (rc || (!vaddr_ptr) || (!len)) {

			CAM_ERR(CAM_LRME,

				"hdl=%x vaddr=%pK offset=%d cmdBufflen=%d cmdlen=%d index=%d num_cmd_buf=%d",

				cmd_desc[i].mem_handle, (void *)vaddr_ptr,

				cmd_desc[i].offset, cmd_desc[i].length, len, i,

				prepare->packet->num_cmd_buf);

			return -EINVAL;

		}

		hw_entry[num_entry].handle = cmd_desc[i].mem_handle;

		hw_entry[num_entry].len = cmd_desc[i].length;

		hw_entry[num_entry].offset = cmd_desc[i].offset;
@@ -425,22 +437,27 @@ static int cam_lrme_mgr_util_submit_req(void *priv, void *data) 
			CAM_LRME_HW_CMD_SUBMIT,

			&submit_args, sizeof(struct cam_lrme_hw_submit_args));



		if (rc == -EBUSY)

			CAM_DBG(CAM_LRME, "device busy");

		else if (rc)

			CAM_ERR(CAM_LRME, "submit request failed rc %d", rc);

		if (rc) {

			req_prio == 0 ? spin_lock(&hw_device->high_req_lock) :

			if (rc == -EBUSY) {

				CAM_DBG(CAM_LRME, "device busy");



				req_prio == 0 ?

					spin_lock(&hw_device->high_req_lock) :

					spin_lock(&hw_device->normal_req_lock);

				list_add(&frame_req->frame_list,

					(req_prio == 0 ?

					&hw_device->frame_pending_list_high :

					&hw_device->frame_pending_list_normal));

			req_prio == 0 ? spin_unlock(&hw_device->high_req_lock) :

				spin_unlock(&hw_device->normal_req_lock);

		}

		if (rc == -EBUSY)

				req_prio == 0 ?

					spin_unlock(&hw_device->high_req_lock) :

					spin_unlock(

						&hw_device->normal_req_lock);

				rc = 0;

			} else

				CAM_ERR(CAM_LRME,

					"submit request failed for frame req id: %llu rc %d",

					frame_req->req_id, rc);

		}

	} else {

		req_prio == 0 ? spin_lock(&hw_device->high_req_lock) :

			spin_lock(&hw_device->normal_req_lock);
@@ -734,6 +751,20 @@ static int cam_lrme_mgr_hw_flush(void *hw_mgr_priv, void *hw_flush_args) 
		goto end;

	}



	spin_lock(&hw_device->high_req_lock);

	list_for_each_entry(frame_req, &hw_device->frame_pending_list_high,

		frame_list) {

		list_del_init(&frame_req->frame_list);

	}

	spin_unlock(&hw_device->high_req_lock);



	spin_lock(&hw_device->normal_req_lock);

	list_for_each_entry(frame_req, &hw_device->frame_pending_list_normal,

		frame_list) {

		list_del_init(&frame_req->frame_list);

	}

	spin_unlock(&hw_device->normal_req_lock);



	req_list = (struct cam_lrme_frame_request **)args->flush_req_pending;

	for (i = 0; i < args->num_req_pending; i++) {

		frame_req = req_list[i];