Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7f0041eb authored by Jeyaprakash Soundrapandian's avatar Jeyaprakash Soundrapandian Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: camera: Add validation check for cpu buffers before accessing" into dev/msm-4.14-camx

parents 663ff1ae ee26a0af

drivers/media/platform/msm/camera/cam_cdm/cam_cdm_hw_core.c

+8 −0
Original line number Diff line number Diff line
@@ -482,6 +482,14 @@ int cam_hw_cdm_submit_bl(struct cam_hw_info *cdm_hw, 


		if ((!rc) && (hw_vaddr_ptr) && (len) &&

			(len >= cdm_cmd->cmd[i].offset)) {



			if ((len - cdm_cmd->cmd[i].offset) <

				cdm_cmd->cmd[i].len) {

				CAM_ERR(CAM_CDM, "Not enough buffer");

				rc = -EINVAL;

				break;

			}



			CAM_DBG(CAM_CDM, "Got the HW VA");

			if (core->bl_tag >=

				(CAM_CDM_HWFIFO_SIZE - 1))

drivers/media/platform/msm/camera/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c

+9 −0
Original line number Diff line number Diff line
@@ -596,6 +596,15 @@ static int cam_fd_mgr_util_prepare_io_buf_info(int32_t iommu_hdl, 
					return -ENOMEM;

				}



				if (io_cfg[i].offsets[plane] >= size) {

					CAM_ERR(CAM_FD,

						"Invalid cpu buf %d %d %d",

						io_cfg[i].direction,

						io_cfg[i].resource_type, plane);

					rc = -EINVAL;

					goto rel_cpu_buf;

				}



				io_addr[plane] += io_cfg[i].offsets[plane];

			}

drivers/media/platform/msm/camera/cam_icp/cam_icp_context.c

+6 −0
Original line number Diff line number Diff line
@@ -137,6 +137,12 @@ static int __cam_icp_config_dev_in_ready(struct cam_context *ctx, 
		return rc;

	}



	if ((len < sizeof(struct cam_packet)) ||

		(cmd->offset >= (len - sizeof(struct cam_packet)))) {

		CAM_ERR(CAM_CTXT, "Not enough buf");

		return -EINVAL;

	}



	packet = (struct cam_packet *) ((uint8_t *)packet_addr +

		(uint32_t)cmd->offset);

drivers/media/platform/msm/camera/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c

+11 −0
Original line number Diff line number Diff line
@@ -3449,6 +3449,17 @@ static int cam_icp_mgr_process_cmd_desc(struct cam_icp_hw_mgr *hw_mgr, 
				goto rel_cmd_buf;

			}

			*fw_cmd_buf_iova_addr = addr;



			if (cmd_desc[i].offset >= len ||

				((len - cmd_desc[i].offset) <

				cmd_desc[i].size)){

				CAM_ERR(CAM_ICP,

					"Invalid offset/length, i %d offset 0x%x len 0x%x size 0x%x",

					i, cmd_desc[i].offset,

					len, cmd_desc[i].size);

				goto rel_cmd_buf;

			}



			*fw_cmd_buf_iova_addr =

				(*fw_cmd_buf_iova_addr + cmd_desc[i].offset);

			rc = cam_mem_get_cpu_buf(cmd_desc[i].mem_handle,

drivers/media/platform/msm/camera/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c

+6 −0
Original line number Diff line number Diff line
@@ -157,6 +157,12 @@ static int cam_jpeg_mgr_process_irq(void *priv, void *data) 


	cmd_buf_kaddr = (uint32_t *)kaddr;



	if ((p_cfg_req->hw_cfg_args.hw_update_entries[CAM_JPEG_PARAM].offset /

			sizeof(uint32_t)) >= cmd_buf_len) {

		CAM_ERR(CAM_JPEG, "Not enough buf");

		return -EINVAL;

	}



	cmd_buf_kaddr =

		(cmd_buf_kaddr +

		(p_cfg_req->hw_cfg_args.hw_update_entries[CAM_JPEG_PARAM].offset