msm: camera: reqmgr: reader writer locks to avoid memory faults

Shared memory is initialized by CRM and used by
other drivers; with CRM not active other drivers
would fail to access the shared memory if
memory manager is deinit. Reader Writer locks can
prevent the open/close/ioctl calls from other drivers
if CRM open/close is already being processed.

Issue observed with the below sequence if drivers
are opened from UMD directly without this change.
CRM Open successful,ICP open successful,
CRM close in progress, ICP open successful,
mem mgr deinit and CRM close successful,
ICP tries to access HFI memory and result in crash.

This change helps to serialze the calls and prevents
issue.

CRs-Fixed: 3019488
Change-Id: I84d50918713686a067c0e3deb64c9c6ae9edfcb5
Signed-off-by: Tejas Prajapati <[email protected]>

drivers/cam_core/cam_subdev.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2018, 2021 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include "cam_subdev.h"
@@ -54,8 +55,10 @@ static long cam_subdev_ioctl(struct v4l2_subdev *sd, unsigned int cmd,
 
 	switch (cmd) {
 	case VIDIOC_CAM_CONTROL:
+		cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
 		rc = cam_node_handle_ioctl(node,
 			(struct cam_control *) arg);
+		cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 		break;
 	case CAM_SD_SHUTDOWN:
 		if (!cam_req_mgr_is_shutdown()) {

drivers/cam_fd/cam_fd_dev.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/device.h>
@@ -44,8 +45,11 @@ static int cam_fd_dev_open(struct v4l2_subdev *sd,
 {
 	struct cam_fd_dev *fd_dev = &g_fd_dev;
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
+
 	if (!fd_dev->probe_done) {
 		CAM_ERR(CAM_FD, "FD Dev not initialized, fd_dev=%pK", fd_dev);
+		cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 		return -ENODEV;
 	}
 
@@ -54,6 +58,8 @@ static int cam_fd_dev_open(struct v4l2_subdev *sd,
 	CAM_DBG(CAM_FD, "FD Subdev open count %d", fd_dev->open_cnt);
 	mutex_unlock(&fd_dev->lock);
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
+
 	return 0;
 }
 

drivers/cam_icp/cam_icp_subdev.c

@@ -121,6 +121,8 @@ static int cam_icp_subdev_open(struct v4l2_subdev *sd,
 	struct cam_node *node = v4l2_get_subdevdata(sd);
 	int rc = 0;
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
+
 	mutex_lock(&g_icp_dev.icp_lock);
 	if (g_icp_dev.open_cnt >= 1) {
 		CAM_ERR(CAM_ICP, "ICP subdev is already opened");
@@ -143,6 +145,7 @@ static int cam_icp_subdev_open(struct v4l2_subdev *sd,
 	g_icp_dev.open_cnt++;
 end:
 	mutex_unlock(&g_icp_dev.icp_lock);
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 	return rc;
 }
 

drivers/cam_isp/cam_isp_dev.c

@@ -81,10 +81,14 @@ static const struct of_device_id cam_isp_dt_match[] = {
 static int cam_isp_subdev_open(struct v4l2_subdev *sd,
 	struct v4l2_subdev_fh *fh)
 {
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
+
 	mutex_lock(&g_isp_dev.isp_mutex);
 	g_isp_dev.open_cnt++;
 	mutex_unlock(&g_isp_dev.isp_mutex);
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
+
 	return 0;
 }
 

drivers/cam_jpeg/cam_jpeg_dev.c

@@ -95,10 +95,12 @@ static const struct of_device_id cam_jpeg_dt_match[] = {
 static int cam_jpeg_subdev_open(struct v4l2_subdev *sd,
 	struct v4l2_subdev_fh *fh)
 {
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
 
 	mutex_lock(&g_jpeg_dev.jpeg_mutex);
 	g_jpeg_dev.open_cnt++;
 	mutex_unlock(&g_jpeg_dev.jpeg_mutex);
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 
 	return 0;
 }

drivers/cam_lrme/cam_lrme_dev.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/device.h>
@@ -59,9 +60,12 @@ static int cam_lrme_dev_open(struct v4l2_subdev *sd,
 {
 	struct cam_lrme_dev *lrme_dev = g_lrme_dev;
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
+
 	if (!lrme_dev) {
 		CAM_ERR(CAM_LRME,
 			"LRME Dev not initialized, dev=%pK", lrme_dev);
+		cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 		return -ENODEV;
 	}
 
@@ -69,6 +73,8 @@ static int cam_lrme_dev_open(struct v4l2_subdev *sd,
 	lrme_dev->open_cnt++;
 	mutex_unlock(&lrme_dev->lock);
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
+
 	return 0;
 }
 

drivers/cam_ope/cam_ope_subdev.c

@@ -85,6 +85,8 @@ static int cam_ope_subdev_open(struct v4l2_subdev *sd,
 	struct cam_node *node = v4l2_get_subdevdata(sd);
 	int rc = 0;
 
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_LOCK);
+
 	mutex_lock(&g_ope_dev.ope_lock);
 	if (g_ope_dev.open_cnt >= 1) {
 		CAM_ERR(CAM_OPE, "OPE subdev is already opened");
@@ -108,6 +110,7 @@ static int cam_ope_subdev_open(struct v4l2_subdev *sd,
 	CAM_DBG(CAM_OPE, "OPE HW open success: %d", rc);
 end:
 	mutex_unlock(&g_ope_dev.ope_lock);
+	cam_req_mgr_rwsem_read_op(CAM_SUBDEV_UNLOCK);
 	return rc;
 }
 

drivers/cam_req_mgr/cam_req_mgr_dev.c

@@ -9,6 +9,7 @@
 #include <linux/platform_device.h>
 #include <linux/highmem.h>
 #include <linux/types.h>
+#include <linux/rwsem.h>
 
 #include <mm/slab.h>
 
@@ -36,6 +37,8 @@ static struct cam_req_mgr_device g_dev;
 struct kmem_cache *g_cam_req_mgr_timer_cachep;
 static struct list_head cam_req_mgr_ordered_sd_list;
 
+DECLARE_RWSEM(rwsem_lock);
+
 static struct device_attribute camera_debug_sysfs_attr =
 	__ATTR(debug_node, 0600, NULL, cam_debug_sysfs_node_store);
 
@@ -104,10 +107,28 @@ static void cam_v4l2_device_cleanup(void)
 	g_dev.v4l2_dev = NULL;
 }
 
+void cam_req_mgr_rwsem_read_op(enum cam_subdev_rwsem lock)
+{
+	if (lock == CAM_SUBDEV_LOCK)
+		down_read(&rwsem_lock);
+	else if (lock == CAM_SUBDEV_UNLOCK)
+		up_read(&rwsem_lock);
+}
+
+static void cam_req_mgr_rwsem_write_op(enum cam_subdev_rwsem lock)
+{
+	if (lock == CAM_SUBDEV_LOCK)
+		down_write(&rwsem_lock);
+	else if (lock == CAM_SUBDEV_UNLOCK)
+		up_write(&rwsem_lock);
+}
+
 static int cam_req_mgr_open(struct file *filep)
 {
 	int rc;
 
+	cam_req_mgr_rwsem_write_op(CAM_SUBDEV_LOCK);
+
 	mutex_lock(&g_dev.cam_lock);
 	if (g_dev.open_cnt >= 1) {
 		rc = -EALREADY;
@@ -133,12 +154,14 @@ static int cam_req_mgr_open(struct file *filep)
 	}
 
 	mutex_unlock(&g_dev.cam_lock);
+	cam_req_mgr_rwsem_write_op(CAM_SUBDEV_UNLOCK);
 	return rc;
 
 mem_mgr_init_fail:
 	v4l2_fh_release(filep);
 end:
 	mutex_unlock(&g_dev.cam_lock);
+	cam_req_mgr_rwsem_write_op(CAM_SUBDEV_UNLOCK);
 	return rc;
 }
 
@@ -168,10 +191,14 @@ static int cam_req_mgr_close(struct file *filep)
 	CAM_WARN(CAM_CRM,
 		"release invoked associated userspace process has died, open_cnt: %d",
 		g_dev.open_cnt);
+
+	cam_req_mgr_rwsem_write_op(CAM_SUBDEV_LOCK);
+
 	mutex_lock(&g_dev.cam_lock);
 
 	if (g_dev.open_cnt <= 0) {
 		mutex_unlock(&g_dev.cam_lock);
+		cam_req_mgr_rwsem_write_op(CAM_SUBDEV_UNLOCK);
 		return -EINVAL;
 	}
 
@@ -202,6 +229,8 @@ static int cam_req_mgr_close(struct file *filep)
 	cam_mem_mgr_deinit();
 	mutex_unlock(&g_dev.cam_lock);
 
+	cam_req_mgr_rwsem_write_op(CAM_SUBDEV_UNLOCK);
+
 	return 0;
 }
 

drivers/cam_req_mgr/cam_req_mgr_util.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #define pr_fmt(fmt) "CAM-REQ-MGR_UTIL %s:%d " fmt, __func__, __LINE__
@@ -14,6 +15,7 @@
 #include <media/cam_req_mgr.h>
 #include "cam_req_mgr_util.h"
 #include "cam_debug_util.h"
+#include "cam_subdev.h"
 
 static struct cam_req_mgr_util_hdl_tbl *hdl_tbl;
 static DEFINE_SPINLOCK(hdl_tbl_lock);
@@ -162,6 +164,13 @@ int32_t cam_create_device_hdl(struct cam_create_dev_hdl *hdl_data)
 	int idx;
 	int rand = 0;
 	int32_t handle;
+	bool crm_active;
+
+	crm_active = cam_req_mgr_is_open();
+	if (!crm_active) {
+		CAM_ERR(CAM_ICP, "CRM is not ACTIVE");
+		return -EINVAL;
+	}
 
 	spin_lock_bh(&hdl_tbl_lock);
 	if (!hdl_tbl) {

drivers/cam_req_mgr/cam_subdev.h

@@ -30,6 +30,11 @@ enum cam_subdev_close_seq_priority {
 	CAM_SD_CLOSE_LOW_PRIORITY
 };
 
+enum cam_subdev_rwsem {
+	CAM_SUBDEV_LOCK = 1,
+	CAM_SUBDEV_UNLOCK,
+};
+
 /**
  * struct cam_subdev - describes a camera sub-device
  *
@@ -132,6 +137,15 @@ int cam_register_subdev(struct cam_subdev *sd);
  */
 int cam_unregister_subdev(struct cam_subdev *sd);
 
+/**
+ * cam_req_mgr_rwsem_read_op()
+ *
+ * @brief : API to acquire read semaphore lock to platform framework.
+ *
+ * @lock  : value indicates to lock or unlock the read lock
+ */
+void cam_req_mgr_rwsem_read_op(enum cam_subdev_rwsem lock);
+
 /**
  * cam_req_mgr_is_open()
  *

drivers/cam_sensor_module/cam_actuator/cam_actuator_core.c

@@ -865,6 +865,11 @@ int32_t cam_actuator_driver_cmd(struct cam_actuator_ctrl_t *a_ctrl,
 
 		actuator_acq_dev.device_handle =
 			cam_create_device_hdl(&bridge_params);
+		if (actuator_acq_dev.device_handle <= 0) {
+			rc = -EFAULT;
+			CAM_ERR(CAM_ACTUATOR, "Can not create device handle");
+			goto release_mutex;
+		}
 		a_ctrl->bridge_intf.device_hdl = actuator_acq_dev.device_handle;
 		a_ctrl->bridge_intf.session_hdl =
 			actuator_acq_dev.session_handle;

drivers/cam_sensor_module/cam_csiphy/cam_csiphy_core.c

@@ -1847,6 +1847,12 @@ int32_t cam_csiphy_core_cfg(void *phy_dev,
 		index = csiphy_dev->acquire_count;
 		csiphy_acq_dev.device_handle =
 			cam_create_device_hdl(&bridge_params);
+		if (csiphy_acq_dev.device_handle <= 0) {
+			rc = -EFAULT;
+			CAM_ERR(CAM_CSIPHY, "Can not create device handle");
+			goto release_mutex;
+		}
+
 		csiphy_dev->csiphy_info[index].hdl_data.device_hdl =
 			csiphy_acq_dev.device_handle;
 		csiphy_dev->csiphy_info[index].hdl_data.session_hdl =

drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c

@@ -361,6 +361,10 @@ static int32_t cam_eeprom_get_dev_handle(struct cam_eeprom_ctrl_t *e_ctrl,
 
 	eeprom_acq_dev.device_handle =
 		cam_create_device_hdl(&bridge_params);
+	if (eeprom_acq_dev.device_handle <= 0) {
+		CAM_ERR(CAM_EEPROM, "Can not create device handle");
+		return -EFAULT;
+	}
 	e_ctrl->bridge_intf.device_hdl = eeprom_acq_dev.device_handle;
 	e_ctrl->bridge_intf.session_hdl = eeprom_acq_dev.session_handle;
 

drivers/cam_sensor_module/cam_flash/cam_flash_dev.c

@@ -67,6 +67,11 @@ static int32_t cam_flash_driver_cmd(struct cam_flash_ctrl *fctrl,
 
 		flash_acq_dev.device_handle =
 			cam_create_device_hdl(&bridge_params);
+		if (flash_acq_dev.device_handle <= 0) {
+			rc = -EFAULT;
+			CAM_ERR(CAM_FLASH, "Can not create device handle");
+			goto release_mutex;
+		}
 		fctrl->bridge_intf.device_hdl =
 			flash_acq_dev.device_handle;
 		fctrl->bridge_intf.session_hdl =

drivers/cam_sensor_module/cam_ois/cam_ois_core.c

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include <linux/module.h>
@@ -86,6 +87,10 @@ static int cam_ois_get_dev_handle(struct cam_ois_ctrl_t *o_ctrl,
 
 	ois_acq_dev.device_handle =
 		cam_create_device_hdl(&bridge_params);
+	if (ois_acq_dev.device_handle <= 0) {
+		CAM_ERR(CAM_OIS, "Can not create device handle");
+		return -EFAULT;
+	}
 	o_ctrl->bridge_intf.device_hdl = ois_acq_dev.device_handle;
 	o_ctrl->bridge_intf.session_hdl = ois_acq_dev.session_handle;
 

drivers/cam_sensor_module/cam_sensor/cam_sensor_core.c

@@ -968,6 +968,11 @@ int32_t cam_sensor_driver_cmd(struct cam_sensor_ctrl_t *s_ctrl,
 
 		sensor_acq_dev.device_handle =
 			cam_create_device_hdl(&bridge_params);
+		if (sensor_acq_dev.device_handle <= 0) {
+			rc = -EFAULT;
+			CAM_ERR(CAM_SENSOR, "Can not create device handle");
+			goto release_mutex;
+		}
 		s_ctrl->bridge_intf.device_hdl = sensor_acq_dev.device_handle;
 		s_ctrl->bridge_intf.session_hdl = sensor_acq_dev.session_handle;