msm: camera: isp: Fixing OOB access while defer bufdone

This change fixes OOB access by dynamically allocating memory
for defer bufdone index array and ensuring that allocation
happens after acquire is successful.

CRs-Fixed: 3815399
Change-Id: Icdf5417a74e940ed8ab9f28ac9e0ae22c7bd3c35
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>

drivers/cam_isp/cam_isp_context.c

@@ -7285,13 +7285,6 @@ static int __cam_isp_ctx_acquire_dev_in_available(struct cam_context *ctx,
 	param.num_acq = cmd->num_resources;
 	param.acquire_info = (uintptr_t) isp_res;
 
-	rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx, &param);
-	if (rc) {
-		CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
-			ctx->ctx_id, ctx->link_hdl);
-		goto free_res;
-	}
-
 	/* call HW manager to reserve the resource */
 	rc = ctx->hw_mgr_intf->hw_acquire(ctx->hw_mgr_intf->hw_mgr_priv,
 		&param);
@@ -7301,6 +7294,13 @@ static int __cam_isp_ctx_acquire_dev_in_available(struct cam_context *ctx,
 		goto free_res;
 	}
 
+	rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx, &param);
+	if (rc) {
+		CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
+			ctx->ctx_id, ctx->link_hdl);
+		goto free_res;
+	}
+
 	/* Query the context has rdi only resource */
 	hw_cmd_args.ctxt_to_hw_map = param.ctxt_to_hw_map;
 	hw_cmd_args.cmd_type = CAM_HW_MGR_CMD_INTERNAL;
@@ -7475,14 +7475,6 @@ static int __cam_isp_ctx_acquire_hw_v1(struct cam_context *ctx,
 	param.mini_dump_cb = __cam_isp_ctx_minidump_cb;
 	param.link_hdl = ctx->link_hdl;
 
-	rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx,
-		&param);
-	if (rc) {
-		CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
-			ctx->ctx_id, ctx->link_hdl);
-		goto free_res;
-	}
-
 	/* call HW manager to reserve the resource */
 	rc = ctx->hw_mgr_intf->hw_acquire(ctx->hw_mgr_intf->hw_mgr_priv,
 		&param);
@@ -7492,6 +7484,14 @@ static int __cam_isp_ctx_acquire_hw_v1(struct cam_context *ctx,
 		goto free_res;
 	}
 
+	rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx,
+		&param);
+	if (rc) {
+		CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
+			ctx->ctx_id, ctx->link_hdl);
+		goto free_res;
+	}
+
 	ctx_isp->last_num_exp = 0;
 	ctx_isp->support_consumed_addr =
 		(param.op_flags & CAM_IFE_CTX_CONSUME_ADDR_EN);

drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c

@@ -6014,6 +6014,7 @@ static int cam_ife_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
 	uint32_t                               total_rdi_port = 0;
 	uint32_t                               in_port_length = 0;
 	uint32_t                               acquired_rdi_res = 0;
+	uint32_t                               total_ports = 0;
 
 	CAM_DBG(CAM_ISP, "Enter...");
 
@@ -6121,6 +6122,9 @@ static int cam_ife_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
 		}
 	}
 
+	total_ports = total_pix_port + total_rdi_port + total_pd_port;
+	acquire_args->total_ports_acq = total_ports;
+
 	/* Check whether context has only RDI resource */
 	if (!total_pix_port || !total_pd_port) {
 		ife_ctx->flags.is_rdi_only_context = true;

drivers/cam_isp/isp_hw_mgr/cam_tfe_hw_mgr.c

@@ -2651,7 +2651,9 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
 	uint32_t                           pdad_enable         = 0;
 	uint32_t                           total_pix_port = 0;
 	uint32_t                           total_rdi_port = 0;
+	uint32_t                           total_pd_port = 0;
 	uint32_t                           in_port_length = 0;
+	uint32_t                           total_ports = 0;
 
 	CAM_DBG(CAM_ISP, "Enter...");
 
@@ -2776,6 +2778,7 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
 				&pdad_enable);
 			total_pix_port += num_pix_port_per_in;
 			total_rdi_port += num_rdi_port_per_in;
+			total_pd_port += num_pd_port_per_in;
 
 			kfree(in_port);
 			in_port = NULL;
@@ -2792,6 +2795,9 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
 		}
 	}
 
+	total_ports = total_pix_port + total_rdi_port + total_pd_port;
+	acquire_args->total_ports_acq = total_ports;
+
 	/* Check whether context has only RDI resource */
 	if (!total_pix_port) {
 		tfe_ctx->is_rdi_only_context = 1;