msm: camera: isp: Fixing OOB access while defer bufdone

This change fixes OOB access by dynamically allocating memory
for defer bufdone index array and ensuring that allocation
happens after acquire is successful.

CRs-Fixed: 3815399
Change-Id: Icdf5417a74e940ed8ab9f28ac9e0ae22c7bd3c35
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Yash Upadhyay
2024-05-17 14:54:09 +05:30
committad av Vara Adabala
förälder 308099da62
incheckning 5c0dd69c97
3 ändrade filer med 25 tillägg och 15 borttagningar


@@ -7285,13 +7285,6 @@ static int __cam_isp_ctx_acquire_dev_in_available(struct cam_context *ctx,
param.num_acq = cmd->num_resources;
param.acquire_info = (uintptr_t) isp_res;
rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx, &param);
if (rc) {
CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
ctx->ctx_id, ctx->link_hdl);
goto free_res;
}
/* call HW manager to reserve the resource */
rc = ctx->hw_mgr_intf->hw_acquire(ctx->hw_mgr_intf->hw_mgr_priv,
&param);
@@ -7301,6 +7294,13 @@ static int __cam_isp_ctx_acquire_dev_in_available(struct cam_context *ctx,
goto free_res;
}
rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx, &param);
if (rc) {
CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
ctx->ctx_id, ctx->link_hdl);
goto free_res;
}
/* Query the context has rdi only resource */
hw_cmd_args.ctxt_to_hw_map = param.ctxt_to_hw_map;
hw_cmd_args.cmd_type = CAM_HW_MGR_CMD_INTERNAL;
@@ -7475,14 +7475,6 @@ static int __cam_isp_ctx_acquire_hw_v1(struct cam_context *ctx,
param.mini_dump_cb = __cam_isp_ctx_minidump_cb;
param.link_hdl = ctx->link_hdl;
rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx,
&param);
if (rc) {
CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
ctx->ctx_id, ctx->link_hdl);
goto free_res;
}
/* call HW manager to reserve the resource */
rc = ctx->hw_mgr_intf->hw_acquire(ctx->hw_mgr_intf->hw_mgr_priv,
&param);
@@ -7492,6 +7484,14 @@ static int __cam_isp_ctx_acquire_hw_v1(struct cam_context *ctx,
goto free_res;
}
rc = __cam_isp_ctx_allocate_mem_hw_entries(ctx,
&param);
if (rc) {
CAM_ERR(CAM_ISP, "Ctx[%u] link: 0x%x allocate hw entry fail",
ctx->ctx_id, ctx->link_hdl);
goto free_res;
}
ctx_isp->last_num_exp = 0;
ctx_isp->support_consumed_addr =
(param.op_flags & CAM_IFE_CTX_CONSUME_ADDR_EN);
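Review bot: In `__cam_isp_ctx_acquire_dev_in_available`, and again in `__cam_isp_ctx_acquire_hw_v1`, the relocated `__cam_isp_ctx_allocate_mem_hw_entries()` call now runs after `hw_acquire` has succeeded, yet its failure branch still does `goto free_res;`, the same label the failed-acquire branch just above it uses. The body of `free_res` is outside these hunks; if it only frees the acquire buffer, an allocation failure at this point would leave the hardware reserved by `hw_acquire` with no matching release, so repeated failures could exhaust ISP contexts. The error path should instead go to a label that invokes the HW manager's release for `param.ctxt_to_hw_map` before falling through to `free_res`, with a comment such as `/* HW already acquired: release it if entry allocation fails */`. Both functions start and end outside the hunks shown.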


@@ -6014,6 +6014,7 @@ static int cam_ife_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
uint32_t total_rdi_port = 0;
uint32_t in_port_length = 0;
uint32_t acquired_rdi_res = 0;
uint32_t total_ports = 0;
CAM_DBG(CAM_ISP, "Enter...");
@@ -6121,6 +6122,9 @@ static int cam_ife_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
}
}
total_ports = total_pix_port + total_rdi_port + total_pd_port;
acquire_args->total_ports_acq = total_ports;
/* Check whether context has only RDI resource */
if (!total_pix_port || !total_pd_port) {
ife_ctx->flags.is_rdi_only_context = true;
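Review bot: `total_ports = total_pix_port + total_rdi_port + total_pd_port;` is an unchecked `uint32_t` sum, and the same line is added in `cam_tfe_mgr_acquire_dev`. The per-type counters appear to be accumulated from the in-port data of the acquire request, and `acquire_args->total_ports_acq` is presumably what sizes the dynamically allocated defer bufdone index array named in the commit message; the consumer is not visible here. A wrapped or zero total would then give an array smaller than the indices later written to it, which is the class of bug this commit sets out to fix. Consider accumulating with `check_add_overflow()` and returning an error for a zero or over-limit total before storing it in `acquire_args->total_ports_acq`. Both functions begin and end outside these hunks.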


@@ -2651,7 +2651,9 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
uint32_t pdad_enable = 0;
uint32_t total_pix_port = 0;
uint32_t total_rdi_port = 0;
uint32_t total_pd_port = 0;
uint32_t in_port_length = 0;
uint32_t total_ports = 0;
CAM_DBG(CAM_ISP, "Enter...");
@@ -2776,6 +2778,7 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
&pdad_enable);
total_pix_port += num_pix_port_per_in;
total_rdi_port += num_rdi_port_per_in;
total_pd_port += num_pd_port_per_in;
kfree(in_port);
in_port = NULL;
@@ -2792,6 +2795,9 @@ static int cam_tfe_mgr_acquire_dev(void *hw_mgr_priv, void *acquire_hw_args)
}
}
total_ports = total_pix_port + total_rdi_port + total_pd_port;
acquire_args->total_ports_acq = total_ports;
/* Check whether context has only RDI resource */
if (!total_pix_port) {
tfe_ctx->is_rdi_only_context = 1;