Просмотр исходного кода

msm: camera: common: NULL pointer and array fixes

Fix NULL pointer checks in cam_mem dma_buf functions.
Fix local array bounds check for cam_vfe_top_set_axi_bw_vote.

CRs-Fixed: 2906570
Change-Id: Ib41223ad56cbb5618d73e8aa6907907dd6f8f4fb
Signed-off-by: Karthik Jayakumar <[email protected]>
Karthik Jayakumar 4 лет назад
Родитель
Сommit
67707a7305

+ 8 - 1
drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_top_common.c

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Copyright (c) 2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021, The Linux Foundation. All rights reserved.
  */
 
 #include "cam_vfe_top_common.h"
@@ -59,6 +59,13 @@ int cam_vfe_top_set_axi_bw_vote(struct cam_vfe_soc_private *soc_private,
 	bool bw_unchanged = true;
 	bool apply_bw_update = false;
 
+	if (top_common->num_mux > CAM_VFE_TOP_MUX_MAX) {
+		CAM_ERR(CAM_PERF,
+			"Number of Mux exceeds max, # Mux: %d > Limit: %d",
+			top_common->num_mux, CAM_VFE_TOP_MUX_MAX);
+		return -EINVAL;
+	}
+
 	for (i = 0; i < top_common->num_mux; i++) {
 		if (top_common->axi_vote_control[i] ==
 			CAM_VFE_BW_CONTROL_INCLUDE) {

+ 1 - 1
drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_top_ver4.c

@@ -1339,7 +1339,7 @@ int cam_vfe_top_ver4_start(void *device_priv,
 	}
 
 	mux_res = (struct cam_isp_resource_node *)start_args;
-	hw_info = (struct cam_hw_info  *)mux_res->hw_intf->hw_priv;
+	hw_info = (struct cam_hw_info *)mux_res->hw_intf->hw_priv;
 
 	if (hw_info->hw_state == CAM_HW_STATE_POWER_UP) {
 		rc = cam_vfe_top_ver4_set_hw_clk_rate(top_priv);

+ 16 - 8
drivers/cam_req_mgr/cam_mem_mgr.c

@@ -604,7 +604,7 @@ static int cam_mem_util_get_dma_buf(size_t len,
 
 	if (try_heap) {
 		*buf = dma_heap_buffer_alloc(try_heap, len, O_RDWR, 0);
-		if (IS_ERR_OR_NULL(*buf)) {
+		if (IS_ERR(*buf)) {
 			CAM_WARN(CAM_MEM,
 				"Failed in allocating from try heap, heap=%pK, len=%zu, err=%d",
 				try_heap, len, PTR_ERR(*buf));
@@ -614,7 +614,7 @@ static int cam_mem_util_get_dma_buf(size_t len,
 
 	if (*buf == NULL) {
 		*buf = dma_heap_buffer_alloc(heap, len, O_RDWR, 0);
-		if (IS_ERR_OR_NULL(*buf)) {
+		if (IS_ERR(*buf)) {
 			rc = PTR_ERR(*buf);
 			CAM_ERR(CAM_MEM,
 				"Failed in allocating from heap, heap=%pK, len=%zu, err=%d",
@@ -924,6 +924,12 @@ int cam_mem_mgr_alloc_and_map(struct cam_mem_mgr_alloc_cmd *cmd)
 		cam_mem_mgr_print_tbl();
 		return rc;
 	}
+	if (!dmabuf) {
+		CAM_ERR(CAM_MEM,
+			"Ion Alloc return NULL dmabuf! fd=%d, len=%d", fd, len);
+		cam_mem_mgr_print_tbl();
+		return rc;
+	}
 
 	idx = cam_mem_get_slot();
 	if (idx < 0) {
@@ -1453,13 +1459,14 @@ int cam_mem_mgr_request_mem(struct cam_mem_mgr_request_desc *inp,
 		return -EINVAL;
 	}
 
-	rc = cam_mem_util_get_dma_buf(inp->size,
-		inp->flags,
-		&buf);
+	rc = cam_mem_util_get_dma_buf(inp->size, inp->flags, &buf);
 
 	if (rc) {
 		CAM_ERR(CAM_MEM, "ION alloc failed for shared buffer");
 		goto ion_fail;
+	} else if (!buf) {
+		CAM_ERR(CAM_MEM, "ION alloc returned NULL buffer");
+		goto ion_fail;
 	} else {
 		CAM_DBG(CAM_MEM, "Got dma_buf = %pK", buf);
 	}
@@ -1627,13 +1634,14 @@ int cam_mem_mgr_reserve_memory_region(struct cam_mem_mgr_request_desc *inp,
 		return -EINVAL;
 	}
 
-	rc = cam_mem_util_get_dma_buf(inp->size,
-		0,
-		&buf);
+	rc = cam_mem_util_get_dma_buf(inp->size, 0, &buf);
 
 	if (rc) {
 		CAM_ERR(CAM_MEM, "ION alloc failed for sec heap buffer");
 		goto ion_fail;
+	} else if (!buf) {
+		CAM_ERR(CAM_MEM, "ION alloc returned NULL buffer");
+		goto ion_fail;
 	} else {
 		CAM_DBG(CAM_MEM, "Got dma_buf = %pK", buf);
 	}