Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Эх сурвалжийг харах

msm: camera: reqmgr: Validate the link handle

Instead of correct link handle, if some other handle like
dev handle is passed then it may access some other data space.
To avoid such scenario, need to check whether link handle
passed by ioctl is same as retrieved link handle.

CRs-Fixed: 3120454
Change-Id: Idff2e3c25b60563788ffb426c7cabc367c3c97f8
Signed-off-by: Yash Upadhyay <[email protected]>
Yash Upadhyay 3 жил өмнө
parent
be8df059d5
commit
6c2f7f959f
2 өөрчлөгдсөн 54 нэмэгдсэн , 28 устгасан
Өөрчлөлтийг ялгаж харах Өөрчлөлтийн статистик харах
  1. 52 28
      drivers/cam_req_mgr/cam_req_mgr_core.c
  2. 2 0
      drivers/cam_req_mgr/cam_req_mgr_core.h

+ 52 - 28
drivers/cam_req_mgr/cam_req_mgr_core.c
Файл харах 

@@ -4013,8 +4013,10 @@ int cam_req_mgr_destroy_session(
 
 	mutex_lock(&g_crm_core_dev->crm_lock);
 
 	cam_session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(ses_info->session_hdl);
 
-	if (!cam_session) {
 
-		CAM_ERR(CAM_CRM, "failed to get session priv");
 
+	if (!cam_session || (cam_session->session_hdl != ses_info->session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, ses_info->ses_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(cam_session), ses_info->session_hdl,
 
+			(!cam_session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
 
 		rc = -ENOENT;
 
 		goto end;
 
 
@@ -4084,8 +4086,10 @@ int cam_req_mgr_link(struct cam_req_mgr_ver_info *link_info)
 
 	/* session hdl's priv data is cam session struct */
 
 	cam_session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(link_info->u.link_info_v1.session_hdl);
 
-	if (!cam_session) {
 
-		CAM_DBG(CAM_CRM, "NULL pointer");
 
+	if (!cam_session || (cam_session->session_hdl != link_info->u.link_info_v1.session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, link_info->ses_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(cam_session), link_info->u.link_info_v1.session_hdl,
 
+			(!cam_session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
 
 		mutex_unlock(&g_crm_core_dev->crm_lock);
 
 		return -EINVAL;
 
 	}
 
@@ -4194,8 +4198,10 @@ int cam_req_mgr_link_v2(struct cam_req_mgr_ver_info *link_info)
 
 	/* session hdl's priv data is cam session struct */
 
 	cam_session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(link_info->u.link_info_v2.session_hdl);
 
-	if (!cam_session) {
 
-		CAM_DBG(CAM_CRM, "NULL pointer");
 
+	if (!cam_session || (cam_session->session_hdl != link_info->u.link_info_v2.session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, link_info->ses_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(cam_session), link_info->u.link_info_v2.session_hdl,
 
+			(!cam_session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
 
 		mutex_unlock(&g_crm_core_dev->crm_lock);
 
 		return -EINVAL;
 
 	}
 
@@ -4303,16 +4309,20 @@ int cam_req_mgr_unlink(struct cam_req_mgr_unlink_info *unlink_info)
 
 	/* session hdl's priv data is cam session struct */
 
 	cam_session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(unlink_info->session_hdl);
 
-	if (!cam_session) {
 
-		CAM_ERR(CAM_CRM, "NULL pointer");
 
+	if (!cam_session || (cam_session->session_hdl != unlink_info->session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, unlink_info->ses_hdl:%x, cam_session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(cam_session), unlink_info->session_hdl,
 
+			(!cam_session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
 
 		mutex_unlock(&g_crm_core_dev->crm_lock);
 
 		return -EINVAL;
 
 	}
 
 
 	/* link hdl's priv data is core_link struct */
 
 	link = cam_get_device_priv(unlink_info->link_hdl);
 
-	if (!link) {
 
-		CAM_ERR(CAM_CRM, "NULL pointer");
 
+	if (!link || (link->link_hdl != unlink_info->link_hdl)) {
 
+		CAM_ERR(CAM_CRM, "link: %s, unlink_info->link_hdl:%x, link->link_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(link), unlink_info->link_hdl,
 
+			(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
 
 		rc = -EINVAL;
 
 		goto done;
 
 	}
 
@@ -4345,8 +4355,10 @@ int cam_req_mgr_schedule_request(
 
 	mutex_lock(&g_crm_core_dev->crm_lock);
 
 	link = (struct cam_req_mgr_core_link *)
 
 		cam_get_device_priv(sched_req->link_hdl);
 
-	if (!link) {
 
-		CAM_DBG(CAM_CRM, "link ptr NULL %x", sched_req->link_hdl);
 
+	if (!link || (link->link_hdl != sched_req->link_hdl)) {
 
+		CAM_ERR(CAM_CRM, "link: %s, sched_req->link_hdl:%x, link->link_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(link), sched_req->link_hdl,
 
+			(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
 
 		rc = -EINVAL;
 
 		goto end;
 
 	}
 
@@ -4430,8 +4442,10 @@ int cam_req_mgr_sync_config(
 
 	/* session hdl's priv data is cam session struct */
 
 	cam_session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(sync_info->session_hdl);
 
-	if (!cam_session) {
 
-		CAM_ERR(CAM_CRM, "NULL pointer");
 
+	if (!cam_session || (cam_session->session_hdl != sync_info->session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, sync_info->session_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(cam_session), sync_info->session_hdl,
 
+			(!cam_session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : cam_session->session_hdl);
 
 		mutex_unlock(&g_crm_core_dev->crm_lock);
 
 		return -EINVAL;
 
 	}
 
@@ -4447,8 +4461,10 @@ int cam_req_mgr_sync_config(
 
 		}
 
 
 		link[i] = cam_get_device_priv(sync_info->link_hdls[i]);
 
-		if (!link[i]) {
 
-			CAM_ERR(CAM_CRM, "link%d NULL pointer", i);
 
+		if (!link[i] || (link[i]->link_hdl != sync_info->link_hdls[i])) {
 
+			CAM_ERR(CAM_CRM, "link: %s, sync_info->link_hdl:%x, link->link_hdl:%x",
 
+				CAM_IS_NULL_TO_STR(link), sync_info->link_hdls[i],
 
+				(!link[i]) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link[i]->link_hdl);
 
 			rc = -EINVAL;
 
 			goto done;
 
 		}
 
@@ -4524,8 +4540,10 @@ int cam_req_mgr_flush_requests(
 
 	/* session hdl's priv data is cam session struct */
 
 	session = (struct cam_req_mgr_core_session *)
 
 		cam_get_device_priv(flush_info->session_hdl);
 
-	if (!session) {
 
-		CAM_ERR(CAM_CRM, "Invalid session %x", flush_info->session_hdl);
 
+	if (!session || (session->session_hdl != flush_info->session_hdl)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, flush_info->ses_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(session), flush_info->session_hdl,
 
+			(!session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : session->session_hdl);
 
 		rc = -EINVAL;
 
 		goto end;
 
 	}
 
@@ -4537,8 +4555,10 @@ int cam_req_mgr_flush_requests(
 
 
 	link = (struct cam_req_mgr_core_link *)
 
 		cam_get_device_priv(flush_info->link_hdl);
 
-	if (!link) {
 
-		CAM_DBG(CAM_CRM, "link ptr NULL %x", flush_info->link_hdl);
 
+	if (!link || (link->link_hdl != flush_info->link_hdl)) {
 
+		CAM_ERR(CAM_CRM, "link: %s, flush_info->link_hdl:%x, link->link_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(link), flush_info->link_hdl,
 
+			(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
 
 		rc = -EINVAL;
 
 		goto end;
 
 	}
 
@@ -4596,9 +4616,10 @@ int cam_req_mgr_link_control(struct cam_req_mgr_link_control *control)
 
 	for (i = 0; i < control->num_links; i++) {
 
 		link = (struct cam_req_mgr_core_link *)
 
 			cam_get_device_priv(control->link_hdls[i]);
 
-		if (!link) {
 
-			CAM_ERR(CAM_CRM, "Link(%d) is NULL on session 0x%x",
 
-				i, control->session_hdl);
 
+		if (!link || (link->link_hdl != control->link_hdls[i])) {
 
+			CAM_ERR(CAM_CRM, "link: %s, control->link_hdl:%x, link->link_hdl:%x",
 
+				CAM_IS_NULL_TO_STR(link), control->link_hdls[i],
 
+				(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
 
 			rc = -EINVAL;
 
 			break;
 
 		}
 
@@ -4671,9 +4692,10 @@ int cam_req_mgr_dump_request(struct cam_dump_req_cmd *dump_req)
 
 	/* session hdl's priv data is cam session struct */
 
 	session = (struct cam_req_mgr_core_session *)
 
 	    cam_get_device_priv(dump_req->session_handle);
 
-	if (!session) {
 
-		CAM_ERR(CAM_CRM, "Invalid session %x",
 
-			dump_req->session_handle);
 
+	if (!session || (session->session_hdl != dump_req->session_handle)) {
 
+		CAM_ERR(CAM_CRM, "session: %s, dump_req->ses_hdl:%x, session->ses_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(session), dump_req->session_handle,
 
+			(!session) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : session->session_hdl);
 
 		rc = -EINVAL;
 
 		goto end;
 
 	}
 
@@ -4685,8 +4707,10 @@ int cam_req_mgr_dump_request(struct cam_dump_req_cmd *dump_req)
 
 
 	link = (struct cam_req_mgr_core_link *)
 
 		cam_get_device_priv(dump_req->link_hdl);
 
-	if (!link) {
 
-		CAM_DBG(CAM_CRM, "link ptr NULL %x", dump_req->link_hdl);
 
+	if (!link || (link->link_hdl != dump_req->link_hdl)) {
 
+		CAM_ERR(CAM_CRM, "link: %s, dump_req->link_hdl:%x, link->link_hdl:%x",
 
+			CAM_IS_NULL_TO_STR(link), dump_req->link_hdl,
 
+			(!link) ? CAM_REQ_MGR_DEFAULT_HDL_VAL : link->link_hdl);
 
 		rc = -EINVAL;
 
 		goto end;
 
 	}

+ 2 - 0
drivers/cam_req_mgr/cam_req_mgr_core.h
Файл харах 

@@ -1,6 +1,7 @@
 
 /* SPDX-License-Identifier: GPL-2.0-only */
 
 /*
 
  * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
 
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
 
  */
 
 #ifndef _CAM_REQ_MGR_CORE_H_
 
 #define _CAM_REQ_MGR_CORE_H_
 
@@ -19,6 +20,7 @@
 
 #define CAM_REQ_MGR_WATCHDOG_TIMEOUT_MAX      50000
 
 #define CAM_REQ_MGR_SCHED_REQ_TIMEOUT         1000
 
 #define CAM_REQ_MGR_SIMULATE_SCHED_REQ        30
 
+#define CAM_REQ_MGR_DEFAULT_HDL_VAL           0
 
 
 #define FORCE_DISABLE_RECOVERY  2
 
 #define FORCE_ENABLE_RECOVERY   1