samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: camera: sensor: TOCTOU error handling in eeprom" into camera-kernel.lnx.7.0

Browse Source
This commit is contained in:
Camera Software Integration
2024-07-09 01:46:23 -07:00
committed by Gerrit - the friendly Code Review server
parent 37c2bd7cb9 533ee451e6
commit 8fbdd92875
1 changed files with 12 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
View File

@@ -1087,6 +1087,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
{ {
struct cam_buf_io_cfg *io_cfg; struct cam_buf_io_cfg *io_cfg;
uint32_t i = 0; uint32_t i = 0;
size_t plane_offset;
int32_t mem_handle;
int rc = 0; int rc = 0;
uintptr_t buf_addr; uintptr_t buf_addr;
size_t buf_size; size_t buf_size;
@@ -1096,6 +1098,8 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
io_cfg = (struct cam_buf_io_cfg *) ((uint8_t *) io_cfg = (struct cam_buf_io_cfg *) ((uint8_t *)
&csl_packet->payload + &csl_packet->payload +
csl_packet->io_configs_offset); csl_packet->io_configs_offset);
plane_offset = io_cfg->offsets[0];
mem_handle = io_cfg->mem_handle[0];
CAM_DBG(CAM_EEPROM, "number of IO configs: %d:", CAM_DBG(CAM_EEPROM, "number of IO configs: %d:",
csl_packet->num_io_configs); csl_packet->num_io_configs);
@@ -1103,21 +1107,21 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
for (i = 0; i < csl_packet->num_io_configs; i++) { for (i = 0; i < csl_packet->num_io_configs; i++) {
CAM_DBG(CAM_EEPROM, "Direction: %d:", io_cfg->direction); CAM_DBG(CAM_EEPROM, "Direction: %d:", io_cfg->direction);
if (io_cfg->direction == CAM_BUF_OUTPUT) { if (io_cfg->direction == CAM_BUF_OUTPUT) {
rc = cam_mem_get_cpu_buf(io_cfg->mem_handle[0], rc = cam_mem_get_cpu_buf(mem_handle,
&buf_addr, &buf_size); &buf_addr, &buf_size);
if (rc) { if (rc) {
CAM_ERR(CAM_EEPROM, "Fail in get buffer: %d", CAM_ERR(CAM_EEPROM, "Fail in get buffer: %d",
rc); rc);
return rc; return rc;
} }
if (buf_size <= io_cfg->offsets[0]) { if (buf_size <= plane_offset) {
CAM_ERR(CAM_EEPROM, "Not enough buffer"); CAM_ERR(CAM_EEPROM, "Not enough buffer");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]); cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL; rc = -EINVAL;
return rc; return rc;
} }
remain_len = buf_size - io_cfg->offsets[0]; remain_len = buf_size - plane_offset;
CAM_DBG(CAM_EEPROM, "buf_addr : %pK, buf_size : %zu\n", CAM_DBG(CAM_EEPROM, "buf_addr : %pK, buf_size : %zu\n",
(void *)buf_addr, buf_size); (void *)buf_addr, buf_size);
@@ -1125,16 +1129,16 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
if (!read_buffer) { if (!read_buffer) {
CAM_ERR(CAM_EEPROM, CAM_ERR(CAM_EEPROM,
"invalid buffer to copy data"); "invalid buffer to copy data");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]); cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL; rc = -EINVAL;
return rc; return rc;
} }
read_buffer += io_cfg->offsets[0]; read_buffer += plane_offset;
if (remain_len < e_ctrl->cal_data.num_data) { if (remain_len < e_ctrl->cal_data.num_data) {
CAM_ERR(CAM_EEPROM, CAM_ERR(CAM_EEPROM,
"failed to copy, Invalid size"); "failed to copy, Invalid size");
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]); cam_mem_put_cpu_buf(mem_handle);
rc = -EINVAL; rc = -EINVAL;
return rc; return rc;
} }
@@ -1143,7 +1147,7 @@ static int32_t cam_eeprom_get_cal_data(struct cam_eeprom_ctrl_t *e_ctrl,
e_ctrl->cal_data.num_data); e_ctrl->cal_data.num_data);
memcpy(read_buffer, e_ctrl->cal_data.mapdata, memcpy(read_buffer, e_ctrl->cal_data.mapdata,
e_ctrl->cal_data.num_data); e_ctrl->cal_data.num_data);
cam_mem_put_cpu_buf(io_cfg->mem_handle[0]); cam_mem_put_cpu_buf(mem_handle);
} else { } else {
CAM_ERR(CAM_EEPROM, "Invalid direction"); CAM_ERR(CAM_EEPROM, "Invalid direction");
rc = -EINVAL; rc = -EINVAL;