msm: camera: ope: Check array size of input sync obj

Incase of input buffer, check array size of input sync obj before assigning
fence.

CRs-Fixed: 2821583
Change-Id: I5cd7968cfbe0be86a8967565616bf6eb1cf7fcf7
Signed-off-by: Shravya Samala <[email protected]>

drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c

@@ -1757,7 +1757,7 @@ end:
 
 static int cam_ope_mgr_process_io_cfg(struct cam_ope_hw_mgr *hw_mgr,
 	struct cam_packet *packet,
-	struct cam_hw_prepare_update_args *prep_args,
+	struct cam_hw_prepare_update_args *prep_arg,
 	struct cam_ope_ctx *ctx_data, uint32_t req_idx)
 {
 
@@ -1768,8 +1768,8 @@ static int cam_ope_mgr_process_io_cfg(struct cam_ope_hw_mgr *hw_mgr,
 	struct cam_ope_request *ope_request;
 
 	ope_request = ctx_data->req_list[req_idx];
-	prep_args->num_out_map_entries = 0;
-	prep_args->num_in_map_entries = 0;
+	prep_arg->num_out_map_entries = 0;
+	prep_arg->num_in_map_entries = 0;
 
 	ope_request = ctx_data->req_list[req_idx];
 	CAM_DBG(CAM_OPE, "E: req_idx = %u %x", req_idx, packet);
@@ -1779,8 +1779,16 @@ static int cam_ope_mgr_process_io_cfg(struct cam_ope_hw_mgr *hw_mgr,
 			io_buf = ope_request->io_buf[i][l];
 			if (io_buf->direction == CAM_BUF_INPUT) {
 				if (io_buf->fence != -1) {
-					sync_in_obj[j++] = io_buf->fence;
-					prep_args->num_in_map_entries++;
+					if (j < CAM_MAX_IN_RES) {
+						sync_in_obj[j++] =
+							io_buf->fence;
+						prep_arg->num_in_map_entries++;
+					} else {
+						CAM_ERR(CAM_OPE,
+						"reached max in_res %d %d",
+						io_buf->resource_type,
+						ope_request->request_id);
+					}
 				} else {
 					CAM_ERR(CAM_OPE, "Invalid fence %d %d",
 						io_buf->resource_type,
@@ -1788,10 +1796,10 @@ static int cam_ope_mgr_process_io_cfg(struct cam_ope_hw_mgr *hw_mgr,
 				}
 			} else {
 				if (io_buf->fence != -1) {
-					prep_args->out_map_entries[k].sync_id =
+					prep_arg->out_map_entries[k].sync_id =
 						io_buf->fence;
 					k++;
-					prep_args->num_out_map_entries++;
+					prep_arg->num_out_map_entries++;
 				} else {
 					if (io_buf->resource_type
 						!= OPE_OUT_RES_STATS_LTM) {
@@ -1812,38 +1820,38 @@ static int cam_ope_mgr_process_io_cfg(struct cam_ope_hw_mgr *hw_mgr,
 		}
 	}
 
-	if (prep_args->num_in_map_entries > 1 &&
-		prep_args->num_in_map_entries <= CAM_MAX_IN_RES)
-		prep_args->num_in_map_entries =
+	if (prep_arg->num_in_map_entries > 1 &&
+		prep_arg->num_in_map_entries <= CAM_MAX_IN_RES)
+		prep_arg->num_in_map_entries =
 			cam_common_util_remove_duplicate_arr(
-			sync_in_obj, prep_args->num_in_map_entries);
+			sync_in_obj, prep_arg->num_in_map_entries);
 
-	if (prep_args->num_in_map_entries > 1 &&
-		prep_args->num_in_map_entries <= CAM_MAX_IN_RES) {
+	if (prep_arg->num_in_map_entries > 1 &&
+		prep_arg->num_in_map_entries <= CAM_MAX_IN_RES) {
 		rc = cam_sync_merge(&sync_in_obj[0],
-			prep_args->num_in_map_entries, &merged_sync_in_obj);
+			prep_arg->num_in_map_entries, &merged_sync_in_obj);
 		if (rc) {
-			prep_args->num_out_map_entries = 0;
-			prep_args->num_in_map_entries = 0;
+			prep_arg->num_out_map_entries = 0;
+			prep_arg->num_in_map_entries = 0;
 			return rc;
 		}
 
 		ope_request->in_resource = merged_sync_in_obj;
 
-		prep_args->in_map_entries[0].sync_id = merged_sync_in_obj;
-		prep_args->num_in_map_entries = 1;
+		prep_arg->in_map_entries[0].sync_id = merged_sync_in_obj;
+		prep_arg->num_in_map_entries = 1;
 		CAM_DBG(CAM_REQ, "ctx_id: %u req_id: %llu Merged Sync obj: %d",
 			ctx_data->ctx_id, packet->header.request_id,
 			merged_sync_in_obj);
-	} else if (prep_args->num_in_map_entries == 1) {
-		prep_args->in_map_entries[0].sync_id = sync_in_obj[0];
-		prep_args->num_in_map_entries = 1;
+	} else if (prep_arg->num_in_map_entries == 1) {
+		prep_arg->in_map_entries[0].sync_id = sync_in_obj[0];
+		prep_arg->num_in_map_entries = 1;
 		ope_request->in_resource = 0;
 		CAM_DBG(CAM_OPE, "fence = %d", sync_in_obj[0]);
 	} else {
 		CAM_DBG(CAM_OPE, "Invalid count of input fences, count: %d",
-			prep_args->num_in_map_entries);
-		prep_args->num_in_map_entries = 0;
+			prep_arg->num_in_map_entries);
+		prep_arg->num_in_map_entries = 0;
 		ope_request->in_resource = 0;
 		rc = -EINVAL;
 	}