This change fixes a potential OOB access issue due to
culprit checking.
CRs-Fixed: 3851339
Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
IO config can be modified due to access to shared memory.
This change scopes the data locally so as to avoid
vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3777635
Change-Id: Ia5dd9138dcf8449e2d800aca9ffed73d9c4ba3ea
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
addr variable to have address bound check, due to that increamenting
of that variable can go corrupt other memory address which could lead to
our of bound access. This change will add extra address change before
access addr variable.
CRs-Fixed: 3802568
Change-Id: I0a2804403dc92fa005f8dda5263242eeb01f4765
Signed-off-by: Soumen Ghosh <quic_soumeng@quicinc.com>
Update and refactor SCM calling procedure in accordance to
CSF2.5 framework for supported targets.
isolate domain_id changes to bypass if only csf2.5 supported.
CRs-Fixed: 3806801
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Change-Id: Idf8ff9716d1e47fb2cea8ea8a34ae3555b29855e
This change fixes OOB access by dynamically allocating memory
for defer bufdone index array and ensuring that allocation
happens after acquire is successful.
CRs-Fixed: 3815399
Change-Id: Icdf5417a74e940ed8ab9f28ac9e0ae22c7bd3c35
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Adds changes to dynamically allocate memory for defer bufdone
index array as per number of ports acquired instead of
hardcoded max resource value which could change target wise.
CRs-Fixed: 3788295
Change-Id: I5d5f43ac41e6abbac0b270eeaf97475b4e39a5d7
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Currently applied clock rate variable is getting updated
with default -ve value for clocks for which no rate set.
This is giving wrong impression of clock rate being applied.
Updated applied clock rate based on clock rate value set.
CRs-Fixed: 3794045
Change-Id: Ib37165dbaf4c1ec56abff1d3ba3eaf21eae79734
Signed-off-by: Alok Chauhan <quic_alokc@quicinc.com>
Corrected board list of supported msm-mmrm boards to include volcano.
CRs-Fixed: 3794045
Change-Id: I469c6b795716cae98bc29cf396c6ffd7b810343c
Signed-off-by: Alok Chauhan <quic_alokc@quicinc.com>
kref operation is atmoic operation, so no need to use mutex
to protect it, and the cam_mem_put_cpu_buf is also called
in spinlock context, so we can't use mutex lock in this
function. This change removes the mutex lock for kref
variable protextion.
CRs-Fixed: 3786887
Change-Id: Ic05bdafacf06cde6a8d8dbae7512e5d22eb7f514
Signed-off-by: Depeng Shao <quic_depengs@quicinc.com>
(cherry picked from commit bb64b99c83b3bb6da0c241eda74ebe8a19b51840)
Adds proper sanity on virtual cdm right operation to avoid
OOB register space access. After getting the mapped buffers
through cam_mem_get_cpu_buf() in kernel, userspace is still
able to access those buffers. So, the validation of offsets
and sizes does not have any advantage if userspace can alter
those parameters after we have validated them. That's why we
copied the information in kernel before we validate that.
CRs-Fixed: 3778045
Change-Id: I3b53549419b40a92333263e29d93220577d691e9
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
This change add support to update camera qos statically
and dynamically via hyp.
For each NIU camera driver can call scm API with each NIU's
register offsets, value and number of registers offset that need to be
programed.
CRs-Fixed: 3781697
Change-Id: I42705dd2b379e29f7f32f9c2564cc476dc8c1308
Signed-off-by: Dharmender Sharma <quic_dharshar@quicinc.com>
Two threads can access same dma fence, one to get_fence and other
to put_fence. Missing locks and checks on fence could lead to use
after free case. This change adds proper locks and checks before
dma fence get call to avoid this.
CRs-Fixed: 3782903
Change-Id: I283e87f09c44b57bed3dbb782113f3629c9a29bd
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
- Validation of settings_array_offset which is populated
from umd as sizeof(CSLTPGSettingsConfigCmd).
CRs-Fixed: 3788500
Change-Id: Ic848d537f1b56bcfc47b295b063e9670313c9a33
Signed-off-by: Abhilash Mahapatra <quic_abhmah@quicinc.com>
Currently krefcount is using by umd and kmd. Due to sometimes
there is issue in umd, such as release twice. That maybe causes
buffer release before kmd access the buffer. This commit add
a new refcount to track umd in use buffers and use current krefcount
to track kmd in use buffers. For the same buffer use in kmd and umd
only when all refcount become zero, the buffer start to release.
CRs-Fixed: 3692103
Change-Id: I5a58d9bab4c82bdb192d6a6a3d2b3d254dc04c9e
Signed-off-by: zhuo <quic_zhuo@quicinc.com>
TFE is programming WM's bw limiters with default value
without considering if it's already set via blob from UMD.
Skip bw limiter programming for TFE WMs for which
limiter values programmed via blob.
CRs-Fixed: 3767707
Change-Id: I30190def8b2a08c577b3bf1fa71fd2fe3db53c86
Signed-off-by: Alok Chauhan <quic_alokc@quicinc.com>
I2C cmd is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3707472
Change-Id: I8a89e23e99b80b089ed4c4cf3098feead752356e
Signed-off-by: Shivi Mangal <quic_smangal@quicinc.com>
(cherry picked from commit 4e00cc5f9f81bf471d58ee5d6beb210a5326fcff)
Handle out_of_sync_frame_drop interrupt as non fatal till
3 successive occurences. fix prevention of mup bit override
when programming RDI.
CRs-Fixed: 3638271
Change-Id: Ie2f7ef476b76b5074b12b0eb503ae0be1100611a
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Decrease max value of usleep_range during sensor power on/off
CRs-Fixed: 3698124
Change-Id: If152fce49331fa057cf6bcb63f99b17b184dd00e
Signed-off-by: liji <quic_liji@quicinc.com>
(cherry picked from commit a4c76acef4188da15247304a58d262b4d2bb9c8d)
This change fixes prevent issues like incorrect
sizeof expression and incorrect format specifiers
in cam_isp.
CRs-Fixed: 3751374
Change-Id: Ia1383a655412176c4de30ef17412c2ff900f768e
Signed-off-by: Shivakumar Malke <quic_smalke@quicinc.com>
Fixes missing logging parameter in few of the logs.
CRs-Fixed: 3758192
Change-Id: Ic4d351fdf11213c515d975bda48a299e885e123d
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
