diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
index 66d084f6ef2f2674edf1360a5a01282305eedff8..ef7485e181f182e42a8f528832f6585a5e2cdd59 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
@@ -330,8 +330,8 @@ int msm_isp_axi_check_stream_state(
 }
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
 return -EINVAL;
 }
 stream_info = &axi_data->stream_info[
@@ -622,8 +622,10 @@ int msm_isp_request_axi_stream(struct vfe_device *vfe_dev, void *arg)
 &vfe_dev->axi_data, stream_cfg_cmd);
 if (rc) {
 pr_err("%s: Request validation failed\n", __func__);
- msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
- HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
+ if (HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle) <
+ MAX_NUM_STREAM)
+ msm_isp_axi_destroy_stream(&vfe_dev->axi_data,
+ HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle));
 return rc;
 }
 stream_info = &vfe_dev->axi_data.
@@ -695,11 +697,16 @@ int msm_isp_release_axi_stream(struct vfe_device *vfe_dev, void *arg)
 int rc = 0, i;
 struct msm_vfe_axi_stream_release_cmd *stream_release_cmd = arg;
 struct msm_vfe_axi_shared_data *axi_data = &vfe_dev->axi_data;
- struct msm_vfe_axi_stream *stream_info =
- &axi_data->stream_info[
- HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
+ struct msm_vfe_axi_stream *stream_info;
 struct msm_vfe_axi_stream_cfg_cmd stream_cfg;
+ if (HANDLE_TO_IDX(stream_release_cmd->stream_handle) >=
+ MAX_NUM_STREAM) {
+ pr_err("%s: Invalid stream handle\n", __func__);
+ return -EINVAL;
+ }
+ stream_info = &axi_data->stream_info[
+ HANDLE_TO_IDX(stream_release_cmd->stream_handle)];
 if (stream_info->state == AVALIABLE) {
 pr_err("%s: Stream already released\n", __func__);
 return -EINVAL;
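Review bot: The bounds test on `HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])` is still open-coded in this loop and in five other loops this patch touches (`msm_isp_update_camif_output_count`, `msm_isp_axi_update_cgc_override`, `msm_isp_start_axi_stream`, `msm_isp_stop_axi_stream`, `msm_isp_update_axi_stream`), which is how the same `>` off-by-one ended up in every copy. A single helper that takes the handle and returns the `stream_info` pointer, or NULL for an out-of-range index, would keep the check and the array access on one value and in one place. The rejection is also silent in these loops; a `pr_err_ratelimited("%s: Invalid stream handle\n", __func__);` before `return -EINVAL;` would make a bad handle diagnosable. Whether `num_streams` itself is bounded against the size of `stream_handle[]` is not visible in this hunk and is worth confirming.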
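Review bot: When the index is out of range, the new guard in `msm_isp_request_axi_stream` skips `msm_isp_axi_destroy_stream()` without any message, so if a stream was created earlier in this function (that part is outside the hunk) it would stay allocated with no trace in the log. If an out-of-range handle can only mean a corrupted handle at this point, report it in an `else` branch. It would also be clearer to compute the index once, e.g. `idx = HANDLE_TO_IDX(stream_cfg_cmd->axi_stream_handle);`, so the test and the call provably use the same value.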
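Review bot: `pr_err("%s: Invalid stream handle\n", __func__);` in `msm_isp_release_axi_stream` fires on a value taken directly from the caller-supplied release command, so a caller that keeps passing bad handles can fill the kernel log. `pr_err_ratelimited()` with the same arguments avoids that. The same applies to the existing "Stream already released" message just below. The function body continues outside the hunk.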
@@ -991,6 +998,11 @@ static void msm_isp_process_done_buf(struct vfe_device *vfe_dev,
 if (!buf || !ts)
 return;
+ if (stream_idx >= MAX_NUM_STREAM) {
+ pr_err("%s: Invalid stream_idx", __func__);
+ return;
+ }
+
 if (SRC_TO_INTF(stream_info->stream_src) < VFE_SRC_MAX)
 frame_id = vfe_dev->axi_data.
 src_info[SRC_TO_INTF(stream_info->stream_src)].frame_id;
@@ -1097,8 +1109,8 @@ static void msm_isp_update_camif_output_count(
 }
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
 return;
 }
 stream_info =
@@ -1286,8 +1298,8 @@ static int msm_isp_axi_update_cgc_override(struct vfe_device *vfe_dev,
 return -EINVAL;
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
 return -EINVAL;
 }
 stream_info = &axi_data->stream_info[
@@ -1318,8 +1330,8 @@ static int msm_isp_start_axi_stream(struct vfe_device *vfe_dev,
 }
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
 return -EINVAL;
 }
 stream_info = &axi_data->stream_info[
@@ -1386,8 +1398,8 @@ static int msm_isp_stop_axi_stream(struct vfe_device *vfe_dev,
 }
 for (i = 0; i < stream_cfg_cmd->num_streams; i++) {
- if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i])
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(stream_cfg_cmd->stream_handle[i]) >=
+ MAX_NUM_STREAM) {
 return -EINVAL;
 }
 stream_info = &axi_data->stream_info[
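Review bot: The added `pr_err("%s: Invalid stream_idx", __func__);` in `msm_isp_process_done_buf` has no trailing newline, unlike the other messages in this patch, so the next printk may be appended to it; it should read `pr_err("%s: Invalid stream_idx\n", __func__);`. The early `return` also leaves `buf` unhandled. Whether the done buffer must be handed back on this path depends on code outside the hunk and should be checked. `stream_idx` is assigned before the hunk, so it is not visible here whether it is already used ahead of this test.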
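Review bot: `msm_isp_update_camif_output_count` is `void`, so the bare `return;` on an out-of-range handle abandons the loop part-way with no log and no error for the caller. Any adjustments already made for earlier streams in the same command would stay applied. Validating every handle before the loop modifies anything, or at least logging the rejected index, would avoid a half-applied update. The loop body is outside the hunk, so what earlier iterations have changed is inferred rather than visible.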
@@ -1688,8 +1700,8 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
 for (i = 0; i < update_cmd->num_streams; i++) {
 update_info = &update_cmd->update_info[i];
 /*check array reference bounds*/
- if (HANDLE_TO_IDX(update_info->stream_handle)
- > MAX_NUM_STREAM) {
+ if (HANDLE_TO_IDX(update_info->stream_handle) >=
+ MAX_NUM_STREAM) {
 return -EINVAL;
 }
 stream_info = &axi_data->stream_info[
@@ -1818,53 +1830,56 @@ void msm_isp_process_axi_irq(struct vfe_device *vfe_dev,
 rc = 0;
 comp_info = &axi_data->composite_info[i];
 if (comp_mask & (1 << i)) {
- if (!comp_info->stream_handle) {
+ stream_idx = HANDLE_TO_IDX(comp_info->stream_handle);
+ if ((!comp_info->stream_handle) ||
+ (stream_idx >= MAX_NUM_STREAM)) {
 pr_err("%s: Invalid handle for composite irq\n", __func__);
- } else {
- stream_idx =
- HANDLE_TO_IDX(comp_info->stream_handle);
- stream_info =
- &axi_data->stream_info[stream_idx];
- ISP_DBG("%s: stream%d frame id: 0x%x\n",
- __func__,
- stream_idx, stream_info->frame_id);
- stream_info->frame_id++;
-
- pingpong_bit = (~(pingpong_status >>
- stream_info->wm[0]) & 0x1);
-
- if (stream_info->stream_type == BURST_STREAM)
- stream_info->
- runtime_num_burst_capture--;
-
- msm_isp_get_done_buf(vfe_dev, stream_info,
- pingpong_status, &done_buf);
- if (stream_info->stream_type ==
- CONTINUOUS_STREAM ||
- stream_info->
- runtime_num_burst_capture > 1) {
- rc = msm_isp_cfg_ping_pong_address(
- vfe_dev, stream_info,
- pingpong_status,
- pingpong_bit);
- }
- if (done_buf && !rc)
- msm_isp_process_done_buf(vfe_dev,
- stream_info, done_buf, ts);
+ continue;
+ }
+ stream_idx =
+ HANDLE_TO_IDX(comp_info->stream_handle);
+ stream_info =
+ &axi_data->stream_info[stream_idx];
+ ISP_DBG("%s: stream%d frame id: 0x%x\n",
+ __func__,
+ stream_idx, stream_info->frame_id);
+ stream_info->frame_id++;
+
+ pingpong_bit = (~(pingpong_status >>
+ stream_info->wm[0]) & 0x1);
+
+ if (stream_info->stream_type == BURST_STREAM)
+ stream_info->
+ runtime_num_burst_capture--;
+
+ msm_isp_get_done_buf(vfe_dev, stream_info,
+ pingpong_status, &done_buf);
+ if (stream_info->stream_type ==
+ CONTINUOUS_STREAM ||
+ stream_info->
+ runtime_num_burst_capture > 1) {
+ rc = msm_isp_cfg_ping_pong_address(
+ vfe_dev, stream_info,
+ pingpong_status,
+ pingpong_bit);
 }
+ if (done_buf && !rc)
+ msm_isp_process_done_buf(vfe_dev,
+ stream_info, done_buf, ts);
 }
 wm_mask &= 
~(comp_info->stream_composite_mask);
 }
 for (i = 0; i < axi_data->hw_info->num_wm; i++) {
 if (wm_mask & (1 << i)) {
- if (!axi_data->free_wm[i]) {
+ stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
+ if ((!axi_data->free_wm[i]) ||
+ (stream_idx >= MAX_NUM_STREAM)) {
 pr_err("%s: Invalid handle for wm irq\n", __func__);
 continue;
 }
- stream_idx = HANDLE_TO_IDX(axi_data->free_wm[i]);
 stream_info = &axi_data->stream_info[stream_idx];
 ISP_DBG("%s: stream%d frame id: 0x%x\n", __func__,
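Review bot: The new `continue` in the composite loop of `msm_isp_process_axi_irq` also skips `wm_mask &= ~(comp_info->stream_composite_mask);`, which the old if/else fell through to. After an invalid composite handle, that composite's write-master bits therefore stay set in `wm_mask` and are handled again as plain WM interrupts by the second loop. Putting `wm_mask &= ~(comp_info->stream_composite_mask);` ahead of `continue;` keeps the previous behaviour. Separately, `stream_idx` is now assigned before the check and again right after it in this loop; the second assignment can be dropped, as was done in the WM loop. Indentation is lost in this view, so the nesting is read from the brace order.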