From 7a26934e4196b4aa61944081989189d59b108768 Mon Sep 17 00:00:00 2001 From: Petar Sivenov Date: Tue, 13 Aug 2013 10:12:39 -0700 Subject: msm: camera: isp: Bound check for number stats registers The index of used stats register is derived from a stream handle least significant byte and thus can be up to 255. However the stats registers are up to 8 depending of the target. Thus a bound check is done before use of the received stats register index value. Change-Id: Ic008918f4263f57a5b8aabd34266ac1ba3612a9c Signed-off-by: Petar Sivenov --- .../msm/camera_v2/isp/msm_isp_stats_util.c | 50 ++++++++++++++++------ .../platform/msm/camera_v2/isp/msm_isp_util.c | 4 +- 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c index 0840e30..b479857 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c @@ -23,8 +23,16 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev, struct msm_isp_buffer *buf; uint32_t pingpong_bit = 0; uint32_t bufq_handle = stream_info->bufq_handle; - uint32_t stats_pingpong_offset = - STATS_IDX(stream_info->stream_handle) + + uint32_t stats_pingpong_offset; + + if (STATS_IDX(stream_info->stream_handle) >= + vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, + STATS_IDX(stream_info->stream_handle)); + return -EINVAL; + } + + stats_pingpong_offset = STATS_IDX(stream_info->stream_handle) + vfe_dev->hw_info->stats_hw_info->stats_ping_pong_offset; pingpong_bit = (~(pingpong_status >> stats_pingpong_offset) & 0x1); @@ -151,10 +159,9 @@ int msm_isp_stats_create_stream(struct vfe_device *vfe_dev, stats_idx = vfe_dev->hw_info->vfe_ops.stats_ops. get_stats_idx(stream_req_cmd->stats_type); - if ((stats_idx > MSM_ISP_STATS_MAX) || - (stats_idx == -EINVAL)) { - pr_err("%s: Stats idx Error\n", __func__); - return rc; + if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, stats_idx); + return -EINVAL; } stream_info = &stats_data->stream_info[stats_idx]; @@ -209,9 +216,10 @@ int msm_isp_request_stats_stream(struct vfe_device *vfe_dev, void *arg) } stats_idx = STATS_IDX(stream_req_cmd->stream_handle); - if (stats_idx > MSM_ISP_STATS_MAX) { - pr_err("%s: Stats idx Error\n", __func__); - return rc; + + if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, stats_idx); + return -EINVAL; } stream_info = &stats_data->stream_info[stats_idx]; @@ -242,9 +250,9 @@ int msm_isp_release_stats_stream(struct vfe_device *vfe_dev, void *arg) int stats_idx = STATS_IDX(stream_release_cmd->stream_handle); struct msm_vfe_stats_stream *stream_info = NULL; - if (stats_idx > MSM_ISP_STATS_MAX) { - pr_err("%s: Stats idx Error\n", __func__); - return rc; + if (stats_idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, stats_idx); + return -EINVAL; } stream_info = &stats_data->stream_info[stats_idx]; @@ -379,6 +387,12 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev, struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; for (i = 0; i < stream_cfg_cmd->num_streams; i++) { idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + + if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, idx); + return -EINVAL; + } + stream_info = &stats_data->stream_info[idx]; if (stream_info->stream_handle != stream_cfg_cmd->stream_handle[i]) { @@ -423,6 +437,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev, struct msm_vfe_stats_shared_data *stats_data = &vfe_dev->stats_data; for (i = 0; i < stream_cfg_cmd->num_streams; i++) { idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + + if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, idx); + return -EINVAL; + } + stream_info = &stats_data->stream_info[idx]; if (stream_info->stream_handle != stream_cfg_cmd->stream_handle[i]) { @@ -453,6 +473,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev, for (i = 0; i < stream_cfg_cmd->num_streams; i++) { idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + + if (idx >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { + pr_err("%s Invalid stats index %d", __func__, idx); + return -EINVAL; + } + stream_info = &stats_data->stream_info[idx]; msm_isp_deinit_stats_ping_pong_reg(vfe_dev, stream_info); } diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c index fcdf34e..6dba4153 100644 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c @@ -768,6 +768,8 @@ void msm_isp_update_error_frame_count(struct vfe_device *vfe_dev) void msm_isp_process_error_info(struct vfe_device *vfe_dev) { int i; + uint8_t num_stats_type = + vfe_dev->hw_info->stats_hw_info->num_stats_type; struct msm_vfe_error_info *error_info = &vfe_dev->error_info; static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST); @@ -791,7 +793,7 @@ void msm_isp_process_error_info(struct vfe_device *vfe_dev) error_info->stream_framedrop_count[i] = 0; } } - for (i = 0; i < MSM_ISP_STATS_MAX; i++) { + for (i = 0; i < num_stats_type; i++) { if (error_info->stats_framedrop_count[i] != 0 && __ratelimit(&rs_stats)) { pr_err("%s: Stats stream[%d]: dropped %d frames\n", -- cgit v1.1