DivestOS/Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch
2017-11-07 17:32:46 -05:00

240 lines
8.4 KiB
Diff

From 79db14ca9f791a14be9376a0340ad3b9b9a4d603 Mon Sep 17 00:00:00 2001
From: Jing Zhou <jzhou70@codeaurora.org>
Date: Fri, 11 Mar 2016 17:30:50 -0800
Subject: msm: camera: isp: Fix warning and errors based on static analysis
This change fixes the warning/errors from static analysis
CRs-fixed: 992942
Change-Id: Iaf90ab4c1d17f903d03458d76cab1b4c0a5c8836
Signed-off-by: Jing Zhou <jzhou70@codeaurora.org>
---
drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 3 +--
.../media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 13 ++++++++-----
.../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 5 ++---
drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 16 +++++++++-------
drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 14 +++++++-------
5 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
index b196934..3331f0d 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c
@@ -85,6 +85,7 @@ struct msm_isp_bufq *msm_isp_get_bufq(
/* bufq_handle cannot be 0 */
if ((bufq_handle == 0) ||
+ bufq_index >= BUF_MGR_NUM_BUF_Q ||
(bufq_index > buf_mgr->num_buf_q))
return NULL;
@@ -1329,8 +1330,6 @@ static int msm_isp_buf_mgr_debug(struct msm_isp_buf_mgr *buf_mgr,
for (i = 0; i < BUF_MGR_NUM_BUF_Q; i++) {
bufq = &buf_mgr->bufq[i];
- if (!bufq)
- continue;
spin_lock_irqsave(&bufq->bufq_lock, flags);
if (!bufq->bufq_handle) {
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
index 61cc9b9..c98b8ad 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
@@ -60,7 +60,7 @@ int msm_isp_axi_create_stream(struct vfe_device *vfe_dev,
struct msm_vfe_axi_shared_data *axi_data,
struct msm_vfe_axi_stream_request_cmd *stream_cfg_cmd)
{
- int i = stream_cfg_cmd->stream_src;
+ uint32_t i = stream_cfg_cmd->stream_src;
if (i >= VFE_AXI_SRC_MAX) {
pr_err("%s:%d invalid stream_src %d\n", __func__, __LINE__,
@@ -1686,6 +1686,7 @@ static void msm_isp_handle_done_buf_frame_id_mismatch(
struct msm_isp_event_data error_event;
int ret = 0;
+ memset(&error_event, 0, sizeof(error_event));
error_event.frame_id =
vfe_dev->axi_data.src_info[VFE_PIX_0].frame_id;
error_event.u.error_info.err_type =
@@ -1709,7 +1710,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev,
struct msm_vfe_axi_stream *stream_info, struct msm_isp_buffer *buf,
struct timeval *time_stamp, uint32_t frame_id)
{
- int rc = 0, ret = 0;
+ int rc;
unsigned long flags;
struct msm_isp_event_data buf_event;
uint32_t stream_idx = HANDLE_TO_IDX(stream_info->stream_handle);
@@ -1771,7 +1772,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev,
if (rc == -EFAULT) {
msm_isp_halt_send_error(vfe_dev,
ISP_EVENT_BUF_FATAL_ERROR);
- return ret;
+ return rc;
}
if (!rc) {
ISP_DBG("%s:%d vfe_id %d Buffer dropped %d\n",
@@ -1827,7 +1828,7 @@ static int msm_isp_process_done_buf(struct vfe_device *vfe_dev,
if (rc == -EFAULT) {
msm_isp_halt_send_error(vfe_dev,
ISP_EVENT_BUF_FATAL_ERROR);
- return ret;
+ return rc;
}
}
@@ -2406,7 +2407,8 @@ static int msm_isp_update_dual_HW_ms_info_at_stop(
static int msm_isp_update_dual_HW_axi(struct vfe_device *vfe_dev,
struct msm_vfe_axi_stream *stream_info)
{
- int rc = 0, vfe_id;
+ int rc = 0;
+ int vfe_id;
uint32_t stream_idx = HANDLE_TO_IDX(stream_info->stream_handle);
struct dual_vfe_resource *dual_vfe_res = NULL;
@@ -2871,6 +2873,7 @@ static int msm_isp_return_empty_buffer(struct vfe_device *vfe_dev,
return rc;
}
+ memset(&error_event, 0, sizeof(error_event));
error_event.frame_id = frame_id;
error_event.u.error_info.err_type = ISP_ERROR_RETURN_EMPTY_BUFFER;
error_event.u.error_info.session_id = stream_info->session_id;
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
index fe97f13..7eaffad 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c
@@ -117,7 +117,7 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev,
= buf;
}
}
- } else if (!vfe_dev->is_split) {
+ } else {
if (buf)
vfe_dev->hw_info->vfe_ops.stats_ops.
update_ping_pong_addr(
@@ -285,8 +285,7 @@ static int32_t msm_isp_stats_configure(struct vfe_device *vfe_dev,
if (rc < 0) {
pr_err("%s:%d failed: stats buf divert rc %d\n",
__func__, __LINE__, rc);
- if (0 == result)
- result = rc;
+ result = rc;
}
}
if (is_composite && comp_stats_type_mask) {
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 4535d20..8a6c395e 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -944,6 +944,7 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
unsigned int cmd, void *arg)
{
long rc = 0;
+ long rc2 = 0;
struct vfe_device *vfe_dev = v4l2_get_subdevdata(sd);
if (!vfe_dev || !vfe_dev->vfe_base) {
@@ -1023,7 +1024,9 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
if (atomic_read(&vfe_dev->error_info.overflow_state)
!= HALT_ENFORCED) {
rc = msm_isp_stats_reset(vfe_dev);
- rc |= msm_isp_axi_reset(vfe_dev, arg);
+ rc2 = msm_isp_axi_reset(vfe_dev, arg);
+ if (!rc && rc2)
+ rc = rc2;
} else {
pr_err_ratelimited("%s: no HW reset, halt enforced.\n",
__func__);
@@ -1035,7 +1038,9 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
if (atomic_read(&vfe_dev->error_info.overflow_state)
!= HALT_ENFORCED) {
rc = msm_isp_stats_restart(vfe_dev);
- rc |= msm_isp_axi_restart(vfe_dev, arg);
+ rc2 = msm_isp_axi_restart(vfe_dev, arg);
+ if (!rc && rc2)
+ rc = rc2;
} else {
pr_err_ratelimited("%s: no AXI restart, halt enforced.\n",
__func__);
@@ -1822,8 +1827,6 @@ void msm_isp_update_error_frame_count(struct vfe_device *vfe_dev)
{
struct msm_vfe_error_info *error_info = &vfe_dev->error_info;
error_info->info_dump_frame_count++;
- if (error_info->info_dump_frame_count == 0)
- error_info->info_dump_frame_count++;
}
@@ -1922,6 +1925,7 @@ static void msm_isp_process_overflow_irq(
if (atomic_read(&vfe_dev->error_info.overflow_state)
!= HALT_ENFORCED) {
+ memset(&error_event, 0, sizeof(error_event));
error_event.frame_id =
vfe_dev->axi_data.src_info[VFE_PIX_0].frame_id;
error_event.u.error_info.err_type =
@@ -1939,10 +1943,8 @@ void msm_isp_reset_burst_count_and_frame_drop(
stream_info->stream_type != BURST_STREAM) {
return;
}
- if (stream_info->stream_type == BURST_STREAM &&
- stream_info->num_burst_capture != 0) {
+ if (stream_info->num_burst_capture != 0)
msm_isp_reset_framedrop(vfe_dev, stream_info);
- }
}
static void msm_isp_enqueue_tasklet_cmd(struct vfe_device *vfe_dev,
diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
index dc6af17..640379d 100644
--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c
@@ -467,23 +467,23 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif,
switch (intftype) {
case PIX0:
data &= ~(BIT(1) | BIT(0));
- data |= csid;
+ data |= (uint32_t) csid;
break;
case RDI0:
data &= ~(BIT(5) | BIT(4));
- data |= (csid << 4);
+ data |= ((uint32_t) csid) << 4;
break;
case PIX1:
data &= ~(BIT(9) | BIT(8));
- data |= (csid << 8);
+ data |= ((uint32_t) csid) << 8;
break;
case RDI1:
data &= ~(BIT(13) | BIT(12));
- data |= (csid << 12);
+ data |= ((uint32_t) csid) << 12;
break;
case RDI2:
data &= ~(BIT(21) | BIT(20));
- data |= (csid << 20);
+ data |= ((uint32_t) csid) << 20;
break;
}
@@ -559,9 +559,9 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif,
data = msm_camera_io_r(ispif->base + intf_addr);
if (enable)
- data |= cid_mask;
+ data |= (uint32_t) cid_mask;
else
- data &= ~cid_mask;
+ data &= ~((uint32_t) cid_mask);
msm_camera_io_w_mb(data, ispif->base + intf_addr);
}
--
cgit v1.1