Currently ion can only share buffers with dma buf fd's. Fd's can not be
used inside the kernel as they are process specific so support for
sharing buffers with dma buf kernel handles is needed to support kernel
only use cases. An example use case could be a GPU driver using ion
that wants to share its output buffers with a 3rd party display
controller driver supporting dma buf.
Change-Id: I74388160ad65ee5380b87dbb20521a97ddf6727a
Signed-off-by: Johan Mossberg <johan.mossberg@stericsson.com>
Git-commit: 1a6c74e0d58f6ca028f36c3d794fecff8543bbfb
Git-repo: https://android.googlesource.com/kernel/common
[lauraa@codeaurora.org: update callers of function]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
We need to remove stale entries in the cache when allocating buffers, as
the ION driver doesn't invalidate the cache.
CRs-Fixed: 456500
Change-Id: Ibe931251b6f06c6acbe6bc8a095b0e925dc08857
Signed-off-by: Rajeshwar Kurapaty <rkurapat@codeaurora.org>
Use proper synchronization to ensure driver file is opened
only once.
CRs-Fixed: 2023513
Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
(cherry picked from commit 84f8c42e5d848b1d04f49d253f98296e8c2280b9)
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has the access to
some of kernel data which is not intended.
CRs-Fixed: 1090007
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
Add a check to return value before calling csid config which will
otherwise lead to use after free scenario.
CRs-Fixed: 1040857
Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
These structs have holes and reserved struct members which aren't
cleared. I've added a memset() so we don't leak stack information.
Change-Id: Ie3c281fd75181b10650a4f7f7d791b8dd4aa1eb3
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Verifying the i2c table index value before accessing
the i2c table to avoid memory corruption issues.
CRs-Fixed: 1065916
Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
This change fixes several incorrect or missing array index bound checks.
Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
Added bounds checks to user input num_streams at several locations;
without checking, a position outside the array could be dereferenced.
Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
I2C command length is of 11 bytes, it includes 10 bytes of data and
1 byte of WR command. Use 11 bytes char array to create command.
Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
The index of used stats register is derived from a stream handle least
significant byte and thus can be up to 255. However the stats registers
are up to 8 depending on the target. Thus a bound check is done before
use of the received stats register index value.
Bug: 28749728
Change-Id: I23f1add81eb8e0844103a3a3f59f4e4c2af14ffd
Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.
Bug: 28749728
Change-Id: I29d9b62cec045598645fbc0e6e62c500eb74bb97
The value csi_lane_mask which is uint16_t is controllable from userspace.
The while loop can loop for 2^16 - 1. Hence extract the required
bit combination from the userspace argument and use it for further
processing.
Bug: 28749721
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
Upper and lower bound checks are enforced for num_cid
which is passed from userspace with lower as 1 and
max of 16.
Bug: 28747684
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
struct media_link_desc is copy_to_user'ed as the return value of
MEDIA_IOC_ENUM_LINKS. When copying, the driver is omitting to initialise
the reserved fields. This commit fixes that by initialising the
reserved fields to 0.
Bug: 28750150
CRs-Fixed: 570757
Change-Id: I230e2666c0845cc36399518a0f2c94db664382d1
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Use copy_from_user kernel api to copy any data from user space
to kernel space.
Bug: 28769546
Change-Id: Ia3b7bb0f98180bd8792c1c18e930cb5609b8dc82
CRs-Fixed: 540320
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Checking if driver's buffer is large enough to copy
the data from user space.
Bug: 28769546
Change-Id: I7b4eed81cf77ce2973669ce18ccd95a5df397d82
CRs-fixed: 552329
Signed-off-by: Satish Kodishala <skodisha@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Casting an unsigned int into an integer, or an integer to
unsigned int, may cause buffer overflow.
Bug: 28769368
Change-Id: I54be4d4c5470616a59a772c587fe6d5f32575c32
CRs-Fixed: 539008
Signed-off-by: Ayaz Ahmad <aahmad@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
Fix to prevent an untrusted userspace pointer in the actuator kernel
driver from leading to DoS.
Bug: 28768281
Change-Id: I1b64270deb494530d268539e7b420be5ec79b658
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
step_boundary can take values up to the total_steps.
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t.
step_index and region_index cannot be negative.
Bug: 27890772
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Fix to prevent a kernel heap buffer overflow that allows user
controlled data to be written to the heap via the
msm_camera actuator IOCTLs.
Bug: 28557260
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
An enum value cci_i2c_master is not checked to be greater than 0.
Add the check.
Bug: 28441831
Change-Id: Ibe75ab7155def45d81b8127c5eda3fa2ed570bce
Signed-off-by: Xu Han <hanxu@codeaurora.org>
Remove some unused exposed ioctls. Also add
some bound checks for ioctl user params.
Bug: 28441831
Change-Id: Ifdd441fdb25fd20b005c4e4e1ebe4e203f1216ac
CRs-Fixed: 511382
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Bound check and validate userspace parameters direction,
number of steps and direction sign. Also fix possible
memory leak in certain error cases.
Bug: 28431531
CRs-Fixed: 511349
Change-Id: Icaa324468574494fb40f2de78e522090806744cb
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
commit a66b0c41ad277ae62a3ae6ac430a71882f899557 upstream.
The input_dev is already gone when the rc device is being unregistered
so checking for its presence only means that no remove uevent will be
generated.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Zefan Li <lizefan@huawei.com>
Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.
BUG=27600832
Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5
Validate input parameters for read and write operations in vfe to
ensure operations are performed within vfe register boundary and
within structure limits passed by caller.
Bug: 19141655
Conflicts:
drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h
Change-Id: If3719de65b32773c2b6ff904da76a951dbfb11eb
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
Signed-off-by: Patrick Tjin <pattjin@google.com>
Signed-off-by: Patrick Tjin <pattjin@google.com>
Add sanity check for csid cid to ensure that we never read or write
outside csid_dev->mem buffer
Bug: 19134929
Change-Id: Ic8f0d689fa176720ae3a3316f2ad27556ae7bde5
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
Signed-off-by: Patrick Tjin <pattjin@google.com>
commit 89f4d45b27 upstream.
In case of error, the function kthread_run() returns ERR_PTR()
and never returns NULL. The NULL test in the return value check
should be replaced with IS_ERR().
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2e923a0527 upstream.
free_buff_list and rec_buff_list are initialized in the middle of hdpvr_probe(),
but if something bad happens before that, error handling code calls hdpvr_delete(),
which contains iteration over the lists (via hdpvr_free_buffers()).
The patch moves the lists initialization to the beginning and by the way fixes
goto label in error handling of registering videodev.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 280847b532 upstream.
Video nodes can be used at once after registration, so make sure the full
initialization is done before registering them.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 414abbd2cd upstream.
In dvb_ringbuffer lock-less synchronization of reader and writer threads is done
with separate read and write pointers. Since dvb_ringbuffer_flush() modifies the
read pointer, this function must not be called from the writer thread.
This patch removes the dvb_ringbuffer_flush() calls in the dmxdev ringbuffer
write functions, this fixes Oopses "Unable to handle kernel paging request"
I could observe for the call chain dvb_demux_read -> dvb_dmxdev_buffer_read ->
dvb_ringbuffer_read_user -> __copy_to_user (the reader side of the ringbuffer).
The flush calls at the write side are not necessary anyway since ringbuffer_flush
is also called in dvb_dmxdev_buffer_read() when an error condition is set in the
ringbuffer.
This patch should also be applied to stable kernels.
Signed-off-by: Soeren Moch <smoch@web.de>
Reviewed-by: Sakari Ailus <sakari.ailus@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 55ee64b30a upstream.
Walking rbtree while it's modified is a Bad Idea(tm); besides,
the result of find_vma() can be freed just as it's getting returned
to caller. Fortunately, it's easy to fix - just take ->mmap_sem a bit
earlier (and don't bother with find_vma() at all if virtp >= PAGE_OFFSET -
in that case we don't even look at its result).
While we are at it, what prevents VIDIOC_PREPARE_BUF calling
v4l_prepare_buf() -> (e.g) vb2_ioctl_prepare_buf() -> vb2_prepare_buf() ->
__buf_prepare() -> __qbuf_userptr() -> vb2_vmalloc_get_userptr() -> find_vma(),
AFAICS without having taken ->mmap_sem anywhere in process? The code flow
is bloody convoluted and depends on a bunch of things done by initialization,
so I certainly might've missed something...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sakari Ailus <sakari.ailus@iki.fi>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Archit Taneja <archit@ti.com>
Cc: Prabhakar Lad <prabhakar.lad@ti.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 317efce991 upstream.
When subdev registration fails the subdev v4l2_dev field is left to a
non-NULL value. Later calls to v4l2_device_unregister_subdev() will
consider the subdev as registered and will module_put() the subdev
module without any matching module_get().
Fix this by setting the subdev v4l2_dev field to NULL in
v4l2_device_register_subdev() when the function fails.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust context, filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 98fd485795 upstream.
Add the USB ID for the Kinect for Windows RGB camera so it can be used
with the gspca_kinect driver.
Signed-off-by: Jacob Schloss <jacob.schloss@unlimitedautomata.com>
Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jianguo Wu <wujianguo@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Driver needs to propagate ERESTARTSYS return code instead
of changing it to some other value.
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
When kernel is interrupted with -ERESTARTSYS, don't perform any
more CCI transaction and return error immediately.
Bug: 11005919
Signed-off-by: Sreesudhan Ramakrish Ramkumar <srramku@codeaurora.org>
Signed-off-by: Mansoor Aftab <maftab@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>