Use proper synchronization to ensure driver file is opened
only once.
CRs-Fixed: 2023513
Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
(cherry picked from commit 84f8c42e5d848b1d04f49d253f98296e8c2280b9)
Validate eeprom_name string length before copying into
the userspace buffer.
If more data than required is copied, userspace has access to
some of the kernel data, which is not intended.
CRs-Fixed: 1090007
Change-Id: Id40a287e0b1a93cc15d9b02c757fe9f347e285f2
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Yang Guang <guyang@codeaurora.org>
Add a check to return value before calling csid config which will
otherwise lead to use after free scenario.
CRs-Fixed: 1040857
Change-Id: I4f4d9e38eeb537875e0d01de0e99913a44dd3f3f
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Verifying the i2c table index value before accessing
the i2c table to avoid memory corruption issues.
CRs-Fixed: 1065916
Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
This change fixes several incorrect or missing array index bound checks.
Bug: 28814502
Change-Id: Icd96555c01330ec11e94c6173d8df1973fe39c33
Signed-off-by: Petar Sivenov <psiven@codeaurora.org>
Added bounds check to user input num_streams at several locations;
without checking, a position outside the array could be dereferenced.
Bug: 28749629
Change-Id: I6e82d8b51e4ec6772316c7daef243240c029db96
Signed-off-by: Jim Rasche <jrasche@codeaurora.org>
I2C command length is of 11 bytes, it includes 10 bytes of data and
1 byte of WR command. Use 11 bytes char array to create command.
Bug: 28770207
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: I5292f238d612810a514b6a8bba9e70e07eb2627f
The index of used stats register is derived from a stream handle least
significant byte and thus can be up to 255. However the stats registers
are up to 8 depending on the target. Thus a bound check is done before
use of the received stats register index value.
Bug: 28749728
Change-Id: I23f1add81eb8e0844103a3a3f59f4e4c2af14ffd
Add a check for the stats index MAX using
MSM_ISP_STATS_MAX before accessing stream info
using that index to avoid any invalid memory access.
Bug: 28749728
Change-Id: I29d9b62cec045598645fbc0e6e62c500eb74bb97
The value csi_lane_mask which is uint16_t is controllable from userspace.
The while loop can loop for 2^16 - 1. Hence extract the required
bit combination from the userspace argument and use it for further
processing.
Bug: 28749721
CRs-Fixed: 511976
Change-Id: I80b0fe7ac273352503d9705510f05debe6cbb10a
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
Upper and lower bound checks are enforced for num_cid
which is passed from userspace with lower as 1 and
max of 16.
Bug: 28747684
Change-Id: Ic5456289cb2f2b4ea17610a7672eb2c5225b7954
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
Fix to prevent an untrusted userspace pointer in the actuator kernel
driver from leading to DoS
Bug: 28768281
Change-Id: I1b64270deb494530d268539e7b420be5ec79b658
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
step_boundary can take values up to the total_steps
Validate the step_boundary before consuming it.
Convert the type of step_index and region_index to uint16_t
step_index and region_index cannot be negative.
Bug: 27890772
CRs-Fixed: 1001092
Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Fix to prevent a kernel heap buffer overflow that allows user
controlled data to be written to the heap via the
msm_camera actuator IOCTLs
Bug: 28557260
Change-Id: I4458831e28e0081fb2f5ae55506be866100e1b4f
Signed-off-by: Vasko Kalanoski <vaskok@codeaurora.org>
An enum value cci_i2c_master is not checked to be greater than 0.
Add the check.
Bug: 28441831
Change-Id: Ibe75ab7155def45d81b8127c5eda3fa2ed570bce
Signed-off-by: Xu Han <hanxu@codeaurora.org>
Remove some unused ioctl exposed. Also add
some bound checks for ioctl user params.
Bug: 28441831
Change-Id: Ifdd441fdb25fd20b005c4e4e1ebe4e203f1216ac
CRs-Fixed: 511382
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Bound check and validate userspace parameters direction,
number of steps and direction sign. Also fix possible
memory leak in certain error cases.
Bug: 28431531
CRs-Fixed: 511349
Change-Id: Icaa324468574494fb40f2de78e522090806744cb
Signed-off-by: Hariram Purushothaman <hpurus@codeaurora.org>
Userspace supplies the actual number of used VFEs in session to ISPIF.
Validate the userspace input value and if found to be invalid, return
error.
BUG=27600832
Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5
Validate input parameters for read and write operations in vfe to
ensure operations are performed within vfe register boundary and
within structure limits passed by caller.
Bug: 19141655
Conflicts:
drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h
Change-Id: If3719de65b32773c2b6ff904da76a951dbfb11eb
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
Signed-off-by: Patrick Tjin <pattjin@google.com>
Signed-off-by: Patrick Tjin <pattjin@google.com>
add sanity check for csid cid to ensure that we never read or write
outside csid_dev->mem buffer
Bug: 19134929
Change-Id: Ic8f0d689fa176720ae3a3316f2ad27556ae7bde5
Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
Signed-off-by: Patrick Tjin <pattjin@google.com>
Driver needs to propagate ERESTARTSYS return code instead
of changing it to some other value.
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
When kernel is interrupted with -ERESTARTSYS, don't perform any
more CCI transaction and return error immediately.
Bug: 11005919
Signed-off-by: Sreesudhan Ramakrish Ramkumar <srramku@codeaurora.org>
Signed-off-by: Mansoor Aftab <maftab@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
Insertions and deletions into the session based command
ack queue need to be synchronized since they may be accessed
from more than one context.
CRs-fixed: 516599
Signed-off-by: Ankit Premrajka <ankitp@codeaurora.org>
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
For stop_session, we want to wait for it to complete before return.
Otherwise, we run into race condition when next start_session
happens.
Signed-off-by: Shuzhen Wang <shuzhenw@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
In hw_exec_cmds() second argument m_cmds should be
of type unsigned integer
Bug: 11518040
Signed-off-by: Apurva Rajguru <arajguru@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
'len' is of type signed int 32bit, but the assigned value
may exceed maximum unsigned int32 range. Add overflow check
and graceful exit if 'm' exceeds UINT32_MAX value.
Bug: 11518040
Signed-off-by: Apurva Rajguru <arajguru@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
Add the missed "break" for CAMERA_FPS_FIX_15 case in
mi1040_sensor_set_fps()
Bug: 11016037
Signed-off-by: Rajaram Gudivada <rajaramg@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
We need to set fine_integ_time_max, frame_length_lines, and
line_length_pck when changing fps to auto.
Bug: 9578220
Change-Id: I52ba353a72c40cff7dc3a3ea5120e9393f55426f
Signed-off-by: chiayi_wu <chiayi_wu@asus.com>
Remove setting fps in the function of setting resolution.
Modify the command sequence for setting frame rate to auto
Bug: 9578220
Change-Id: Ia3a2cbd0aef8194258d5d334815da7505a975b58
Signed-off-by: chiayi_wu <chiayi_wu@asus.com>
There're two sources for front camera, and we use gpios to identify them.
Change-Id: Ib9e9c46c908ca3e204cb81545f65ba023aaf2271
Signed-off-by: chiayi_wu <chiayi_wu@asus.com>
ISPIF clock enable/disable code has a bug with hard coded
value to enable the clock always.
Do not disable the ispif clock after reset while init, and thus
do enable it while ispif release.
Bug: 9306231
Signed-off-by: Nagesh Subba Reddy <nageshsreddy@codeaurora.org>
Signed-off-by: Mekala Natarajan <mekalan@codeaurora.org>
Added the NULL pointer check for isp_config
to avoid the crashes
Change-Id: I2df7eeb5c633b04c3aac5d985cf50c2ece7f1076
CRs-Fixed: 495652
Signed-off-by: Ajay Dudani <adudani@codeaurora.org>
OTP will be written from bank 1.
If the write fails, it will be written to bank 2, and so on.
The maximum number of times is 3.
Vendor suggests us reading OTP from bank 3 to bank 1.
Change-Id: I1108fd7e3ce2b7652964b5995fc51cc488b5d191
Signed-off-by: chiayi_wu <chiayi_wu@asus.com>