Ratelimit log in msm_vb2_buf_cleanup to prevent excessive logging when
stream is NULL.
Change-Id: Ia687375c8e2a2683a4d32cd0eb984f731b2288e7
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
The camera generic buffer manager and isp buffer
manager keep references of vb2 buffers locally during
buffer circulation. If for some reason the vb2 buffers
are freed by a cleanup call from mediaserver, the memory
for the buffers is freed, but the camera buffer managers
still access them for a fraction of time before the cleanup
call is triggered from the daemon process. Hence make sure
to access the vb2 buffers only after checking for
their existence in the vb2 queues to avoid memory corruption.
Change-Id: I7a1e5f9a3af3345e0c37d3208facbab107a6b9ed
Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
Exclude the 4 bytes which hold the size of the buffer while
calculating the actual buffer size to avoid an OOB write.
CRs-Fixed: 2534791
Change-Id: Ic8a80e07a2cbadd6cce197dcf4f359bdaea373d6
Signed-off-by: Paras Nagda <pnagda@codeaurora.org>
Issue:
The region index is not validated against the region size.
This causes an out-of-bounds read on the KASAN kernel.
Fix:
Add a restriction that the region index must be smaller than the region size.
CRs-Fixed: 2153841
Change-Id: I141bba45662769f0661c947fb642c2671578f32e
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Use trusted packet size on the received packet and check for
the size of the data received against the expected size
before accessing the packet.
Bug: 140423290
Change-Id: I1bd6008249a0bf4edeec711ec8d23cf7b8dac1f1
Signed-off-by: Priyanka Gujjula <pgujjula@codeaurora.org>
Validate structures and payload sizes in the
packet against the packet size to avoid OOB access.
Change-Id: I3749ae5d322140c98eb0227cfa31ab32459fc492
Signed-off-by: Manikanta Kanamarlapudi <kmanikan@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
At start of the axi stream, we are acquiring the
buffer lock and releasing it after completing
the stream configuration operations. In case
of live snapshot, this is causing the buffer
operations to halt and leading to an sof freeze.
Change-Id: I2a3d05742e0cc8921787516c6d444937047c1fef
CRs-Fixed: 2149998
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: Vijay Kumar TM <vtmuni@codeaurora.org>
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed at RELEASE_BUF call at
the same time.
Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
This snapshot is taken from msm-4.9
Ported it from 4.9 to 3.18
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Validate structures and payload sizes in the
packet against the packet size to avoid OOB access.
Change-Id: Id44e5c6be4dde3e6545d453f5edd3219776a4e58
Signed-off-by: Manikanta Kanamarlapudi <kmanikan@codeaurora.org>
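The size checks described in the packet-validation commits above (excluding the 4-byte size field when computing the usable buffer size, trusting only the received length, and checking each structure and payload size against the packet size), as an added C example that is not code from these commits or from the driver; the packet layout, the names and the limits are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed layout (not the driver's real wire format): a 4-byte little-endian
 * total size that counts itself, then entries of 2-byte type, 2-byte length, payload. */
#define PKT_SIZE_HDR 4u
#define ENTRY_HDR    4u
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the entry count, or -1 if any size field does not fit. recv_len is the
 * number of bytes actually received: the only size we trust. On success *body_len
 * is the usable payload size with the 4-byte size field excluded. */
int validate_packet(const uint8_t *pkt, size_t recv_len, uint32_t *body_len)
{
    if (recv_len < PKT_SIZE_HDR)
        return -1;
    uint32_t total = rd32(pkt);
    /* Claimed size must cover its own header (else total - 4 underflows) and
     * must not exceed what was actually received. */
    if (total < PKT_SIZE_HDR || total > recv_len)
        return -1;
    size_t off = PKT_SIZE_HDR;
    int count = 0;
    while (off < total) {
        if (total - off < ENTRY_HDR)
            return -1;                  /* truncated entry header */
        uint16_t len = rd16(pkt + off + 2);
        if (len > total - off - ENTRY_HDR)
            return -1;                  /* payload would run past the packet */
        off += ENTRY_HDR + len;
        count++;
    }
    *body_len = total - PKT_SIZE_HDR;   /* exclude the size field itself */
    return count;
}

/* Copy the validated body into a fixed buffer; refuse if it would not fit. */
int copy_body(uint8_t *dst, size_t dst_size, const uint8_t *pkt, size_t recv_len)
{
    uint32_t body;
    if (validate_packet(pkt, recv_len, &body) < 0 || body > dst_size)
        return -1;
    memcpy(dst, pkt + PKT_SIZE_HDR, body);
    return (int)body;
}
```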
Ensure the count of supported encoder and decoder returned
from firmware are within the range of supported sessions.
Change-Id: If3eae7bc82dc8302444e2e4104fb6ae3cfbfed5a
Signed-off-by: Dikshita Agarwal <dikshita@codeaurora.org>
TX and RX FIFOs of the Microcontroller are used to exchange commands
and messages between the Micro FW and the CPP driver. TX FIFO depth is
16 32-bit words; in case of errors there is a chance of overflow.
To prevent possible out of bound access, the TX FIFO depth or
level is checked against the MAX depth before accessing the FIFO.
Change-Id: I5adf39b46ff10e358c4a2c03a2de07d44b99cedb
Signed-off-by: Pratap Nirujogi <pratapn@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Input num_streams cannot be greater than the max allowed
number of streams, otherwise this causes an OOB read access.
Add a bounds check for num_streams, which is user input.
CRs-Fixed: 2330040
Change-Id: I76fb785dc54c597603d748d604844952cea659ea
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
The gerrit removes debug code which is not being
used anymore.
CRs-Fixed: 2054144
Change-Id: I579d641f00592fcbbd6d75c6a0845a1b986973da
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.
Bug: 114041685
Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Stability issues are observed if a pm qos request is removed without having been added.
Check the pm qos request status before removing it.
The default request type PM_QOS_REQ_ALL_CORES is applicable to
all CPU cores that are online and would have a power impact when there is
a larger number of CPUs. Specify a request type of PM_QOS_REQ_AFFINE_IRQ.
CRs-Fixed: 995426
Change-Id: I738f201ed126c6be4076c582c37999362e1d0e88
Signed-off-by: Srinu Gorle <sgorle@codeaurora.org>
During video playback, L2 power collapse is occurring far too often to
actually save power. As such, apply a vote to prevent L2 PC from
occurring.
Change-Id: I1d86b47a1ed9dffb02d099d3158892bf99ed955e
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Secure decode doesn't need userptr and uses an ion fd instead. We were
conducting userptr validation regardless of the decode mode (secure/
unsecure). This forced the user to populate userptr with a dummy value
during QBUF in secure mode decode on both output and capture ports
to avoid a userptr validation failure.
CRs-Fixed: 2049213
Change-Id: I0060efb52792201a2634072f648a537ebb02d17c
Signed-off-by: Prabhakar Reddy Krishnappa <prkrishn@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
When ion imports a dma buf, it will return a negative error number
in the case of a failure like a bad file number or an invalid dma buf file.
Check ion_handle for error numbers.
CRs-Fixed: 1071602
Change-Id: I1ea93161b85deb667cbb6f8515ff7c6943da6e3d
Signed-off-by: Karthikeyan Periasamy <kperiasa@codeaurora.org>
Signed-off-by: Venumadhav Kurva <kurva@codeaurora.org>
When the video driver queues the flush event, it doesn't convey the
port which is flushed. Due to this, userspace content has to
handle the event according to the flush status variables that it
maintains. This handling can go wrong when there are concurrent
flush commands from the client. Address this by adding the port detail
to the flush event.
Change-Id: Ie9b7e35ad396ba8eed20dcca1f655b3e23f6626c
Signed-off-by: Abdulla Anam <abdullahanam@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Driver was holding a buffer whose ref count was 1. Since firmware had
already released the reference of this buffer, there was no need for
driver to hold it. By holding the buffer in driver, the buffer gets
lost and is not returned back to client after a flush is issued.
Fix this issue by holding the buffer in driver only if firmware is holding
a reference of the mapped buffer, i.e, the ref count of the buffer is 2.
Change-Id: I18f1de06eee72019f340f68407c07ec76f1539d1
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Firmware does not have any hard requirement for pre-announcement
of input/output buffers. So, remove this driver restriction.
Change-Id: I97786d69cd12c3f162f9a00465c7b3f71d69c06c
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Fix for a possible information leak issue because of an uninitialised variable
which can be accessed from userspace in the camera fd driver.
Bug: 73889358
Signed-off-by: annamraj <annamraj@codeaurora.org>
Change-Id: I4552c4829e9532d848e46fd123316b26105e310e
When set_buffers fails, binfo is freed and again accessed
while freeing smem memory.
CRs-Fixed: 2118860
Change-Id: Ifdd683f907862665e34d6d39d5a8634984804c01
Signed-off-by: Chinmay Sawarkar <chinmays@codeaurora.org>
CVE-2018-5844
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed at RELEASE_BUF call
at the same time.
CRs-Fixed: 2149998
Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Bug: 69065862
Signed-off-by: Sean Callanan <spyffe@google.com>
Issue:
The region index is not validated against the region size.
This causes an out-of-bounds read on the KASAN kernel.
Fix:
Add a restriction that the region index must be smaller than the region size.
CRs-Fixed: 2153841
Bug: 65122765
Change-Id: I141bba45662769f0661c947fb642c2671578f32e
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Increase the minimum input buffer count for VP9 decode to 6, as
some vp9 clips which have superframes with more than 4 subframes
require more than 4 reference buffers to decode.
Bug: 65175134
Change-Id: I561f4c3ad4c4a94c36293c26aab3a9c9423e9268
Signed-off-by: Deepak Kushwah <dkushwah@codeaurora.org>
Signed-off-by: Santhosh Behara <santhoshbehara@codeaurora.org>
The pointer qbuf_buf comes from userspace.
qbuf_buf->num_planes is used with no bound check,
which, if set to a large value, will overflow
buf_info->mapped_info and qbuf_buf->planes.
CRs-Fixed: 2003798
Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Issue:
i2c_reg_tbl may be NULL under an error condition when setting a param.
Then other actuator functions may still use i2c_reg_tbl while it is NULL.
Fix:
1) Make the assignment of total_steps follow the kmalloc of the buffer.
2) Add a NULL pointer check for the i2c tbl.
CRs-Fixed: 2152401
Change-Id: Ieec3d88e6dae0177787da0906f53d59ac4f5a624
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
If userspace issues write with string of length 21 or more then
there is a chance that kernel will overread lbuf array.
This change makes sure that lbuf is NULL terminated.
Change-Id: I9ad6d5a607b2ff1f293512be9746ee554b076b10
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
The variables "slave_info->sensor_name", "slave_info->eeprom_name",
"slave_info->actuator_name" and "slave_info->ois_name" come
from user input and may not be NULL terminated.
OOB access is possible when accessing these variables.
Add a validation for the length of these names.
Change-Id: I9a570372707b7f8365a625d6b0662e87d1b4926e
Signed-off-by: Depeng Shao <dshao@codeaurora.org>
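The two string-handling fixes above (a write handler's line buffer that must stay NUL terminated, and name fields from userspace that may lack a terminator), as an added C example that is not code from these commits or from the driver; the struct, the field sizes and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 32u   /* constructed size of the fixed name fields */
#define LBUF_SIZE    21u   /* constructed size of a write handler's line buffer */

/* Constructed stand-in for a slave-info struct copied in from userspace. */
struct slave_info_user {
    char sensor_name[NAME_MAX_LEN];
    char eeprom_name[NAME_MAX_LEN];
    char actuator_name[NAME_MAX_LEN];
    char ois_name[NAME_MAX_LEN];
};

/* A name is usable only if a NUL byte lies inside its array; otherwise strlen,
 * strcmp or a %s format would read on past the end of the struct. */
static int name_is_terminated(const char *name)
{
    return memchr(name, '\0', NAME_MAX_LEN) != NULL;
}

/* Validate every user-provided name before anything else touches it.
 * Returns 0 on success, -1 (where a driver would return -EINVAL) otherwise. */
int validate_slave_info(const struct slave_info_user *si)
{
    if (!name_is_terminated(si->sensor_name) ||
        !name_is_terminated(si->eeprom_name) ||
        !name_is_terminated(si->actuator_name) ||
        !name_is_terminated(si->ois_name))
        return -1;
    return 0;
}

/* Write-handler pattern: keep at most LBUF_SIZE-1 bytes of the user's write and
 * always terminate, so a write of 21 bytes or more cannot leave lbuf unterminated
 * for the parser that follows. user_buf stands in for copy_from_user's source.
 * Returns the number of bytes kept. */
size_t store_line(char lbuf[LBUF_SIZE], const char *user_buf, size_t count)
{
    size_t n = count < LBUF_SIZE - 1 ? count : LBUF_SIZE - 1;
    memcpy(lbuf, user_buf, n);
    lbuf[n] = '\0';
    return n;
}
```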
Prevent a deadlock between the tasklet and delete_stream by stopping
the irq during delete_stream.
CRs-Fixed: 2076578
Change-Id: Ibcc9fd44403d24112b01150a7d1f3c6e705ea99a
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Issue:
When total_steps is updated and copy_from_user then
fails with an error, i2c_reg_tbl is not allocated.
In this case, calling msm_actuator_parse_i2c_params
leads to an out-of-bounds memory write.
Fix:
1) Assign total_steps to zero on an error from copying.
2) Add a NULL pointer check for the i2c tbl.
CRs-Fixed: 2111672
Change-Id: Ib9dcb182356e2df8078c131edfd0791fa95a35e0
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
- The number of streams comes from userspace and is used without
any bound check. It may result in an overflow of update_info.
CRs-Fixed: 2006829
Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
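The bound checks described in the commits above for the region index, num_streams, num_planes and the number of streams used to fill update_info, shown together as an added C example that is not code from these commits or from the driver; the limits, structs and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed limits and structures, not the driver's real definitions. */
#define MAX_PLANES  8u
#define MAX_STREAMS 4u
#define NUM_REGIONS 16u

struct plane_user { uint32_t fd; uint32_t offset; uint32_t length; };
/* What a QBUF-style ioctl copies in: a caller-chosen count plus a fixed array. */
struct qbuf_user { uint32_t num_planes; struct plane_user planes[MAX_PLANES]; };
struct buf_info  { uint32_t mapped_len[MAX_PLANES]; uint32_t nplanes; };

/* Copy plane lengths into kernel state. num_planes is rejected before the loop
 * if it exceeds MAX_PLANES, so it can never index past mapped_len or planes. */
int map_planes(struct buf_info *bi, const struct qbuf_user *qb)
{
    if (qb->num_planes == 0 || qb->num_planes > MAX_PLANES)
        return -1;
    for (uint32_t i = 0; i < qb->num_planes; i++)
        bi->mapped_len[i] = qb->planes[i].length;
    bi->nplanes = qb->num_planes;
    return 0;
}

/* Stream update: the caller's stream count bounds a loop that fills a fixed
 * update_info array of MAX_STREAMS entries. Returns entries written or -1. */
int update_streams(uint32_t update_info[MAX_STREAMS], uint32_t num_streams,
                   const uint32_t *ids)
{
    if (num_streams > MAX_STREAMS)
        return -1;
    for (uint32_t i = 0; i < num_streams; i++)
        update_info[i] = ids[i];
    return (int)num_streams;
}

/* Region lookup: the index must be strictly less than the region count; an
 * index equal to the count is already one element past the end. */
int read_region(const uint32_t regions[NUM_REGIONS], uint32_t idx, uint32_t *out)
{
    if (idx >= NUM_REGIONS)
        return -1;
    *out = regions[idx];
    return 0;
}
```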
Make use of mutex lock to access IOCTL so that two threads
can avoid race condition.
Change-Id: I00db78a42c86eef8a157b5b3547e4ca0006b0853
Signed-off-by: annamraj <annamraj@codeaurora.org>
Information leak issue is reported in mpq_sdmx_log_level_write
function. Added check to validate count is not zero and initialize
the string.
Change-Id: Ieb2ed88c2d7d778c56be2ec3b9875270a9c74dce
Signed-off-by: Udaya Bhaskara Reddy Mallavarapu <udaym@codeaurora.org>