This change adds extra checking for frame_info_idx to
avoid accessing invalid items in the array.
CRs-Fixed: 3863925
Change-Id: I9f2350aa7d3da35108d26e50ed5198255fc4237a
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
Un-clocked access of registers during dumping the registers while
handling the start failure.
Reason for the issue is that handle regdump trying to read the hw
registers when HW clocks are disabled.
This commits adds a check to validate if the hw is initialized before
accessing the registers.
CRs-Fixed: 3865839
Change-Id: I46878fe1b5442689f8fd909b6bfc9fda0686dac9
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Add check for upperbound for num devices obtained from query cap v2
preventing integer overflow.
CRs-Fixed: 3864081
Change-Id: I899c794bad2278f39dbea3f80ca701e54cf8d1a9
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
This change fixes a potential OOB access issue due to
culprit checking.
CRs-Fixed: 3851339
Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
Current condition to verify that num_links lies in range, is always false.
This change adds fix to condition, while checking num_links range to avoid OOB acccess.
CRs-Fixed: 3830586
Change-Id: I6e69cd373c6d15d2133fc6a286b4dde23234a6b3
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
IO config can be modified due to access to shared memory.
This change scopes the data locally so as to avoid
vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3777635
Change-Id: Ia5dd9138dcf8449e2d800aca9ffed73d9c4ba3ea
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
I2C cmd can be modified due to access to shared memory.
This change scopes the data locally so as to avoid
vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3777534
Change-Id: I4637f49db67d1bd1d5ca418435e3627b5652f604
Signed-off-by: Akash Puliyadi Jegannathan <quic_apuliyad@quicinc.com>
addr variable to have address bound check, due to that increamenting
of that variable can go corrupt other memory address which could lead to
our of bound access. This change will add extra address change before
access addr variable.
CRs-Fixed: 3802568
Change-Id: I0a2804403dc92fa005f8dda5263242eeb01f4765
Signed-off-by: Soumen Ghosh <quic_soumeng@quicinc.com>
Update and refactor SCM calling procedure in accordance to
CSF2.5 framework for supported targets.
isolate domain_id changes to bypass if only csf2.5 supported.
CRs-Fixed: 3806801
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
Change-Id: Idf8ff9716d1e47fb2cea8ea8a34ae3555b29855e
This change fixes OOB access by dynamically allocating memory
for defer bufdone index array and ensuring that allocation
happens after acquire is successful.
CRs-Fixed: 3815399
Change-Id: Icdf5417a74e940ed8ab9f28ac9e0ae22c7bd3c35
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Adds changes to dynamically allocate memory for defer bufdone
index array as per number of ports acquired instead of
hardcoded max resource value which could change target wise.
CRs-Fixed: 3788295
Change-Id: I5d5f43ac41e6abbac0b270eeaf97475b4e39a5d7
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Currently applied clock rate variable is getting updated
with default -ve value for clocks for which no rate set.
This is giving wrong impression of clock rate being applied.
Updated applied clock rate based on clock rate value set.
CRs-Fixed: 3794045
Change-Id: Ib37165dbaf4c1ec56abff1d3ba3eaf21eae79734
Signed-off-by: Alok Chauhan <quic_alokc@quicinc.com>
kref operation is atmoic operation, so no need to use mutex
to protect it, and the cam_mem_put_cpu_buf is also called
in spinlock context, so we can't use mutex lock in this
function. This change removes the mutex lock for kref
variable protextion.
CRs-Fixed: 3786887
Change-Id: Ic05bdafacf06cde6a8d8dbae7512e5d22eb7f514
Signed-off-by: Depeng Shao <quic_depengs@quicinc.com>
(cherry picked from commit bb64b99c83b3bb6da0c241eda74ebe8a19b51840)
Adds proper sanity on virtual cdm right operation to avoid
OOB register space access. After getting the mapped buffers
through cam_mem_get_cpu_buf() in kernel, userspace is still
able to access those buffers. So, the validation of offsets
and sizes does not have any advantage if userspace can alter
those parameters after we have validated them. That's why we
copied the information in kernel before we validate that.
CRs-Fixed: 3778045
Change-Id: I3b53549419b40a92333263e29d93220577d691e9
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
This change add support to update camera qos statically
and dynamically via hyp.
For each NIU camera driver can call scm API with each NIU's
register offsets, value and number of registers offset that need to be
programed.
CRs-Fixed: 3781697
Change-Id: I42705dd2b379e29f7f32f9c2564cc476dc8c1308
Signed-off-by: Dharmender Sharma <quic_dharshar@quicinc.com>
Two threads can access same dma fence, one to get_fence and other
to put_fence. Missing locks and checks on fence could lead to use
after free case. This change adds proper locks and checks before
dma fence get call to avoid this.
CRs-Fixed: 3782903
Change-Id: I283e87f09c44b57bed3dbb782113f3629c9a29bd
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
- Validation of settings_array_offset which is populated
from umd as sizeof(CSLTPGSettingsConfigCmd).
CRs-Fixed: 3788500
Change-Id: Ic848d537f1b56bcfc47b295b063e9670313c9a33
Signed-off-by: Abhilash Mahapatra <quic_abhmah@quicinc.com>
Currently krefcount is using by umd and kmd. Due to sometimes
there is issue in umd, such as release twice. That maybe causes
buffer release before kmd access the buffer. This commit add
a new refcount to track umd in use buffers and use current krefcount
to track kmd in use buffers. For the same buffer use in kmd and umd
only when all refcount become zero, the buffer start to release.
CRs-Fixed: 3692103
Change-Id: I5a58d9bab4c82bdb192d6a6a3d2b3d254dc04c9e
Signed-off-by: zhuo <quic_zhuo@quicinc.com>
TFE is programming WM's bw limiters with default value
without considering if it's already set via blob from UMD.
Skip bw limiter programming for TFE WMs for which
limiter values programmed via blob.
CRs-Fixed: 3767707
Change-Id: I30190def8b2a08c577b3bf1fa71fd2fe3db53c86
Signed-off-by: Alok Chauhan <quic_alokc@quicinc.com>
I2C cmd is coming from user space which can be modified due to
access to shared memory. This change scopes the data locally so
as to avoid vulnerability of count being modified by external
means while executing due to being in shared memory.
CRs-Fixed: 3707472
Change-Id: I8a89e23e99b80b089ed4c4cf3098feead752356e
Signed-off-by: Shivi Mangal <quic_smangal@quicinc.com>
(cherry picked from commit 4e00cc5f9f81bf471d58ee5d6beb210a5326fcff)
Handle out_of_sync_frame_drop interrupt as non fatal till
3 successive occurences. fix prevention of mup bit override
when programming RDI.
CRs-Fixed: 3638271
Change-Id: Ie2f7ef476b76b5074b12b0eb503ae0be1100611a
Signed-off-by: Pranav Sanwal <quic_psanwal@quicinc.com>
