authorHariram Purushothaman <hariramp@codeaurora.org>2017-02-16 11:41:27 -0800
committerHariram Purushothaman <hariramp@codeaurora.org>2017-02-16 13:47:15 -0800
commit2fe83f727bfb8734fbd5fed424e24885de58d456 (patch)
treec6e4c02ab3bfae8fa6b90e437a008e48bc7b7eab
parent3ba1a36ad812171629b91f5a49e486b2529c22a2 (diff)
msm: camera: Fix invalid access of vb2 buffer
vb2 buffers in camera generic buffer manager should be accessed only in get buff on success. In other calls we should not access without validation of the buffer which is done only as part of msm vb2 driver. CRs-Fixed: 2007389 Change-Id: Iae57ca1389ebc5ffd0a4a88e132ad30b205f7c9e Signed-off-by: Hariram Purushothaman <hariramp@codeaurora.org>
-rw-r--r--drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c11
1 files changed, 4 insertions, 7 deletions
diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
index 730f8b32ff1a..76a7c6942c68 100644
--- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -149,10 +149,7 @@ static int32_t msm_buf_mngr_buf_done(struct msm_buf_mngr_device *buf_mngr_dev,
list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {
if ((bufs->session_id == buf_info->session_id) &&
(bufs->stream_id == buf_info->stream_id) &&
- (bufs->vb2_v4l2_buf->vb2_buf.index ==
- buf_info->index)) {
- bufs->vb2_v4l2_buf->sequence = buf_info->frame_id;
- bufs->vb2_v4l2_buf->timestamp = buf_info->timestamp;
+ (bufs->index == buf_info->index)) {
ret = buf_mngr_dev->vb2_ops.buf_done
(bufs->vb2_v4l2_buf,
buf_info->session_id,
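Review bot: The lookup in msm_buf_mngr_buf_done now matches on `bufs->index`, but `bufs->vb2_v4l2_buf` is still passed to `vb2_ops.buf_done` as a cached pointer, so safety rests entirely on the callee validating it before any dereference; the `put_buf` hunk below follows the same pattern. Nothing in this diff shows where `bufs->index` is populated, so it is worth confirming that the get-buf path sets it only after a successful lookup. A comment above the comparison would keep later edits from reintroducing the dereference, for example `/* vb2_v4l2_buf is only a handle here; the vb2 driver validates it before use, so do not dereference it in this file */`. With the `sequence` and `timestamp` stores removed, the frame id and timestamp must now reach the buffer through the callback; its remaining arguments lie outside the hunk, so please confirm they carry `buf_info->frame_id` and `buf_info->timestamp`. The function body begins and ends outside the hunk.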
@@ -181,7 +178,7 @@ static int32_t msm_buf_mngr_put_buf(struct msm_buf_mngr_device *buf_mngr_dev,
list_for_each_entry_safe(bufs, save, &buf_mngr_dev->buf_qhead, entry) {
if ((bufs->session_id == buf_info->session_id) &&
(bufs->stream_id == buf_info->stream_id) &&
- (bufs->vb2_v4l2_buf->vb2_buf.index == buf_info->index)) {
+ (bufs->index == buf_info->index)) {
ret = buf_mngr_dev->vb2_ops.put_buf(bufs->vb2_v4l2_buf,
buf_info->session_id, buf_info->stream_id);
list_del_init(&bufs->entry);
@@ -214,7 +211,7 @@ static int32_t msm_generic_buf_mngr_flush(
buf_info->session_id,
buf_info->stream_id, 0, &ts, 0);
pr_err("Bufs not flushed: str_id = %d buf_index = %d ret = %d\n",
- buf_info->stream_id, bufs->vb2_v4l2_buf->vb2_buf.index,
+ buf_info->stream_id, bufs->index,
ret);
list_del_init(&bufs->entry);
kfree(bufs);