123 lines
4.8 KiB
Diff
123 lines
4.8 KiB
Diff
From c46b2ecd901a12867d0dd91ae019f4b7256bcfec Mon Sep 17 00:00:00 2001
|
|
From: Haibin Liu <haibinl@codeaurora.org>
|
|
Date: Wed, 9 Aug 2017 16:26:41 +0800
|
|
Subject: [PATCH] msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG
|
|
|
|
Issue:
|
|
the invalid slave_info is used by msm_sensor_driver_probe.
|
|
This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.
|
|
|
|
Fix:
|
|
1) avoid the same msm_sd_subdev added into the ordered_sd_list.
|
|
2) enlarge the buffer size for i2c addr and data.
|
|
|
|
Bug: 36492827
|
|
Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
|
|
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
|
|
---
|
|
drivers/media/platform/msm/camera_v2/msm.c | 5 +++++
|
|
.../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 5 +++--
|
|
.../msm/camera_v2/sensor/msm_sensor_driver.c | 25 ++++++++++++++--------
|
|
3 files changed, 24 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/drivers/media/platform/msm/camera_v2/msm.c b/drivers/media/platform/msm/camera_v2/msm.c
|
|
index e517f0f589ce6..47ba2f99dd001 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/msm.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/msm.c
|
|
@@ -334,6 +334,11 @@ static void msm_add_sd_in_position(struct msm_sd_subdev *msm_subdev,
|
|
struct msm_sd_subdev *temp_sd;
|
|
|
|
list_for_each_entry(temp_sd, sd_list, list) {
|
|
+ if (temp_sd == msm_subdev) {
|
|
+ pr_err("%s :Fail to add the same sd %d\n",
|
|
+ __func__, __LINE__);
|
|
+ return;
|
|
+ }
|
|
if (msm_subdev->close_seq < temp_sd->close_seq) {
|
|
list_add_tail(&msm_subdev->list, &temp_sd->list);
|
|
return;
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
index 877021edc776d..4243005beff50 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
|
|
@@ -17,7 +17,8 @@
|
|
#undef CDBG
|
|
#define CDBG(fmt, args...) pr_debug(fmt, ##args)
|
|
#define S_I2C_DBG(fmt, args...) pr_debug(fmt, ##args)
|
|
-
|
|
+#define MAX_I2C_ADDR_TYPE_SIZE (MSM_CAMERA_I2C_3B_ADDR + 1)
|
|
+#define MAX_I2C_DATA_TYPE_SIZE (MSM_CAMERA_I2C_SET_BYTE_WRITE_MASK_DATA + 1)
|
|
#define I2C_COMPARE_MATCH 0
|
|
#define I2C_COMPARE_MISMATCH 1
|
|
#define I2C_POLL_MAX_ITERATION 20
|
|
@@ -27,7 +28,7 @@ int32_t msm_camera_cci_i2c_read(struct msm_camera_i2c_client *client,
|
|
enum msm_camera_i2c_data_type data_type)
|
|
{
|
|
int32_t rc = -EFAULT;
|
|
- unsigned char buf[client->addr_type+data_type];
|
|
+ unsigned char buf[MAX_I2C_ADDR_TYPE_SIZE + MAX_I2C_DATA_TYPE_SIZE];
|
|
struct msm_camera_cci_ctrl cci_ctrl;
|
|
|
|
if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR
|
|
diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
|
|
index 5d3c56191e0d4..bd376ffa28c10 100644
|
|
--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
|
|
+++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c
|
|
@@ -1,4 +1,4 @@
|
|
-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
|
|
+/* Copyright (c) 2013-2015,2017 The Linux Foundation. All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 and
|
|
@@ -103,7 +103,11 @@ static int32_t msm_sensor_driver_create_i2c_v4l_subdev
|
|
s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name;
|
|
s_ctrl->sensordata->sensor_info->session_id = session_id;
|
|
s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
|
|
- msm_sd_register(&s_ctrl->msm_sd);
|
|
+ rc = msm_sd_register(&s_ctrl->msm_sd);
|
|
+ if (rc < 0) {
|
|
+ pr_err("failed: msm_sd_register rc %d", rc);
|
|
+ return rc;
|
|
+ }
|
|
CDBG("%s:%d\n", __func__, __LINE__);
|
|
return rc;
|
|
}
|
|
@@ -133,7 +137,11 @@ static int32_t msm_sensor_driver_create_v4l_subdev
|
|
s_ctrl->msm_sd.sd.entity.group_id = MSM_CAMERA_SUBDEV_SENSOR;
|
|
s_ctrl->msm_sd.sd.entity.name = s_ctrl->msm_sd.sd.name;
|
|
s_ctrl->msm_sd.close_seq = MSM_SD_CLOSE_2ND_CATEGORY | 0x3;
|
|
- msm_sd_register(&s_ctrl->msm_sd);
|
|
+ rc = msm_sd_register(&s_ctrl->msm_sd);
|
|
+ if (rc < 0) {
|
|
+ pr_err("failed: msm_sd_register rc %d", rc);
|
|
+ return rc;
|
|
+ }
|
|
msm_sensor_v4l2_subdev_fops = v4l2_subdev_fops;
|
|
#ifdef CONFIG_COMPAT
|
|
msm_sensor_v4l2_subdev_fops.compat_ioctl32 =
|
|
@@ -885,12 +893,6 @@ int32_t msm_sensor_driver_probe(void *setting,
|
|
|
|
pr_err("%s probe succeeded", slave_info->sensor_name);
|
|
|
|
- /*
|
|
- Set probe succeeded flag to 1 so that no other camera shall
|
|
- * probed on this slot
|
|
- */
|
|
- s_ctrl->is_probe_succeed = 1;
|
|
-
|
|
/*
|
|
* Update the subdevice id of flash-src based on availability in kernel.
|
|
*/
|
|
@@ -940,6 +942,11 @@ int32_t msm_sensor_driver_probe(void *setting,
|
|
|
|
msm_sensor_fill_sensor_info(s_ctrl, probed_info, entity_name);
|
|
|
|
+ /*
|
|
+ * Set probe succeeded flag to 1 so that no other camera shall
|
|
+ * probed on this slot
|
|
+ */
|
|
+ s_ctrl->is_probe_succeed = 1;
|
|
return rc;
|
|
|
|
camera_power_down:
|