capture-isp: Fix allocations for unpins_list

When allocating a memory for a list of pinned buffers, capture-isp wrongly uses size of a pointer to "unpin" element instead of a size of element itself. As a result, allocation size is too small to fit all possible unpin buffer elements for a longer ISP capture requests, resulting in out-of-bound array access. Use full capture element size when calculating a total size of unpins_list allocation. Bug 3272255 Change-Id: I9fc96787c84d18e9416ce374540374c99bb5c7fc Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2495613 Signed-off-by: Kirill Artamonov <kartamonov@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2545371 Reviewed-by: svcacv <svcacv@nvidia.com> Reviewed-by: Igor Mitsyanko <imitsyanko@nvidia.com> Reviewed-by: Semi Malinen <smalinen@nvidia.com> Reviewed-by: Pekka Pessi <ppessi@nvidia.com> Reviewed-by: Mika Liljeberg <mliljeberg@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: Igor Mitsyanko <imitsyanko@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com> GVS: Gerrit_Virtual_Submit
author: Kirill Artamonov <kartamonov@nvidia.com> 2021-06-15 09:39:18 -0400
committer: mobile promotions <svcmobile_promotions@nvidia.com> 2021-06-21 04:55:08 -0400
commit: a3e0092daa86331377677f31cac622c04e7a184d (patch)
tree: ae60463d02adb997ad258a49cb48687da5a9d52a
parent: 6e262c637e5116e3057b73788c02358bafe2b725 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/tegra/camera/isp/capture_isp.c b/drivers/media/platform/tegra/camera/isp/capture_isp.c
index e399df22b..1da564bab 100644
--- a/drivers/media/platform/tegra/camera/isp/capture_isp.c
+++ b/drivers/media/platform/tegra/camera/isp/capture_isp.c
@@ -476,7 +476,7 @@ int isp_capture_setup(struct tegra_isp_channel *chan,
        /* allocate isp capture desc unpin list based on queue depth */
        capture->capture_desc_ctx.unpins_list = vzalloc(
                capture->capture_desc_ctx.queue_depth *
-                        sizeof(struct capture_common_unpins *));
+                        sizeof(*capture->capture_desc_ctx.unpins_list));
        if (unlikely(capture->capture_desc_ctx.unpins_list == NULL)) {
                dev_err(chan->isp_dev, "failed to allocate unpins array\n");
@@ -514,7 +514,7 @@ int isp_capture_setup(struct tegra_isp_channel *chan,
        /* allocate isp program unpin list based on queue depth */
        capture->program_desc_ctx.unpins_list = vzalloc(
                        capture->program_desc_ctx.queue_depth *
-                                sizeof(struct capture_common_unpins *));
+                         sizeof(*capture->program_desc_ctx.unpins_list));
        if (unlikely(capture->program_desc_ctx.unpins_list == NULL)) {
                dev_err(chan->isp_dev,
author	Kirill Artamonov <kartamonov@nvidia.com>	2021-06-15 09:39:18 -0400
committer	mobile promotions <svcmobile_promotions@nvidia.com>	2021-06-21 04:55:08 -0400
commit	a3e0092daa86331377677f31cac622c04e7a184d (patch)
tree	ae60463d02adb997ad258a49cb48687da5a9d52a
parent	6e262c637e5116e3057b73788c02358bafe2b725 (diff)

diff --git a/drivers/media/platform/tegra/camera/isp/capture_isp.c b/drivers/media/platform/tegra/camera/isp/capture_isp.c index e399df22b..1da564bab 100644 --- a/drivers/media/platform/tegra/camera/isp/capture_isp.c +++ b/drivers/media/platform/tegra/camera/isp/capture_isp.c
@@ -476,7 +476,7 @@ int isp_capture_setup(struct tegra_isp_channel *chan,
476	/* allocate isp capture desc unpin list based on queue depth */	476	/* allocate isp capture desc unpin list based on queue depth */
477	capture->capture_desc_ctx.unpins_list = vzalloc(	477	capture->capture_desc_ctx.unpins_list = vzalloc(
478	capture->capture_desc_ctx.queue_depth *	478	capture->capture_desc_ctx.queue_depth *
479	sizeof(struct capture_common_unpins *));	479	sizeof(*capture->capture_desc_ctx.unpins_list));
480		480
481	if (unlikely(capture->capture_desc_ctx.unpins_list == NULL)) {	481	if (unlikely(capture->capture_desc_ctx.unpins_list == NULL)) {
482	dev_err(chan->isp_dev, "failed to allocate unpins array\n");	482	dev_err(chan->isp_dev, "failed to allocate unpins array\n");
@@ -514,7 +514,7 @@ int isp_capture_setup(struct tegra_isp_channel *chan,
514	/* allocate isp program unpin list based on queue depth */	514	/* allocate isp program unpin list based on queue depth */
515	capture->program_desc_ctx.unpins_list = vzalloc(	515	capture->program_desc_ctx.unpins_list = vzalloc(
516	capture->program_desc_ctx.queue_depth *	516	capture->program_desc_ctx.queue_depth *
517	sizeof(struct capture_common_unpins *));	517	sizeof(*capture->program_desc_ctx.unpins_list));
518		518
519	if (unlikely(capture->program_desc_ctx.unpins_list == NULL)) {	519	if (unlikely(capture->program_desc_ctx.unpins_list == NULL)) {
520	dev_err(chan->isp_dev,	520	dev_err(chan->isp_dev,