Merge tag 'camera-kernel.qclinux.1.0-251125' into 0_0

* tag 'camera-kernel.qclinux.1.0-251125':
  msm: camera: sensor: enable sensor config flags for qcs615
  msm: camera: ope: Avoid UAF in ope driver
  msm: camera: isp: Fix for Init Config Handling on Offline IFE Hardware
  msm: camera: utils: Validate buffer offset properly during dump
  msm: camera: common: synchronization in CRM close and subdev register
  msm: camera: sensor: fix of graph error for sensor endpoint
  msm: camera: reqmgr: adding support sched_req ver3
  msm: camera: uapi: new structure for SAT frame sync
  msm: camera: tpg: fix issue when create debugfs for tpg
  msm: camera: common: Added qcs615 in Makefile
  msm: camera: lrme: Fix compilation issues in LRME driver
  msm: camera: common: Add config file for QCS615
  msm: camera: ope: Fix OOB write in cam_cdm_write_regrandom
  msm: camera: cci: Add sysfs utility to control cci and sensor powerup
  Revert "msm: camera: isp: Test code to simulate a SOF freeze scenario"
  msm: camera: flash: Copy flash info to avoid TOCTOU
  msm: camera: isp: Test code to simulate a SOF freeze scenario
  msm: camera: sensor: Validate packet to prevent OOB access
  msm: camera: cre: Fix out-of-bounds access in cre hw manager
  msm: camera: jpeg: Fix potential out of bound access for jpeg cmd buffer
  msm: camera: flash: Add support for I2C flash
  msm: camera: cam_req: Added support to extend delay during SOF Freeze

Change-Id: If6591a7ac91ce0f9d3f23e26b0ceb10c27ecec9d
Signed-off-by: Chandan Kumar Jha <cjha@qti.qualcomm.com>

Author: cjha01

Kbuild

@@ -659,6 +659,9 @@ camera_$(CAMERA_ARCH)-$(CONFIG_SPECTRA_TFE) += \
 	camera/drivers/cam_isp/isp_hw_mgr/isp_hw/tfe_csid_hw/cam_tfe_csid.o \
 	camera/drivers/cam_isp/isp_hw_mgr/cam_tfe_hw_mgr.o
 
+camera_$(CAMERA_ARCH)-$(CONFIG_SPECTRA_SENSOR_SYSFS_UTIL) += \
+	camera/drivers/cam_sensor_module/cam_cci/cam_cci_sysfs_util.o
+
 camera_$(CAMERA_ARCH)-y += camera/drivers/camera_main.o
 
 obj-m += camera_$(CAMERA_ARCH).o

camera/drivers/cam_cre/cam_cre_hw_mgr/cam_cre_hw_mgr.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2025, Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  */
 
 #include <linux/mutex.h>
@@ -137,6 +137,13 @@ static int cam_cre_mgr_process_cmd_io_buf_req(struct cam_cre_hw_mgr *hw_mgr,
 	struct   cam_buf_io_cfg *io_cfg_ptr = NULL;
 	struct   cam_cre_io_buf_info *acq_io_buf;
 
+	if (!ctx_data->cre_acquire.batch_size ||
+		(ctx_data->cre_acquire.batch_size > CRE_MAX_BATCH_SIZE)) {
+		CAM_ERR(CAM_CRE, "Invalid batch_size: %u ctx id: %u max_batch_size: %u",
+			ctx_data->cre_acquire.batch_size, ctx_data->ctx_id, CRE_MAX_BATCH_SIZE);
+		return -EINVAL;
+	}
+
 	io_cfg_ptr = (struct cam_buf_io_cfg *)((uint32_t *)&packet->payload_flex +
 			packet->io_configs_offset / 4);
 
@@ -163,6 +170,17 @@ static int cam_cre_mgr_process_cmd_io_buf_req(struct cam_cre_hw_mgr *hw_mgr,
 			}
 
 			io_buf = cre_request->io_buf[i][j];
+
+			if (!acq_io_buf->num_planes ||
+				(acq_io_buf->num_planes > CAM_PACKET_MAX_PLANES)) {
+				CAM_ERR(CAM_CRE,
+					"i %d j %d res_type %d Invalid num_planes: %u ctx id: %u max_planes: %u",
+					i, j, acq_io_buf->res_id, acq_io_buf->num_planes,
+					ctx_data->ctx_id, CAM_PACKET_MAX_PLANES);
+				cam_cre_free_io_config(cre_request);
+				return -EINVAL;
+			}
+
 			io_buf->num_planes = acq_io_buf->num_planes;
 			io_buf->resource_type = acq_io_buf->res_id;
 			io_buf->direction = acq_io_buf->direction;

camera/drivers/cam_isp/cam_isp_context.c

@@ -4356,6 +4356,9 @@ static int __cam_isp_ctx_handle_error(struct cam_isp_context *ctx_isp,
 	__cam_isp_ctx_notify_error_util(CAM_TRIGGER_POINT_SOF, error,
 		error_request_id, ctx_isp);
 
+	if (ctx_isp->isp_external_recovery)
+		req_mgr_err_code = CAM_REQ_MGR_ISP_FATAL_ERROR;
+
 	/*
 	 * Need to send error occurred in KMD
 	 * This will help UMD to take necessary action
@@ -7160,6 +7163,7 @@ static int __cam_isp_ctx_release_dev_in_top_state(struct cam_context *ctx,
 	ctx_isp->req_info.last_bufdone_req_id = 0;
 	ctx_isp->v4l2_event_sub_ids = 0;
 	ctx_isp->resume_hw_in_flushed = false;
+	ctx_isp->isp_external_recovery = false;
 
 	atomic64_set(&ctx_isp->dbg_monitors.state_monitor_head, -1);
 	atomic64_set(&ctx_isp->dbg_monitors.frame_monitor_head, -1);
@@ -9062,7 +9066,7 @@ static int __cam_isp_ctx_process_evt(struct cam_context *ctx,
 	struct cam_isp_context *ctx_isp =
 		(struct cam_isp_context *) ctx->ctx_priv;
 
-	if ((ctx->state == CAM_CTX_ACQUIRED) &&
+	if ((ctx->state == CAM_CTX_ACQUIRED || ctx->state == CAM_CTX_READY) &&
 		(link_evt_data->evt_type != CAM_REQ_MGR_LINK_EVT_UPDATE_PROPERTIES)) {
 		CAM_WARN(CAM_ISP,
 			"Get unexpect evt:%d in acquired state, ctx: %u on link: 0x%x",
@@ -9102,12 +9106,17 @@ static int __cam_isp_ctx_process_evt(struct cam_context *ctx,
 		break;
 	case CAM_REQ_MGR_LINK_EVT_UPDATE_PROPERTIES:
 		if (link_evt_data->u.properties_mask &
+			CAM_LINK_PROPERTY_SENSOR_EXTERNAL_RECOVERY)
+			ctx_isp->isp_external_recovery = true;
+		else if (link_evt_data->u.properties_mask &
 			CAM_LINK_PROPERTY_SENSOR_STANDBY_AFTER_EOF)
 			ctx_isp->vfps_aux_context = true;
 		else
 			ctx_isp->vfps_aux_context = false;
-		CAM_DBG(CAM_ISP, "vfps_aux_context:%s on ctx: %u link: 0x%x",
-			CAM_BOOL_TO_YESNO(ctx_isp->vfps_aux_context), ctx->ctx_id, ctx->link_hdl);
+		CAM_DBG(CAM_ISP, "vfps_aux_context:%s external recovery:%s on ctx: %u link: 0x%x",
+			CAM_BOOL_TO_YESNO(ctx_isp->vfps_aux_context),
+			CAM_BOOL_TO_YESNO(ctx_isp->isp_external_recovery),
+			ctx->ctx_id, ctx->link_hdl);
 		break;
 	default:
 		CAM_WARN(CAM_ISP,
@@ -9502,6 +9511,7 @@ static struct cam_ctx_ops
 			.unlink = __cam_isp_ctx_unlink_in_ready,
 			.get_dev_info = __cam_isp_ctx_get_dev_info,
 			.flush_req = __cam_isp_ctx_flush_req_in_ready,
+			.process_evt = __cam_isp_ctx_process_evt,
 			.dump_req = __cam_isp_ctx_dump_in_top_state,
 		},
 		.irq_ops = NULL,

camera/drivers/cam_isp/cam_isp_context.h

@@ -431,6 +431,7 @@ struct cam_isp_fcg_prediction_tracker {
  * @flush_in_progress          indicates whether flush is in progress
  * @bubble_recover_dis:        Bubble recovery disabled
  * @sfe_en:                    Indicates if SFE is being used
+ * @isp_external_recovery:     Indicates if external recovery enabled
  */
 struct cam_isp_context {
 	struct cam_context              *base;
@@ -500,6 +501,7 @@ struct cam_isp_context {
 	struct mutex                          isp_mutex;
 	bool                                  bubble_recover_dis;
 	bool                                  sfe_en;
+	bool                                  isp_external_recovery;
 };
 
 /**

camera/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c

@@ -8108,7 +8108,7 @@ int cam_ife_mgr_config_hw(
 					c_ctx->curr_num_exp = hw_update_data->num_exp;
 				}
 				hw_update_data->mup_en = false;
-
+				c_ctx->flags.init_cfg_done = true;
 				/* Try for INIT packet reg dump by default - no debugfs set */
 				if (cfg->init_packet && !g_ife_hw_mgr.debug_cfg.per_req_reg_dump)
 					cam_ife_mgr_handle_reg_dump(hw_mgr_ctx,
@@ -8489,6 +8489,7 @@ static int cam_ife_mgr_stop_hw(void *hw_mgr_priv, void *stop_hw_args)
 end:
 	c_ctx->flags.dump_on_error = false;
 	c_ctx->flags.dump_on_flush = false;
+	c_ctx->flags.init_cfg_done = false;
 	return rc;
 }
 

camera/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.h

@@ -208,6 +208,7 @@ struct cam_ife_hw_mgr_ctx_scratch_buf_info {
  * @rdi_pd_context:      Flag to specify the context has
  *                       only rdi and PD resource without PIX port.
  * @per_port_en:         Indicates if per port feature is enabled or not
+ * @init_cfg_done:       indicate whether init configuration for hw is done or not.
 
  */
 struct cam_ife_hw_mgr_ctx_flags {
@@ -231,6 +232,7 @@ struct cam_ife_hw_mgr_ctx_flags {
 	bool   sys_cache_usage[CAM_LLCC_MAX];
 	bool   rdi_pd_context;
 	bool   per_port_en;
+	bool   init_cfg_done;
 };
 
 /**

camera/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr_addons.c

@@ -183,8 +183,15 @@ int cam_ife_mgr_check_start_processing(void *hw_mgr_priv,
 		list_for_each_entry_safe(c_elem, c_elem_temp,
 				&ife_hw_mgr->input_queue.list, list) {
 			is_init_pkt =
-				((c_elem->prepare.packet->header.op_code + 1) &
-					0xF) == CAM_ISP_PACKET_INIT_DEV;
+				(((c_elem->prepare.packet->header.op_code + 1) & 0xF) ==
+					CAM_ISP_PACKET_INIT_DEV);
+			if ((c_ctx->flags.init_cfg_done && is_init_pkt) ||
+				(!(c_ctx->flags.init_cfg_done) && !(is_init_pkt))) {
+				CAM_DBG(CAM_ISP, "#REJECT#: %s ctx id %d hw_id %d",
+				c_ctx->flags.init_cfg_done ? "Init already done" : "Init not done",
+				c_ctx->ctx_index, c_ctx->acquired_hw_id);
+				continue;
+			}
 			if (c_ctx->waiting_start &&
 				c_elem->ctx_idx != c_ctx->start_ctx_idx) {
 				CAM_DBG(CAM_ISP,

camera/drivers/cam_isp/isp_hw_mgr/isp_hw/ife_csid_hw/cam_ife_csid_hw_ver2.c

@@ -5560,7 +5560,7 @@ static int cam_ife_csid_ver2_deinit_hw(void *hw_priv,
 		return -EINVAL;
 	}
 
-	if (res->res_state == CAM_ISP_RESOURCE_STATE_RESERVED) {
+	if (res->res_state <= CAM_ISP_RESOURCE_STATE_RESERVED) {
 		CAM_DBG(CAM_ISP, "CSID:%u Res:%d already in De-init state",
 			csid_hw->hw_intf->hw_idx,
 			res->res_id);

camera/drivers/cam_jpeg/jpeg_hw/cam_jpeg_hw_mgr.c

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2025, Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
  */
 
 #include <linux/uaccess.h>
@@ -687,8 +687,8 @@ static int cam_jpeg_insert_cdm_change_base(
 		return rc;
 	}
 
-	if (config_args->hw_update_entries[CAM_JPEG_CHBASE_CMD_BUFF_IDX].offset >=
-		ch_base_len) {
+	if ((config_args->hw_update_entries[CAM_JPEG_CHBASE_CMD_BUFF_IDX].offset +
+		(2 * sizeof(uint32_t))) >= ch_base_len) {
 		CAM_ERR(CAM_JPEG, "Not enough buf offset %d len %d",
 			config_args->hw_update_entries[CAM_JPEG_CHBASE_CMD_BUFF_IDX].offset,
 			ch_base_len);

camera/drivers/cam_lrme/cam_lrme_context.c

@@ -231,7 +231,7 @@ static struct cam_ctx_ops
 int cam_lrme_context_init(struct cam_lrme_context *lrme_ctx,
 	struct cam_context *base_ctx,
 	struct cam_hw_mgr_intf *hw_intf,
-	uint32_t index
+	uint32_t index,
 	int img_iommu_hdl)
 {
 	int rc = 0;