msm: camera: tfe: Fix several issues involving access violation in TFE

This change fixes issues involving out-of-bounds, uninitialized access and
NULL pointer dereference.
The out-of-bounds access was in cam_tfe_mgr_get_hw_caps_v2, where the
address of the pointer was passed to copy_to_user instead of the pointer itself.
The uninitialized access was in cam_tfe_mgr_get_hw_caps, where query_isp was
passed to copy_to_user without being initialized first.
The NULL pointer dereference was in cam_tfe_process_cmd, which attempted to
print the TFE core index when called with an invalid argument.

CRs-Fixed: 3555879
Change-Id: Ib706eea896a04e1d4e9612e4e763b674c4256e77
Signed-off-by: Abhilash Kumar <quic_krabhi@quicinc.com>
Abhilash Kumar
2023-07-11 11:52:38 +05:30
committed by Alok Chauhan
parent 65c99f19c8
commit 06afbd12b3
2 changed files with 8 additions and 2 deletions


@@ -225,7 +225,7 @@ static int cam_tfe_mgr_get_hw_caps(void *hw_mgr_priv,
uint32_t version = 0;
struct cam_query_cap_cmd *query = hw_caps_args;
struct cam_tfe_hw_mgr *hw_mgr = hw_mgr_priv;
struct cam_isp_tfe_query_cap_cmd query_isp;
struct cam_isp_tfe_query_cap_cmd query_isp = {0};
struct cam_isp_tfe_query_cap_cmd_v2 *query_isp_v2;
query_size = sizeof(struct cam_isp_tfe_query_cap_cmd_v2) +
@@ -317,7 +317,7 @@ static int cam_tfe_mgr_get_hw_caps_v2(void *hw_mgr_priv,
return -EINVAL;
}
if (copy_to_user(u64_to_user_ptr(query->caps_handle), &query_isp_v2,
if (copy_to_user(u64_to_user_ptr(query->caps_handle), query_isp_v2,
(sizeof(struct cam_isp_tfe_query_cap_cmd_v2) + ((query_isp_v2->num_dev - 1)
* sizeof(struct cam_isp_tfe_dev_cap_info))))) {
CAM_ERR(CAM_ISP, "copy to user failed, query cap version %d",
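Review bot: `struct cam_isp_tfe_query_cap_cmd query_isp = {0};` in cam_tfe_mgr_get_hw_caps clears the named members, but C does not guarantee that a brace initializer also clears padding bytes, and the commit message says this stack object is passed to copy_to_user. For a struct that crosses to user space, an explicit `memset(&query_isp, 0, sizeof(query_isp));` before the fields are filled is the safer form, because it covers every byte that will be copied. Whether the struct has padding cannot be checked here, since its definition is not on the page. The function body continues outside the hunk.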


@@ -3460,6 +3460,12 @@ int cam_tfe_process_cmd(void *hw_priv, uint32_t cmd_type,
rc = -EINVAL;
break;
}
if (rc) {
CAM_ERR(CAM_ISP, "TFE: %d error with cmd type: %d",
core_info->core_index, cmd_type);
}
return rc;
}
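Review bot: The `if (rc)` block at the end of cam_tfe_process_cmd still reads `core_info->core_index`, so it is only safe if every path reaching it has already validated `hw_priv` and assigned `core_info`. That guard is outside the hunk, so it should be confirmed that the invalid-argument path returns directly instead of falling through to this print. The block also logs on every non-zero `rc`, so any caller that already logs the failure will produce a duplicate message. Separately, `cmd_type` is `uint32_t` in the signature, so its specifier should be `%u`: `"TFE: %d error with cmd type: %u"`. The +/- markers are lost on this page, so which lines are new is inferred from the hunk header's line counts.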