From 5992dd48855d24ae91ff4e7b1f7491474e645826 Mon Sep 17 00:00:00 2001
From: Jigar Agrawal
Date: Thu, 8 Apr 2021 18:45:06 -0700
Subject: [PATCH] msm: camera: common: Fix NULL pointer dereference

Set the debugfs root entry pointer to null after recursive remove at unbinding to prevent null pointer dereference by kernel followed by kernel panic. Also, add checks to avoid null pointer dereference.

CRs-Fixed: 2920490
Change-Id: I5a4f44f3d8f533f3a51e108472d5ccf93c261a98
Signed-off-by: Jigar Agrawal
---
 .../isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c | 5 +++++
 drivers/cam_req_mgr/cam_req_mgr_debug.c | 3 ++-
 drivers/cam_sensor_module/cam_cci/cam_cci_dev.c | 3 ++-
 drivers/cam_sensor_module/cam_res_mgr/cam_res_mgr.c | 5 +++--
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/cam_isp/isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c b/drivers/cam_isp/isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c
index ec162f20ec..b3cdece149 100644
--- a/drivers/cam_isp/isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c
+++ b/drivers/cam_isp/isp_hw_mgr/hw_utils/irq_controller/cam_irq_controller.c
@@ -111,6 +111,11 @@ int cam_irq_controller_deinit(void **irq_controller)
 struct cam_irq_controller *controller = *irq_controller;
 struct cam_irq_evt_handler *evt_handler = NULL;
+ if (!controller) {
+ CAM_ERR(CAM_IRQ_CTRL, "Null Pointer");
+ return -EINVAL;
+ }
+
 while (!list_empty(&controller->evt_handler_list_head)) {
 evt_handler = list_first_entry(
 &controller->evt_handler_list_head,
diff --git a/drivers/cam_req_mgr/cam_req_mgr_debug.c b/drivers/cam_req_mgr/cam_req_mgr_debug.c
index aa58d52d1e..67a2bd2665 100644
--- a/drivers/cam_req_mgr/cam_req_mgr_debug.c
+++ b/drivers/cam_req_mgr/cam_req_mgr_debug.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
 */
 #include "cam_req_mgr_debug.h"
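Review bot: In cam_irq_controller_deinit() the added `if (!controller)` check guards only the value stored in `*irq_controller`; the initializer `struct cam_irq_controller *controller = *irq_controller;` on the context line above it still dereferences `irq_controller` itself before anything is checked. If any caller can pass a NULL handle (not visible in this hunk), the guard would be stronger as `if (!irq_controller || !*irq_controller)` with the assignment `controller = *irq_controller;` moved below it. The log text `"Null Pointer"` also does not say which argument was bad; `"Invalid irq_controller"` would make the error actionable. The function body continues past the end of the hunk.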
@@ -147,6 +147,7 @@ end:
 int cam_req_mgr_debug_unregister(void)
 {
 debugfs_remove_recursive(debugfs_root);
+ debugfs_root = NULL;
 return 0;
 }
diff --git a/drivers/cam_sensor_module/cam_cci/cam_cci_dev.c b/drivers/cam_sensor_module/cam_cci/cam_cci_dev.c
index 1750fa1681..4a1ea9f93a 100644
--- a/drivers/cam_sensor_module/cam_cci/cam_cci_dev.c
+++ b/drivers/cam_sensor_module/cam_cci/cam_cci_dev.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
 */
 #include "cam_cci_dev.h"
@@ -548,6 +548,7 @@ static void cam_cci_component_unbind(struct device *dev,
 cam_cpas_unregister_client(cci_dev->cpas_handle);
 debugfs_remove_recursive(debugfs_root);
+ debugfs_root = NULL;
 cam_cci_soc_remove(pdev, cci_dev);
 rc = cam_unregister_subdev(&(cci_dev->v4l2_dev_str));
 if (rc < 0)
diff --git a/drivers/cam_sensor_module/cam_res_mgr/cam_res_mgr.c b/drivers/cam_sensor_module/cam_res_mgr/cam_res_mgr.c
index 5165f6b2d1..69d4de9f10 100644
--- a/drivers/cam_sensor_module/cam_res_mgr/cam_res_mgr.c
+++ b/drivers/cam_sensor_module/cam_res_mgr/cam_res_mgr.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
 */
 #include
@@ -932,7 +932,8 @@ static void cam_res_mgr_component_unbind(struct device *dev,
 {
 if (cam_res) {
 cam_res_mgr_free_res();
- devm_pinctrl_put(cam_res->pinctrl);
+ if (cam_res->pinctrl)
+ devm_pinctrl_put(cam_res->pinctrl);
 cam_res->pinctrl = NULL;
 cam_res->pstatus = PINCTRL_STATUS_PUT;
 kfree(cam_res);
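Review bot: The `debugfs_root = NULL;` added in cam_req_mgr_debug_unregister() (and the identical line in cam_cci_component_unbind() in cam_cci_dev.c) deserves a comment, because the hazard it removes is a stale pointer rather than a NULL one: after `debugfs_remove_recursive()` the dentry is gone, and a repeated unbind or any later use of the old value would operate on freed memory. I would add `/* dentry was freed above; clear the stale pointer so a repeated unbind or later debugfs use does not touch it */` above each assignment. The clear is a plain store to what appears to be a file-scope variable, so any other path that reads `debugfs_root` presumably relies on bind and unbind being serialized; that is not visible in these hunks and is worth confirming. In cam_cci_dev.c the variable is not reached through `cci_dev`, so it looks shared rather than per-device, in which case unbinding one CCI instance removes the directory for the others too.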
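Review bot: In cam_res_mgr_component_unbind() the new `if (cam_res->pinctrl)` test filters only NULL, while the pinctrl get functions report failure with an ERR_PTR value; if the probe path can leave such a value in `cam_res->pinctrl` (not visible in this hunk), `devm_pinctrl_put()` is still called on it. `if (!IS_ERR_OR_NULL(cam_res->pinctrl))` covers both cases. The hunk ends at `kfree(cam_res);` and the function continues outside it, so it is also worth checking that the global `cam_res` is itself set to NULL after the free, in line with what this commit does for `debugfs_root`.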