From 7ca6a56b118fef2d3716586ad8124be7c830f6d5 Mon Sep 17 00:00:00 2001
From: Sourabh Soni
Date: Tue, 30 Jan 2024 14:37:56 +0530
Subject: [PATCH] msm: camera: common: Prevent NULL access in ISP & Sensor driver
Null arguments in ISP and Sensor drivers during init and deinit calls can result in invalid dereferences impacting the stability. This commit adds checks to handle such invalid arguments.
CRs-Fixed: 3711570
Change-Id: I08727201f787af0d5bc5dbe85acea03bb4db247c
Signed-off-by: Sourabh Soni
---
 drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c | 6 +++---
 .../vfe_hw/vfe_top/cam_vfe_camif_lite_ver3.c | 12 ++++++------
 drivers/cam_sensor_module/cam_cci/cam_cci_soc.c | 17 +++++++++++++----
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c b/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
index 4f0d951a6b..483640cf76 100644
--- a/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
+++ b/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -14188,8 +14188,7 @@ static int cam_ife_mgr_cmd(void *hw_mgr_priv, void *cmd_args)
 int rc = 0;
 struct cam_hw_cmd_args *hw_cmd_args = cmd_args;
 struct cam_ife_hw_mgr *hw_mgr = hw_mgr_priv;
- struct cam_ife_hw_mgr_ctx *ctx = (struct cam_ife_hw_mgr_ctx *)
- hw_cmd_args->ctxt_to_hw_map;
+ struct cam_ife_hw_mgr_ctx *ctx = NULL;
 struct cam_isp_hw_cmd_args *isp_hw_cmd_args = NULL;
 struct cam_packet *packet;
 unsigned long rem_jiffies = 0;
@@ -14200,6 +14199,7 @@ static int cam_ife_mgr_cmd(void *hw_mgr_priv, void *cmd_args)
 return -EINVAL;
 }
+ ctx = (struct cam_ife_hw_mgr_ctx *)hw_cmd_args->ctxt_to_hw_map;
 if (!ctx || !ctx->flags.ctx_in_use) {
 CAM_ERR(CAM_ISP, "Fatal: Invalid context is used");
 return -EPERM;
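Review bot: In cam_ife_mgr_cmd, the relocated `ctx = (struct cam_ife_hw_mgr_ctx *)hw_cmd_args->ctxt_to_hw_map;` is only safe if the guard directly above it rejects a NULL `cmd_args`; that guard's condition is outside the hunk, and only its `return -EINVAL; }` tail is visible. If it tests `hw_mgr_priv` alone, the dereference this commit sets out to remove is still reachable, so the condition should read along the lines of `if (!hw_mgr_priv || !cmd_args)`. A short comment on the assignment, e.g. `/* cmd_args validated above; do not hoist into the declarations */`, would stop a later cleanup from reintroducing the early dereference. The function body starts before and continues past both hunks.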
diff --git a/drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_camif_lite_ver3.c b/drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_camif_lite_ver3.c
index 7562eb0e5c..a1e55aee68 100644
--- a/drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_camif_lite_ver3.c
+++ b/drivers/cam_isp/isp_hw_mgr/isp_hw/vfe_hw/vfe_top/cam_vfe_camif_lite_ver3.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2019-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include
@@ -1304,6 +1304,11 @@ int cam_vfe_camif_lite_ver3_deinit(
 camif_lite_node->res_priv;
 int i = 0;
+ if (!camif_lite_priv) {
+ CAM_ERR(CAM_ISP, "Error! camif_priv is NULL");
+ return -ENODEV;
+ }
+
 CAM_DBG(CAM_ISP, "VFE:%d CAMIF LITE:%d %s Deinit", camif_lite_node->hw_intf->hw_idx, camif_lite_node->res_id, camif_lite_node->res_name);
@@ -1320,11 +1325,6 @@ int cam_vfe_camif_lite_ver3_deinit(
 camif_lite_node->res_priv = NULL;
- if (!camif_lite_priv) {
- CAM_ERR(CAM_ISP, "Error. camif_priv is NULL");
- return -ENODEV;
- }
-
 kfree(camif_lite_priv);
 return 0;
diff --git a/drivers/cam_sensor_module/cam_cci/cam_cci_soc.c b/drivers/cam_sensor_module/cam_cci/cam_cci_soc.c
index 25a718fe8b..e670980c65 100644
--- a/drivers/cam_sensor_module/cam_cci/cam_cci_soc.c
+++ b/drivers/cam_sensor_module/cam_cci/cam_cci_soc.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include "cam_cci_dev.h"
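Review bot: cam_vfe_camif_lite_ver3_deinit still dereferences `camif_lite_node` in the declaration initialiser (`camif_lite_node->res_priv;`, first context line of the -1304 hunk) before any statement can run, so the added `!camif_lite_priv` test does not cover a NULL node. Following the pattern this commit applies to cam_ife_mgr_cmd, initialise `camif_lite_priv` to NULL, add `if (!camif_lite_node) return -EINVAL;`, and only then assign from `camif_lite_node->res_priv`. Separately, the early return now skips `camif_lite_node->res_priv = NULL;` and whatever teardown sits between the two hunks (not visible here), which the old placement still executed on the NULL path; please confirm that is intended. The function's signature and the start of its body are outside the hunk.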
@@ -125,12 +125,21 @@ int cam_cci_init(struct v4l2_subdev *sd,
 master = c_ctrl->cci_info->cci_i2c_master;
 soc_info = &cci_dev->soc_info;
+
+ if (!soc_info) {
+ CAM_ERR(CAM_CCI,
+ "CCI%d_I2C_M%d failed: invalid params soc_info:%pK",
+ cci_dev->soc_info.index, master, soc_info);
+ rc = -EINVAL;
+ return rc;
+ }
+
 base = soc_info->reg_map[0].mem_base;
- if (!soc_info || !base) {
+ if (!base) {
 CAM_ERR(CAM_CCI,
- "CCI%d_I2C_M%d failed: invalid params soc_info:%pK, base:%pK",
- cci_dev->soc_info.index, master, soc_info, base);
+ "CCI%d_I2C_M%d failed: invalid params base:%pK",
+ cci_dev->soc_info.index, master, base);
 rc = -EINVAL;
 return rc;
 }
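Review bot: The added `if (!soc_info)` branch in cam_cci_init cannot be taken, because `soc_info` is `&cci_dev->soc_info`, the address of a struct member, which is non-NULL for any valid `cci_dev`; the branch's own log call also reads `cci_dev->soc_info.index`. The pointers that can actually be NULL here are `cci_dev` and `c_ctrl->cci_info`, and the latter is already dereferenced on the first context line (`master = c_ctrl->cci_info->cci_i2c_master;`) before this check. Unless both are validated earlier in the function (outside this hunk), replace the new block with a guard ahead of that line, e.g. `if (!cci_dev || !c_ctrl || !c_ctrl->cci_info) return -EINVAL;`. The remaining `!base` test is the one that does real work, and the function continues past the end of the hunk.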