diff --git a/drivers/media/platform/tegra/cam_fsync/cam_fsync.c b/drivers/media/platform/tegra/cam_fsync/cam_fsync.c
index ae757716..1fed3d65 100644
--- a/drivers/media/platform/tegra/cam_fsync/cam_fsync.c
+++ b/drivers/media/platform/tegra/cam_fsync/cam_fsync.c
@@ -1154,6 +1154,11 @@ static struct fsync_generator_group *cam_fsync_group_init(
 	if (IS_ERR(group))
 		return group;
 
+	if (group == NULL) {
+		dev_err(controller->dev, "Pointer to newly create group struct is NULL\n");
+		return NULL;
+	}
+
 	INIT_LIST_HEAD(&group->generators);
 	INIT_LIST_HEAD(&group->list);
 	group->id = group_id;
@@ -1178,6 +1183,11 @@ static int cam_fsync_create_default_group(struct cam_fsync_controller *controlle
 	struct fsync_generator_group *group = cam_fsync_group_init(controller,
 		TSC_DEFAULT_GROUP_ID);
 
+	if (group == NULL) {
+		dev_err(controller->dev, "Pointer to newly create group struct is NULL\n");
+		return -EINVAL;
+	}
+
 	if (IS_ERR(group))
 		return PTR_ERR(group);
 
diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
index ea4b1855..7db5e3fc 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
@@ -522,6 +522,12 @@ static int isp_capture_setup_prefences(
 		return -ENODEV;
 	}
 
+	if (req == NULL) {
+		dev_err(chan->isp_dev,
+			"%s: NULL isp capture received\n", __func__);
+		return -ENODEV;
+	}
+
 	/* It is valid not to have prefences for given frame capture */
 	if (!req->prefences_relocs.num_relocs)
 		return 0;
diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
index f3cefeeb..74313136 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
@@ -230,7 +230,7 @@ struct tegra_vi_channel *vi_channel_open_ex(
 		goto rcu_err;
 	}
 
-	rcu_assign_pointer(chan_drv->channels[channel], chan);
+	rcu_assign_pointer(chan_drv->channels[channel], (void *)chan);
 	mutex_unlock(&chan_drv->lock);
 
 	return chan;
diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
index dcedd8b6..2b912443 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
@@ -1252,6 +1252,11 @@ int vi_capture_control_message_from_user(
 		return -ENODEV;
 	}
 
+	if (msg == NULL) {
+		dev_err(NULL, "%s: NULL vi capture control message received\n", __func__);
+		return -EINVAL;
+	}
+
 	nv_camera_log(chan->ndev,
 		__arch_counter_get_cntvct(),
 		NVHOST_CAMERA_VI_CAPTURE_SET_CONFIG);
diff --git a/drivers/media/platform/tegra/camera/vi/vi5_fops.c b/drivers/media/platform/tegra/camera/vi/vi5_fops.c
index f7b9c6b8..f9d1906e 100644
--- a/drivers/media/platform/tegra/camera/vi/vi5_fops.c
+++ b/drivers/media/platform/tegra/camera/vi/vi5_fops.c
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0-only
-// SPDX-FileCopyrightText: Copyright (c) 2017-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-FileCopyrightText: Copyright (c) 2016-2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 // Tegra Video Input 5 device common APIs.
 
 #include <linux/errno.h>
@@ -749,6 +749,18 @@ static int tegra_channel_kthread_capture_enqueue(void *data)
 	return 0;
 }
 
+static enum channel_capture_state get_capture_state(
+		struct tegra_channel *chan)
+{
+	enum channel_capture_state capture_state;
+	unsigned long flags;
+
+	spin_lock_irqsave(&chan->capture_state_lock, flags);
+	capture_state = chan->capture_state;
+	spin_unlock_irqrestore(&chan->capture_state_lock, flags);
+	return capture_state;
+}
+
 static int tegra_channel_kthread_capture_dequeue(void *data)
 {
 	int err = 0;
@@ -765,7 +777,7 @@ static int tegra_channel_kthread_capture_dequeue(void *data)
 		wait_event_interruptible(chan->dequeue_wait,
 			(kthread_should_stop()
 				|| !list_empty(&chan->dequeue)
-				|| (chan->capture_state == CAPTURE_ERROR)));
+				|| (get_capture_state(chan) == CAPTURE_ERROR)));
 
 		while (!(kthread_should_stop() || list_empty(&chan->dequeue)
 				|| (chan->capture_state == CAPTURE_ERROR))) {
diff --git a/drivers/platform/tegra/rtcpu/tegra-rtcpu-trace.c b/drivers/platform/tegra/rtcpu/tegra-rtcpu-trace.c
index dc31555e..cec4e80b 100644
--- a/drivers/platform/tegra/rtcpu/tegra-rtcpu-trace.c
+++ b/drivers/platform/tegra/rtcpu/tegra-rtcpu-trace.c
@@ -257,7 +257,7 @@ static void rtcpu_trace_invalidate_entries(struct tegra_rtcpu_trace *tracer,
 	u64 add_value = 0;
 	u32 mul_value_u32 = 0;
 	u32 sub_value = 0;
-	u64 mul_value_u64 = old_next * entry_size;
+	u64 mul_value_u64 = (u64)old_next * (u64)entry_size;
 
 	if (unlikely(check_add_overflow(dma_handle, mul_value_u64, &add_value))) {
 		dev_err(tracer->dev,
@@ -1523,6 +1523,7 @@ rtcpu_raw_trace_read(struct file *file, char __user *user_buffer, size_t buffer_
 	u32 num_events_requested;
 	struct camrtc_trace_memory_header *header;
 	ssize_t events_copied = 0;
+	ssize_t events_amount = 0;
 
 	bool blocking_call = !(file->f_flags & O_NONBLOCK);
 
@@ -1602,7 +1603,13 @@ rtcpu_raw_trace_read(struct file *file, char __user *user_buffer, size_t buffer_
 	fd_context->raw_trace_last_read_event_idx = last_read_event_idx;
 	file->private_data = fd_context;
 
-	return events_copied * sizeof(struct camrtc_event_struct);
+	if (check_mul_overflow(events_copied,
+		(ssize_t)sizeof(struct camrtc_event_struct), &events_amount)) {
+		dev_err(tracer->dev, "Events copy failed due to an overflow\n");
+		return -EINVAL;
+	}
+
+	return events_amount;
 }
 
 static ssize_t rtcpu_raw_trace_write(