From 4c71b3d40d8583f0e4329652ed8a6f9878aecaf1 Mon Sep 17 00:00:00 2001
From: Aki Niemi <aniemi@nvidia.com>
Date: Sun, 11 Aug 2024 09:35:14 +0000
Subject: [PATCH] camera/capture: Fix NULL checks on channel release

Make cure the channel is non-NULL when releasing and unpinning
the VI channel and capture descriptor buffers, respectively.

Bug 4623451

Change-Id: Ieb7f48b2d69a08fb00f7dd8f57fba376d66f9dcd
Signed-off-by: Aki Niemi <aniemi@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3192587
(cherry picked from commit 99b3c9be9c85b2fb2f06aa1551d893fe11134afe)
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3219712
Reviewed-by: Mohit Ingale <mohiti@nvidia.com>
Reviewed-by: Vincent Chung <vincentc@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Tested-by: Mohit Ingale <mohiti@nvidia.com>
Reviewed-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Ganesh Ram Savithri Sreenivas Murthy <ganeshrams@nvidia.com>
---
 .../camera/fusa-capture/capture-vi-channel.c  | 26 +++++++++++++--
 .../tegra/camera/fusa-capture/capture-vi.c    | 33 ++++++++++++++-----
 2 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
index 8eb82211..4d0f8e85 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi-channel.c
@@ -159,10 +159,21 @@ void vi_capture_request_unpin(
 	struct tegra_vi_channel *chan,
 	uint32_t buffer_index)
 {
-	struct vi_capture *capture = chan->capture_data;
+	struct vi_capture *capture;
 	struct capture_common_unpins *unpins;
 	int i = 0;
 
+	if (unlikely(chan == NULL)) {
+		pr_err("%s: vi channel pointer is NULL\n", __func__);
+		return;
+	}
+
+	capture = chan->capture_data;
+	if (unlikely(capture == NULL)) {
+		dev_err(chan->dev, "%s: vi capture uninitialized\n", __func__);
+		return;
+	}
+
 	mutex_lock(&capture->unpins_list_lock);
 	unpins = &capture->unpins_list[buffer_index];
 
@@ -375,10 +386,21 @@ static long vi_channel_ioctl(
 	unsigned long arg)
 {
 	struct tegra_vi_channel *chan = file->private_data;
-	struct vi_capture *capture = chan->capture_data;
+	struct vi_capture *capture;
 	void __user *ptr = (void __user *)arg;
 	int err = -EFAULT;
 
+	if (unlikely(chan == NULL)) {
+		pr_err("%s: invalid channel\n", __func__);
+		return -EINVAL;
+	}
+
+	capture = chan->capture_data;
+	if (unlikely(capture == NULL)) {
+		dev_err(chan->dev, "%s: invalid context", __func__);
+		return -EINVAL;
+	}
+
 	switch (_IOC_NR(cmd)) {
 	case _IOC_NR(VI_CAPTURE_SETUP): {
 		struct vi_capture_setup setup;
diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
index 509e9001..3dbddfc9 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-vi.c
@@ -497,11 +497,20 @@ EXPORT_SYMBOL_GPL(vi_capture_init);
 void vi_capture_shutdown(
 	struct tegra_vi_channel *chan)
 {
-	struct vi_capture *capture = chan->capture_data;
+	struct vi_capture *capture;
+
+	if (unlikely(chan == NULL)) {
+		pr_err("%s: vi channel pointer is NULL\n", __func__);
+		return;
+	}
 
 	dev_dbg(chan->dev, "%s--\n", __func__);
-	if (capture == NULL)
+
+	capture = chan->capture_data;
+	if (unlikely(capture == NULL)) {
+		dev_err(chan->dev, "%s: invalid context", __func__);
 		return;
+	}
 
 	if (capture->channel_id != CAPTURE_CHANNEL_INVALID_ID)
 		vi_capture_reset(chan,
@@ -907,23 +916,30 @@ int vi_capture_release(
 	struct tegra_vi_channel *chan,
 	uint32_t reset_flags)
 {
-	struct vi_capture *capture = chan->capture_data;
+	struct vi_capture *capture;
 	struct CAPTURE_CONTROL_MSG control_desc;
-	struct CAPTURE_CONTROL_MSG *resp_msg = &capture->control_resp_msg;
+	struct CAPTURE_CONTROL_MSG *resp_msg;
 	int err = 0;
 	int ret = 0;
 	int i = 0;
 
+	if (unlikely(chan == NULL)) {
+		pr_err("%s: vi channel pointer is NULL\n", __func__);
+		return -ENODEV;
+	}
+
 	nv_camera_log(chan->ndev,
 		__arch_counter_get_cntvct(),
 		NVHOST_CAMERA_VI_CAPTURE_RELEASE);
 
-	if (capture == NULL) {
-		dev_err(chan->dev,
-			 "%s: vi capture uninitialized\n", __func__);
+	capture = chan->capture_data;
+	if (unlikely(capture == NULL)) {
+		dev_err(chan->dev, "%s: vi capture uninitialized\n", __func__);
 		return -ENODEV;
 	}
 
+	resp_msg = &capture->control_resp_msg;
+
 	if (capture->channel_id == CAPTURE_CHANNEL_INVALID_ID) {
 		dev_err(chan->dev,
 			"%s: setup channel first\n", __func__);
@@ -989,9 +1005,10 @@ int vi_capture_release(
 	capture->csi_port = NVCSI_PORT_UNSPECIFIED;
 	capture->virtual_channel_id = NVCSI_STREAM_INVALID_TPG_VC_ID;
 
-	if (capture->is_progress_status_notifier_set)
+	if (capture->is_progress_status_notifier_set) {
 		capture_common_release_progress_status_notifier(
 			&capture->progress_status_notifier);
+	}
 
 	return err;
 }