From c71ca8521ceb27fefa51e8e96d8221976a8e70ab Mon Sep 17 00:00:00 2001
From: zyi <zyi@nvidia.com>
Date: Tue, 13 May 2025 08:38:25 +0000
Subject: [PATCH] kernel: nvidia-oot: fix TAINTED_SCALAR

Fix TAINTED_SCALAR static analysis:
- camera/fusa-capture/capture-isp-channel.c

New violations are in
fusa_kmd: delta per rule
=======================================================
New :
=======================================================
Total new violations : 0
=======================================================
Fixed:
 -       TAINTED_SCALAR:  -3 defects
 - MISRA C-2012 Directive 4.14:  -3 defects
=======================================================
Total fixed violations : -6
=======================================================

Jira CAMERASW-33480

Change-Id: I428982ba33a26dcd5bb66e7b9a13ea689d7a8d1f
Signed-off-by: Yi Zhang <zyi@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3363100
Tested-by: Mike Jia <mijia@nvidia.com>
Reviewed-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Yang Xu <yangxu@nvidia.com>
Reviewed-by: Ankur Pawar <ankurp@nvidia.com>
Reviewed-by: Sumeet Gupta <sumeetg@nvidia.com>
Reviewed-by: Divyash Kumar <divyashk@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Mike Jia <mijia@nvidia.com>
---
 .../camera/fusa-capture/capture-isp-channel.c |  8 --------
 .../tegra/camera/fusa-capture/capture-isp.c   | 20 +++++++++++++++++++
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp-channel.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp-channel.c
index 3a694d4e..d8cc72b6 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp-channel.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp-channel.c
@@ -507,14 +507,6 @@ static long isp_channel_ioctl(
 
 		if (copy_from_user(&req, ptr, sizeof(req)))
 			break;
-		if (!req.inputfences_relocs.num_relocs) {
-			dev_err(chan->isp_dev, "req.inputfences_relocs.num_relocs invalid");
-			break;
-		}
-		if (!req.prefences_relocs.num_relocs) {
-			dev_err(chan->isp_dev, "req.prefences_relocs.num_relocs invalid");
-			break;
-		}
 		err = isp_capture_request(chan, &req);
 		if (err)
 			dev_err(chan->isp_dev,
diff --git a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
index 652ef365..27264b9f 100644
--- a/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
+++ b/drivers/media/platform/tegra/camera/fusa-capture/capture-isp.c
@@ -70,6 +70,16 @@
  */
 #define MAX_ISP_UNITS	U32_C(0x2)
 
+/**
+ * @brief Maximum surfaces ISP can read on its input port.
+ */
+#define MAX_ISP_INPUT_SURFACES	U32_C(3)
+
+/**
+ * @brief Maximum number of ISP input prefences.
+ */
+#define MAX_ISP_INPUT_PREFENCES	U32_C(14)
+
 /**
  * @brief The Capture-ISP standalone driver context.
  */
@@ -584,6 +594,11 @@ static int isp_capture_setup_inputfences(
 	if (!req->inputfences_relocs.num_relocs)
 		return 0;
 
+	if (req->inputfences_relocs.num_relocs > MAX_ISP_INPUT_SURFACES) {
+		dev_err(chan->isp_dev, "inputfences num exceeds max allowed\n");
+		return -EINVAL;
+	}
+
 	inpfences_reloc_user = (uint32_t __user *)
 			(uintptr_t)req->inputfences_relocs.reloc_relatives;
 
@@ -709,6 +724,11 @@ static int isp_capture_setup_prefences(
 	if (!req->prefences_relocs.num_relocs)
 		return 0;
 
+	if (req->prefences_relocs.num_relocs > MAX_ISP_INPUT_PREFENCES) {
+		dev_err(chan->isp_dev, "prefences num exceeds max allowed\n");
+		return -EINVAL;
+	}
+
 	prefence_reloc_user = (uint32_t __user *)
 			(uintptr_t)req->prefences_relocs.reloc_relatives;