[COMMON] fimc-is2: fix prevent defect(cid: 270156, 270161, 270162)

 270156: dereference after null check
 270161: Explicit null dereferenced
 270162: dereference after null check

 PR JIRA ID: CPR-995

Change-Id: I91717c7b9d2ed5d85b053f16e3adc73f55a01711
Signed-off-by: Wooyeon Kim <wooy88.kim@samsung.com>

diff --git a/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c b/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
index 3fe65817bef55a8fd67019a855256ce837efc916..0409d4c16f0ca44723d07287f61098338a02bbe0 100644 (file)
--- a/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
+++ b/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
@@ -3401,7 +3401,8 @@ int fimc_is_group_done(struct fimc_is_groupmgr *groupmgr,
                                break;
                        }
 
-                       if (device->sensor->subdev_eeprom || device->sensor->use_otp_cal) {
+                       if (device->sensor &&
+                               (device->sensor->subdev_eeprom || device->sensor->use_otp_cal)) {
                                /* Sensor EEPROM CAL data status update */
                                for (i = 0; i < CAMERA_CRC_INDEX_MAX; i++)
                                        frame->shot_ext->user.crc_result[i] = device->sensor->cal_status[i];

diff --git a/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c b/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
index 3f495dd30ddacd7c6c710702fcf70197ed3b0dfb..963af5b7feeb00785cab7ba3bde6cfca87a0d671 100644 (file)
--- a/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
+++ b/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
@@ -452,8 +452,10 @@ void __nocfi pafstat_notify(struct v4l2_subdev *subdev, unsigned int type, void
        unsigned long flag;
 
        pafstat = (struct fimc_is_pafstat *)v4l2_get_subdevdata(subdev);
-       if (!pafstat)
+       if (!pafstat) {
                err("%s, failed to get PAFSTAT", __func__);
+               return;
+       }
 
        switch (type) {
        case CSIS_NOTIFY_DMA_END_VC_MIPISTAT:
@@ -722,8 +724,6 @@ int fimc_is_pafstat_reset_recovery(struct v4l2_subdev *subdev, u32 reset_mode, i
 {
        int ret = 0;
        struct fimc_is_pafstat *pafstat;
-       struct v4l2_subdev_pad_config *cfg = NULL;
-       struct v4l2_subdev_format *fmt = NULL;
 
        pafstat = v4l2_get_subdevdata(subdev);
        if (!pafstat) {
@@ -735,7 +735,25 @@ int fimc_is_pafstat_reset_recovery(struct v4l2_subdev *subdev, u32 reset_mode, i
                pafstat_hw_com_s_output_mask(pafstat->regs_com, 1);
                pafstat_hw_sw_reset(pafstat->regs);
        } else {
-               pafstat_s_format(subdev, cfg, fmt);
+               struct fimc_is_module_enum *module;
+               struct v4l2_subdev_pad_config *cfg = NULL;
+               struct v4l2_subdev_format fmt;
+
+               module = (struct fimc_is_module_enum *)v4l2_get_subdev_hostdata(subdev);
+               if (!module) {
+                       err("[PAFSTAT:%d] A host data of PAFSTAT is null", pafstat->id);
+                       return -ENODEV;
+               }
+
+               if (!module->cfg) {
+                       err("module->cfg is NULL");
+                       return -EINVAL;
+               }
+
+               fmt.format.width = module->cfg->width;
+               fmt.format.height = module->cfg->height;
+
+               pafstat_s_format(subdev, cfg, &fmt);
                pafstat_s_stream(subdev, 1);
                pafstat_hw_com_s_output_mask(pafstat->regs_com, 0);
        }