From dad27a64e32c801a5a72f8d97144487aa1e2ae63 Mon Sep 17 00:00:00 2001
From: Wooyeon Kim
Date: Thu, 25 Apr 2019 11:13:01 +0900
Subject: [PATCH] [COMMON] fimc-is2: fix prevent defect(cid: 270156, 270161, 270162)
270156: dereference after null check
270161: Explicit null dereferenced
270162: dereference after null check
PR JIRA ID: CPR-995
Change-Id: I91717c7b9d2ed5d85b053f16e3adc73f55a01711
Signed-off-by: Wooyeon Kim
---
 .../exynos/fimc-is2/fimc-is-groupmgr.c | 3 ++-
 .../pafstat/fimc-is-pafstat.c | 26 ++++++++++++++++---
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c b/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
index 3fe65817bef5..0409d4c16f0c 100644
--- a/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
+++ b/drivers/media/platform/exynos/fimc-is2/fimc-is-groupmgr.c
@@ -3401,7 +3401,8 @@ int fimc_is_group_done(struct fimc_is_groupmgr *groupmgr,
 break;
 }
- if (device->sensor->subdev_eeprom || device->sensor->use_otp_cal) {
+ if (device->sensor &&
+ (device->sensor->subdev_eeprom || device->sensor->use_otp_cal)) {
 /* Sensor EEPROM CAL data status update */
 for (i = 0; i < CAMERA_CRC_INDEX_MAX; i++)
 frame->shot_ext->user.crc_result[i] = device->sensor->cal_status[i];
diff --git a/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c b/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
index 3f495dd30dda..963af5b7feeb 100644
--- a/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
+++ b/drivers/media/platform/exynos/fimc-is2/sensor/module_framework/pafstat/fimc-is-pafstat.c
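Review bot: In fimc_is_group_done (fimc-is-groupmgr.c) the new condition reads `device->sensor` three times and the loop under it reads it a fourth time, so the NULL test and the dereferences are not tied to one loaded value. Taking the pointer once into a local before the test, `sensor = device->sensor;` followed by `if (sensor && (sensor->subdev_eeprom || sensor->use_otp_cal)) {` and `sensor->cal_status[i]` in the loop, keeps the check and every use on the same pointer and removes the wrapped condition. Whether `device->sensor` can change while this function runs is not visible in the hunk. The local's declaration would sit with the function's other declarations, which are outside it.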
@@ -452,8 +452,10 @@ void __nocfi pafstat_notify(struct v4l2_subdev *subdev, unsigned int type, void
 unsigned long flag;
 pafstat = (struct fimc_is_pafstat *)v4l2_get_subdevdata(subdev);
- if (!pafstat)
+ if (!pafstat) {
 err("%s, failed to get PAFSTAT", __func__);
+ return;
+ }
 switch (type) {
 case CSIS_NOTIFY_DMA_END_VC_MIPISTAT:
@@ -722,8 +724,6 @@ int fimc_is_pafstat_reset_recovery(struct v4l2_subdev *subdev, u32 reset_mode, i
 {
 int ret = 0;
 struct fimc_is_pafstat *pafstat;
- struct v4l2_subdev_pad_config *cfg = NULL;
- struct v4l2_subdev_format *fmt = NULL;
 pafstat = v4l2_get_subdevdata(subdev);
 if (!pafstat) {
@@ -735,7 +735,25 @@ int fimc_is_pafstat_reset_recovery(struct v4l2_subdev *subdev, u32 reset_mode, i
 pafstat_hw_com_s_output_mask(pafstat->regs_com, 1);
 pafstat_hw_sw_reset(pafstat->regs);
 } else {
- pafstat_s_format(subdev, cfg, fmt);
+ struct fimc_is_module_enum *module;
+ struct v4l2_subdev_pad_config *cfg = NULL;
+ struct v4l2_subdev_format fmt;
+
+ module = (struct fimc_is_module_enum *)v4l2_get_subdev_hostdata(subdev);
+ if (!module) {
+ err("[PAFSTAT:%d] A host data of PAFSTAT is null", pafstat->id);
+ return -ENODEV;
+ }
+
+ if (!module->cfg) {
+ err("module->cfg is NULL");
+ return -EINVAL;
+ }
+
+ fmt.format.width = module->cfg->width;
+ fmt.format.height = module->cfg->height;
+
+ pafstat_s_format(subdev, cfg, &fmt);
 pafstat_s_stream(subdev, 1);
 pafstat_hw_com_s_output_mask(pafstat->regs_com, 0);
 }
-- 
2.20.1
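Review bot: In the last hunk (fimc_is_pafstat_reset_recovery, the `else` branch) `struct v4l2_subdev_format fmt;` is an uninitialized stack object, and only `fmt.format.width` and `fmt.format.height` are assigned before `&fmt` is passed to `pafstat_s_format()`. Every other member (`which`, `pad`, the remaining `format` fields) then holds stale kernel stack contents; whether the callee reads them is not visible here, but any such read, now or after a later change, would be an uninitialized read. Zero the object at its declaration: `struct v4l2_subdev_format fmt = { 0 };`. The two new early returns also bypass the function's `ret` variable and whatever follows the `else` block, which lies outside the hunk, so confirm that nothing there has to run on these paths.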