msm: sensor: Fix for variable being de-referenced without proper check

Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.

Change-Id: I731a015c952d131187a47a8d346fb6478fddeeb1
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>

diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
index 5376e1e..491b8d3 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1144,13 +1144,13 @@ static long msm_flash_subdev_do_ioctl(
        sd = vdev_to_v4l2_subdev(vdev);
        u32 = (struct msm_flash_cfg_data_t32 *)arg;
 
-       flash_data.cfg_type = u32->cfg_type;
-       for (i = 0; i < MAX_LED_TRIGGERS; i++) {
-               flash_data.flash_current[i] = u32->flash_current[i];
-               flash_data.flash_duration[i] = u32->flash_duration[i];
-       }
        switch (cmd) {
        case VIDIOC_MSM_FLASH_CFG32:
+               flash_data.cfg_type = u32->cfg_type;
+               for (i = 0; i < MAX_LED_TRIGGERS; i++) {
+                       flash_data.flash_current[i] = u32->flash_current[i];
+                       flash_data.flash_duration[i] = u32->flash_duration[i];
+               }
                cmd = VIDIOC_MSM_FLASH_CFG;
                switch (flash_data.cfg_type) {
                case CFG_FLASH_OFF:

diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
index c94ee50..bfb1584 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
@@ -774,11 +774,10 @@ static long msm_ois_subdev_do_ioctl(
        u32 = (struct msm_ois_cfg_data32 *)arg;
        parg = arg;
 
-       ois_data.cfgtype = u32->cfgtype;
-
        switch (cmd) {
        case VIDIOC_MSM_OIS_CFG32:
                cmd = VIDIOC_MSM_OIS_CFG;
+               ois_data.cfgtype = u32->cfgtype;
 
                switch (u32->cfgtype) {
                case CFG_OIS_CONTROL:
@@ -812,7 +811,6 @@ static long msm_ois_subdev_do_ioctl(
                        settings.reg_setting =
                                compat_ptr(settings32.reg_setting);
 
-                       ois_data.cfgtype = u32->cfgtype;
                        ois_data.cfg.settings = &settings;
                        parg = &ois_data;
                        break;