From e0a25b6e9ea5f53493da50d006ac008ed470f505 Mon Sep 17 00:00:00 2001
From: Biswajit Paul <biswajitpaul@codeaurora.org>
Date: Mon, 25 Jul 2016 11:53:19 +0530
Subject: [PATCH] msm: camera: sensor: Fix use after free condition

Check the return value before calling csid config; without the check,
the call leads to a use-after-free.

Bug: 29513227
Change-Id: I230ae06474332bbb23c7169423447766f5e2cf0b
CRs-Fixed: 1040857
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
Signed-off-by: Yueyao (Nathan) Zhu <yueyao@google.com>
---
 .../media/platform/msm/camera_v2/sensor/csid/msm_csid.c   | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
index dbef915ce001..877856b52d47 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -339,7 +339,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void *arg)
 			break;
 		}
 		if (csid_params.lut_params.num_cid < 1 ||
-			csid_params.lut_params.num_cid > 16) {
+			csid_params.lut_params.num_cid > MAX_CID) {
 			pr_err("%s: %d num_cid outside range\n",
 				 __func__, __LINE__);
 			rc = -EINVAL;
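Review bot: The upper bound on `num_cid` now depends on `MAX_CID`, whose definition is not part of this patch, so the check is only as good as that constant's agreement with the real capacity of `csid_params.lut_params.vc_cfg`. The later loop in this function (visible in the next hunk) writes `vc_cfg[i]`, so a mismatch would turn a user-supplied count into an out-of-bounds write. If `vc_cfg` is a fixed-size array member, tying the check to the array itself, `csid_params.lut_params.num_cid > ARRAY_SIZE(csid_params.lut_params.vc_cfg)`, keeps the two from drifting apart. msm_csid_cmd starts and ends outside this hunk.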
@@ -369,6 +369,10 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void *arg)
 			}
 			csid_params.lut_params.vc_cfg[i] = vc_cfg;
 		}
+		if (rc < 0) {
+			pr_err("%s:%d failed\n", __func__, __LINE__);
+			break;
+		}
 		rc = msm_csid_config(csid_dev, &csid_params);
 		for (i--; i >= 0; i--)
 			kfree(csid_params.lut_params.vc_cfg[i]);
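Review bot: The added `break` exits before the trailing `for (i--; i >= 0; i--) kfree(...)` loop, so on this path nothing visible in the hunk releases the `vc_cfg` entries. That is only correct if every failure branch inside the preceding loop, which starts outside this hunk, has already freed what it allocated. The commit message implies they do, since the bug being fixed is msm_csid_config() reading freed entries, but the dependency deserves a comment above the check, for example `/* the loop's error paths already freed vc_cfg[]; never pass them to msm_csid_config() */`. The log line would also help triage more if it carried the error code, `pr_err("%s:%d vc_cfg setup failed rc %d\n", __func__, __LINE__, rc);`.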
-- 
GitLab