Merge tag 'LA.UM.9.15.2.r1-10600-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel into android13-4.19-kona

"LA.UM.9.15.2.r1-10600-KAMORTA.QSSI14.0" * tag 'LA.UM.9.15.2.r1-10600-KAMORTA.QSSI14.0' of https://git.codelinaro.org/clo/la/platform/vendor/opensource/camera-kernel: msm: camera: memmgr: Remove the mutex lock for kref variable msm: camera: memmgr: Add refcount to track umd in use buffers msm: camera: sensor: Handling race condition in util api msm: camera: common: Fix possible OOB reads and writes operations Change-Id: Ic30b7c9d5683965ee182c28681387a9725a83b17
2024-10-10 14:16:48 +03:00
parent 92fb1a2d0c 3c1a45b455
commit 080219bb4f
14 changed files with 181 additions and 47 deletions
--- a/techpack/camera-bengal/drivers/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_fd/fd_hw_mgr/cam_fd_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -78,6 +78,10 @@ static int cam_fd_mgr_util_packet_validate(struct cam_packet *packet,
 		packet->cmd_buf_offset);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		/*
 		 * We can allow 0 length cmd buffer. This can happen in case
 		 * umd gives an empty cmd buffer as kmd buffer
@@ -789,6 +793,10 @@ static int cam_fd_mgr_util_prepare_hw_update_entries(
 		&prepare->packet->payload + prepare->packet->cmd_buf_offset);
 	for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!cmd_desc[i].length)
 			continue;
--- a/techpack/camera-bengal/drivers/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_icp/icp_hw/icp_hw_mgr/cam_icp_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/uaccess.h>
@@ -4596,6 +4596,10 @@ static int cam_icp_process_generic_cmd_buffer(
 	cmd_desc = (struct cam_cmd_buf_desc *)
 		((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!cmd_desc[i].length)
 			continue;
@@ -4781,6 +4785,10 @@ static int cam_icp_mgr_config_stream_settings(
 	cmd_desc = (struct cam_cmd_buf_desc *)
 		((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
 	rc = cam_packet_util_validate_cmd_desc(cmd_desc);
 	if (rc)
 		return rc;
 	if (!cmd_desc[0].length ||
 		cmd_desc[0].meta_data != CAM_ICP_CMD_META_GENERIC_BLOB) {
 		CAM_ERR(CAM_ICP, "Invalid cmd buffer length/metadata");
--- a/techpack/camera-bengal/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_isp/isp_hw_mgr/cam_ife_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/slab.h>
@@ -154,6 +154,10 @@ static int cam_ife_mgr_handle_reg_dump(struct cam_ife_hw_mgr_ctx *ctx,
 			"Reg dump values might be from more than one request");
 	for (i = 0; i < num_reg_dump_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&reg_dump_buf_desc[i]);
 		if (rc)
 			return rc;
 		CAM_DBG(CAM_ISP, "Reg dump cmd meta data: %u req_type: %u",
 			reg_dump_buf_desc[i].meta_data, meta_type);
 		if (reg_dump_buf_desc[i].meta_data == meta_type) {
--- a/techpack/camera-bengal/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c
+++ b/techpack/camera-bengal/drivers/cam_isp/isp_hw_mgr/hw_utils/cam_isp_packet_parser.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <media/cam_defs.h>
@@ -283,6 +283,10 @@ int cam_isp_add_command_buffers(
 		split_id, prepare->packet->num_cmd_buf);
 	for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		num_ent = prepare->num_hw_update_entries;
 		if (!cmd_desc[i].length)
 			continue;
--- a/techpack/camera-bengal/drivers/cam_lrme/lrme_hw_mgr/cam_lrme_hw_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_lrme/lrme_hw_mgr/cam_lrme_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -117,6 +117,10 @@ static int cam_lrme_mgr_util_packet_validate(struct cam_packet *packet,
 		packet->cmd_buf_offset);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!cmd_desc[i].length)
 			continue;
@@ -317,6 +321,10 @@ static int cam_lrme_mgr_util_prepare_hw_update_entries(
 		&prepare->packet->payload + prepare->packet->cmd_buf_offset);
 	for (i = 0; i < prepare->packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!cmd_desc[i].length)
 			continue;
--- a/techpack/camera-bengal/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_ope/ope_hw_mgr/cam_ope_hw_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/uaccess.h>
@@ -427,13 +427,17 @@ static void cam_ope_dump_dmi(struct cam_ope_hang_dump *dump, uint32_t addr,
 static int cam_ope_mgr_put_cmd_buf(struct cam_packet *packet)
 {
-	int i = 0;
+	int i = 0, rc = 0;
 	struct cam_cmd_buf_desc *cmd_desc = NULL;
 	cmd_desc = (struct cam_cmd_buf_desc *)
 		((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
 			cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
 			continue;
@@ -441,7 +445,7 @@ static int cam_ope_mgr_put_cmd_buf(struct cam_packet *packet)
 		cam_mem_put_cpu_buf(cmd_desc[i].mem_handle);
 	}
-	return 0;
+	return rc;
 }
 static int cam_ope_dump_indirect(struct ope_cmd_buf_info *cmd_buf_info,
@@ -555,6 +559,10 @@ static int cam_ope_dump_frame_process(struct cam_packet *packet,
 	cmd_desc = (struct cam_cmd_buf_desc *)
 		((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
 			cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
 			continue;
@@ -2277,6 +2285,10 @@ static int cam_ope_mgr_process_cmd_desc(struct cam_ope_hw_mgr *hw_mgr,
 	*ope_cmd_buf_addr = 0;
 	for (i = 0; i < packet->num_cmd_buf; i++, num_cmd_buf++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (cmd_desc[i].type != CAM_CMD_BUF_GENERIC ||
 			cmd_desc[i].meta_data == OPE_CMD_META_GENERIC_BLOB)
 			continue;
@@ -3168,6 +3180,10 @@ static int cam_ope_process_generic_cmd_buffer(
 		((uint32_t *) &packet->payload + packet->cmd_buf_offset/4);
 	for (i = 0; i < packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!cmd_desc[i].length)
 			continue;
--- a/techpack/camera-bengal/drivers/cam_req_mgr/cam_mem_mgr.c
+++ b/techpack/camera-bengal/drivers/cam_req_mgr/cam_mem_mgr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -197,6 +197,8 @@ static void cam_mem_put_slot(int32_t idx)
 	mutex_lock(&tbl.m_lock);
 	mutex_lock(&tbl.bufq[idx].q_lock);
 	tbl.bufq[idx].active = false;
 	kref_init(&tbl.bufq[idx].krefcount);
 	kref_init(&tbl.bufq[idx].urefcount);
 	mutex_unlock(&tbl.bufq[idx].q_lock);
 	mutex_destroy(&tbl.bufq[idx].q_lock);
 	clear_bit(idx, tbl.bitmap);
@@ -718,7 +720,12 @@ int cam_mem_mgr_alloc_and_map(struct cam_mem_mgr_alloc_cmd *cmd)
 	memcpy(tbl.bufq[idx].hdls, cmd->mmu_hdls,
 		sizeof(int32_t) * cmd->num_hdl);
 	tbl.bufq[idx].is_imported = false;
 	if (cmd->flags & CAM_MEM_FLAG_KMD_ACCESS)
 		kref_init(&tbl.bufq[idx].krefcount);
 	kref_init(&tbl.bufq[idx].urefcount);
 	tbl.bufq[idx].smmu_mapping_client = CAM_SMMU_MAPPING_USER;
 	mutex_unlock(&tbl.bufq[idx].q_lock);
@@ -822,7 +829,9 @@ int cam_mem_mgr_map(struct cam_mem_mgr_map_cmd *cmd)
 	memcpy(tbl.bufq[idx].hdls, cmd->mmu_hdls,
 		sizeof(int32_t) * cmd->num_hdl);
 	tbl.bufq[idx].is_imported = true;
 	if (cmd->flags & CAM_MEM_FLAG_KMD_ACCESS)
 		kref_init(&tbl.bufq[idx].krefcount);
 	kref_init(&tbl.bufq[idx].urefcount);
 	tbl.bufq[idx].smmu_mapping_client = CAM_SMMU_MAPPING_USER;
 	mutex_unlock(&tbl.bufq[idx].q_lock);
@@ -950,6 +959,8 @@ static int cam_mem_mgr_cleanup_table(void)
 		tbl.bufq[i].num_hdl = 0;
 		tbl.bufq[i].dma_buf = NULL;
 		tbl.bufq[i].active = false;
 		kref_init(&tbl.bufq[i].krefcount);
 		kref_init(&tbl.bufq[i].urefcount);
 		mutex_unlock(&tbl.bufq[i].q_lock);
 		mutex_destroy(&tbl.bufq[i].q_lock);
 	}
@@ -975,16 +986,17 @@ void cam_mem_mgr_deinit(void)
 	mutex_destroy(&tbl.m_lock);
 }
-static void cam_mem_util_unmap(struct kref *kref)
+static void cam_mem_util_unmap_dummy(struct kref *kref)
 {
 	CAM_DBG(CAM_MEM, "Cam mem util unmap dummy");
 }
 static void cam_mem_util_unmap(int32_t idx)
 {
 	int rc = 0;
 	int32_t idx;
 	enum cam_smmu_region_id region = CAM_SMMU_REGION_SHARED;
 	enum cam_smmu_mapping_client client;
 	struct cam_mem_buf_queue *bufq =
 		container_of(kref, typeof(*bufq), krefcount);
 	idx = CAM_MEM_MGR_GET_HDL_IDX(bufq->buf_handle);
 	if (idx >= CAM_MEM_BUFQ_MAX || idx <= 0) {
 		CAM_ERR(CAM_MEM, "Incorrect index");
 		return;
@@ -1055,6 +1067,8 @@ static void cam_mem_util_unmap(struct kref *kref)
 	tbl.bufq[idx].len = 0;
 	tbl.bufq[idx].num_hdl = 0;
 	tbl.bufq[idx].active = false;
 	memset(&tbl.bufq[idx].krefcount, 0, sizeof(struct kref));
 	memset(&tbl.bufq[idx].urefcount, 0, sizeof(struct kref));
 	mutex_unlock(&tbl.bufq[idx].q_lock);
 	mutex_destroy(&tbl.bufq[idx].q_lock);
 	clear_bit(idx, tbl.bitmap);
@@ -1062,10 +1076,26 @@ static void cam_mem_util_unmap(struct kref *kref)
 }
 static void cam_mem_util_unmap_wrapper(struct kref *kref)
 {
 	int32_t idx;
 	struct cam_mem_buf_queue *bufq = container_of(kref, typeof(*bufq), krefcount);
 	idx = CAM_MEM_MGR_GET_HDL_IDX(bufq->buf_handle);
 	if (idx >= CAM_MEM_BUFQ_MAX || idx <= 0) {
 		CAM_ERR(CAM_MEM, "idx: %d not valid", idx);
 		return;
 	}
 	cam_mem_util_unmap(idx);
 }
 void cam_mem_put_cpu_buf(int32_t buf_handle)
 {
 	int rc = 0;
 	int idx;
 	uint32_t krefcount = 0, urefcount = 0;
 	bool unmap = false;
 	if (!buf_handle) {
 		CAM_ERR(CAM_MEM, "Invalid buf_handle");
@@ -1091,11 +1121,23 @@ void cam_mem_put_cpu_buf(int32_t buf_handle)
 		return;
 	}
-	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap))
+	kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap_dummy);
 		CAM_DBG(CAM_MEM,
 			"Called unmap from here, buf_handle: %u, idx: %d",
 			buf_handle, idx);
 	krefcount = kref_read(&tbl.bufq[idx].krefcount);
 	urefcount = kref_read(&tbl.bufq[idx].urefcount);
 	if ((krefcount == 1) && (urefcount == 0))
 		unmap = true;
 	if (unmap) {
 		cam_mem_util_unmap(idx);
 		CAM_DBG(CAM_MEM,
 			"Called unmap from here, buf_handle: %u, idx: %d", buf_handle, idx);
 	} else if (krefcount == 0) {
 		CAM_ERR(CAM_MEM,
 			"Unbalanced release Called buf_handle: %u, idx: %d",
 			tbl.bufq[idx].buf_handle, idx);
 	}
 }
 EXPORT_SYMBOL(cam_mem_put_cpu_buf);
@@ -1104,6 +1146,8 @@ int cam_mem_mgr_release(struct cam_mem_mgr_release_cmd *cmd)
 {
 	int idx;
 	int rc = 0;
 	uint32_t krefcount = 0, urefcount = 0;
 	bool unmap = false;
 	if (!atomic_read(&cam_mem_mgr_state)) {
 		CAM_ERR(CAM_MEM, "failed. mem_mgr not initialized");
@@ -1136,10 +1180,24 @@ int cam_mem_mgr_release(struct cam_mem_mgr_release_cmd *cmd)
 	CAM_DBG(CAM_MEM, "Releasing hdl = %x, idx = %d", cmd->buf_handle, idx);
-	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap))
+	kref_put(&tbl.bufq[idx].urefcount, cam_mem_util_unmap_dummy);
 	urefcount = kref_read(&tbl.bufq[idx].urefcount);
 	if (tbl.bufq[idx].flags & CAM_MEM_FLAG_KMD_ACCESS) {
 		krefcount = kref_read(&tbl.bufq[idx].krefcount);
 		if ((krefcount == 1) && (urefcount == 0))
 			unmap = true;
 	} else {
 		if (urefcount == 0)
 			unmap = true;
 	}
 	if (unmap) {
 		cam_mem_util_unmap(idx);
 		CAM_DBG(CAM_MEM,
-			"Called unmap from here, buf_handle: %u, idx: %d",
+			"Called unmap from here, buf_handle: %u, idx: %d", cmd->buf_handle, idx);
-			cmd->buf_handle, idx);
+	}
 	return rc;
 }
@@ -1321,7 +1379,7 @@ int cam_mem_mgr_release_mem(struct cam_mem_mgr_memory_desc *inp)
 	}
 	CAM_DBG(CAM_MEM, "Releasing hdl = %X", inp->mem_handle);
-	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap))
+	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap_wrapper))
 		CAM_DBG(CAM_MEM,
 			"Called unmap from here, buf_handle: %u, idx: %d",
 			tbl.bufq[idx].buf_handle, idx);
@@ -1501,7 +1559,7 @@ int cam_mem_mgr_free_memory_region(struct cam_mem_mgr_memory_desc *inp)
 	}
 	CAM_DBG(CAM_MEM, "Releasing hdl = %X", inp->mem_handle);
-	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap))
+	if (kref_put(&tbl.bufq[idx].krefcount, cam_mem_util_unmap_wrapper))
 		CAM_DBG(CAM_MEM,
 			"Called unmap from here, buf_handle: %u, idx: %d",
 			inp->mem_handle, idx);
--- a/techpack/camera-bengal/drivers/cam_req_mgr/cam_mem_mgr.h
+++ b/techpack/camera-bengal/drivers/cam_req_mgr/cam_mem_mgr.h
@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 /*
 * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #ifndef _CAM_MEM_MGR_H_
@@ -44,8 +44,10 @@ enum cam_smmu_mapping_client {
 * @is_imported:    Flag indicating if buffer is imported from an FD
 *                  in user space
 * @krefcount:      Reference counter to track whether the buffer is
- *                  mapped and in use
+ *                  mapped and in use by kmd
 * @smmu_mapping_client: Client buffer (User or kernel)
 * @urefcount:      Reference counter to track whether the buffer is
 *                  mapped and in use by umd
 */
 struct cam_mem_buf_queue {
 	struct dma_buf *dma_buf;
@@ -63,6 +65,7 @@ struct cam_mem_buf_queue {
 	bool is_imported;
 	struct kref krefcount;
 	enum cam_smmu_mapping_client smmu_mapping_client;
 	struct kref urefcount;
 };
 /**
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_actuator/cam_actuator_core.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_actuator/cam_actuator_core.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -489,6 +489,10 @@ int32_t cam_actuator_i2c_pkt_parse(struct cam_actuator_ctrl_t *a_ctrl,
 		/* Loop through multiple command buffers */
 		for (i = 0; i < csl_packet->num_cmd_buf; i++) {
 			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 			if (rc)
 				return rc;
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			if (!total_cmd_buf_in_bytes)
 				continue;
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_eeprom/cam_eeprom_core.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -729,6 +729,10 @@ static int32_t cam_eeprom_parse_write_memory_packet(
 		int                            master;
 		struct cam_sensor_cci_client   *cci;
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		total_cmd_buf_in_bytes = cmd_desc[i].length;
 		processed_cmd_buf_in_bytes = 0;
@@ -946,6 +950,10 @@ static int32_t cam_eeprom_init_pkt_parser(struct cam_eeprom_ctrl_t *e_ctrl,
 	/* Loop through multiple command buffers */
 	for (i = 0; i < csl_packet->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		total_cmd_buf_in_bytes = cmd_desc[i].length;
 		processed_cmd_buf_in_bytes = 0;
 		if (!total_cmd_buf_in_bytes)
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_flash/cam_flash_core.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_flash/cam_flash_core.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -1076,6 +1076,10 @@ int cam_flash_i2c_pkt_parser(struct cam_flash_ctrl *fctrl, void *arg)
 		/* Loop through multiple command buffers */
 		for (i = 1; i < csl_packet->num_cmd_buf; i++) {
 			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 			if (rc)
 				return rc;
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			processed_cmd_buf_in_bytes = 0;
 			if (!total_cmd_buf_in_bytes)
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_ois/cam_ois_core.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_ois/cam_ois_core.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023-2024, Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -483,6 +483,10 @@ static int cam_ois_pkt_parse(struct cam_ois_ctrl_t *o_ctrl, void *arg)
 		/* Loop through multiple command buffers */
 		for (i = 0; i < csl_packet->num_cmd_buf; i++) {
 			rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 			if (rc)
 				return rc;
 			total_cmd_buf_in_bytes = cmd_desc[i].length;
 			if (!total_cmd_buf_in_bytes)
 				continue;
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_sensor/cam_sensor_core.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_sensor/cam_sensor_core.c
@@ -2,6 +2,7 @@
 /*
 * Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
 * Copyright (c) 2023, The Linux Foundation. All rights reserved.
 * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include <linux/module.h>
@@ -494,6 +495,10 @@ int32_t cam_handle_mem_ptr(uint64_t handle, struct cam_sensor_ctrl_t *s_ctrl)
 	}
 	for (i = 0; i < pkt->num_cmd_buf; i++) {
 		rc = cam_packet_util_validate_cmd_desc(&cmd_desc[i]);
 		if (rc)
 			return rc;
 		if (!(cmd_desc[i].length))
 			continue;
 		rc = cam_mem_get_cpu_buf(cmd_desc[i].mem_handle,
--- a/techpack/camera-bengal/drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c
+++ b/techpack/camera-bengal/drivers/cam_sensor_module/cam_sensor_utils/cam_sensor_util.c
@@ -150,10 +150,11 @@ int32_t cam_sensor_handle_random_write(
 	struct list_head **list)
 {
 	struct i2c_settings_list  *i2c_list;
-	int32_t rc = 0, cnt;
+	int32_t rc = 0, cnt, payload_count;
 	payload_count = cam_cmd_i2c_random_wr->header.count;
 	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,
-		cam_cmd_i2c_random_wr->header.count);
+						payload_count);
 	if (i2c_list == NULL ||
 		i2c_list->i2c_settings.reg_setting == NULL) {
 		CAM_ERR(CAM_SENSOR, "Failed in allocating i2c_list");
@@ -162,15 +163,14 @@ int32_t cam_sensor_handle_random_write(
 	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +
 		sizeof(struct i2c_random_wr_payload) *
-		(cam_cmd_i2c_random_wr->header.count));
+		payload_count);
 	i2c_list->op_code = CAM_SENSOR_I2C_WRITE_RANDOM;
 	i2c_list->i2c_settings.addr_type =
 		cam_cmd_i2c_random_wr->header.addr_type;
 	i2c_list->i2c_settings.data_type =
 		cam_cmd_i2c_random_wr->header.data_type;
-	for (cnt = 0; cnt < (cam_cmd_i2c_random_wr->header.count);
+	for (cnt = 0; cnt < payload_count; cnt++) {
 		cnt++) {
 		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =
 			cam_cmd_i2c_random_wr->random_wr_payload[cnt].reg_addr;
 		i2c_list->i2c_settings.reg_setting[cnt].reg_data =
@@ -190,10 +190,11 @@ static int32_t cam_sensor_handle_continuous_write(
 	struct list_head **list)
 {
 	struct i2c_settings_list *i2c_list;
-	int32_t rc = 0, cnt;
+	int32_t rc = 0, cnt, payload_count;
 	payload_count = cam_cmd_i2c_continuous_wr->header.count;
 	i2c_list = cam_sensor_get_i2c_ptr(i2c_reg_settings,
-		cam_cmd_i2c_continuous_wr->header.count);
+						payload_count);
 	if (i2c_list == NULL ||
 		i2c_list->i2c_settings.reg_setting == NULL) {
 		CAM_ERR(CAM_SENSOR, "Failed in allocating i2c_list");
@@ -203,7 +204,7 @@ static int32_t cam_sensor_handle_continuous_write(
 	*cmd_length_in_bytes = (sizeof(struct i2c_rdwr_header) +
 		sizeof(cam_cmd_i2c_continuous_wr->reg_addr) +
 		sizeof(struct cam_cmd_read) *
-		(cam_cmd_i2c_continuous_wr->header.count));
+		(payload_count));
 	if (cam_cmd_i2c_continuous_wr->header.op_code ==
 		CAMERA_SENSOR_I2C_OP_CONT_WR_BRST)
 		i2c_list->op_code = CAM_SENSOR_I2C_WRITE_BURST;
@@ -220,8 +221,7 @@ static int32_t cam_sensor_handle_continuous_write(
 	i2c_list->i2c_settings.size =
 		cam_cmd_i2c_continuous_wr->header.count;
-	for (cnt = 0; cnt < (cam_cmd_i2c_continuous_wr->header.count);
+	for (cnt = 0; cnt < payload_count; cnt++) {
 		cnt++) {
 		i2c_list->i2c_settings.reg_setting[cnt].reg_addr =
 			cam_cmd_i2c_continuous_wr->reg_addr;
 		i2c_list->i2c_settings.reg_setting[cnt].reg_data =