diff --git a/pt/pt_core.c b/pt/pt_core.c
index d4172804c8..02610bfbb8 100644
--- a/pt/pt_core.c
+++ b/pt/pt_core.c
@@ -570,6 +570,9 @@ static int pt_hid_exec_cmd_(struct pt_core_data *cd, + (hid_cmd->has_data_register ? 2 : 0) /* Data register */ + hid_cmd->write_length; /* Data length */ + if (cmd_length < 4 || cmd_length > PT_MAX_PIP1_MSG_SIZE) + return -EPROTO; + cmd = kzalloc(cmd_length, GFP_KERNEL); if (!cmd) return -ENOMEM;
@@ -2122,13 +2125,16 @@ static int _pt_request_pip2_send_cmd(struct device *dev, struct pt_core_data *cd = dev_get_drvdata(dev); struct pip2_cmd_structure pip2_cmd; int rc = 0; - int i = 0; - int j = 0; + u16 i = 0; + u16 j = 0; u16 write_len; u8 *write_buf = NULL; u16 read_len; u8 extra_bytes; + if (report_body_len > 247) + return -EPROTO; + memset(&pip2_cmd, 0, sizeof(pip2_cmd)); /* Hard coded register for PIP2.x */ pip2_cmd.reg[0] = 0x01;
@@ -2255,8 +2261,8 @@ static int _pt_pip2_send_cmd_no_int(struct device *dev, int max_retry = 0; int retry = 0; int rc = 0; - int i = 0; - int j = 0; + u16 i = 0; + u16 j = 0; u16 write_len; u8 *write_buf = NULL; u16 read_len;
@@ -2270,6 +2276,9 @@ static int _pt_pip2_send_cmd_no_int(struct device *dev, struct pt_core_data *cd = dev_get_drvdata(dev); struct pip2_cmd_structure pip2_cmd; + if (report_body_len > 247) + return -EPROTO; + if (protect == PT_CORE_CMD_PROTECTED) { rc = request_exclusive(cd, cd->dev, PT_REQUEST_EXCLUSIVE_TIMEOUT);
@@ -3776,7 +3785,8 @@ static int pt_pip1_read_data_block_(struct pt_core_data *cd, if (length == 0 || *actual_read_len == 0) return 0; - if (read_buf_size >= *actual_read_len) + if (read_buf_size >= *actual_read_len && + *actual_read_len < PT_MAX_PIP2_MSG_SIZE) memcpy(read_buf, &cd->response_buf[10], *actual_read_len); else return -EPROTO;
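Review bot: In pt_hid_exec_cmd_ the new range check runs on `cmd_length` after the sum has already been stored, so if `cmd_length` is a narrow unsigned type (its declaration and the start of the expression are outside the hunk) a large `hid_cmd->write_length` can wrap the total back into 4..PT_MAX_PIP1_MSG_SIZE and pass. Bounding the input before the addition closes that gap: `if (hid_cmd->write_length > PT_MAX_PIP1_MSG_SIZE) return -EPROTO;`. A short comment saying that the `< 4` arm appears to exist to catch wraparound would also help the next reader.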
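Review bot: The limit in `if (report_body_len > 247)` in _pt_request_pip2_send_cmd is a bare literal, and the identical check is repeated in the _pt_pip2_send_cmd_no_int hunk further down. Nothing in either hunk shows how 247 relates to the size of `write_buf` or to PT_MAX_PIP2_MSG_SIZE, so a later change to the buffer or the PIP2 framing can silently invalidate both guards. I would define it once, e.g. `#define PT_PIP2_MAX_REPORT_BODY_LEN 247 /* derivation: <document here> */` (the name is only a suggestion), and use it in both places. Both function bodies continue outside their hunks.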
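Review bot: The added bound `*actual_read_len < PT_MAX_PIP2_MSG_SIZE` in pt_pip1_read_data_block_ does not account for the copy starting at `&cd->response_buf[10]`, so a length just under the limit still reads ten bytes further into `response_buf` than the limit suggests. Whether that stays in bounds depends on the size of `response_buf`, which is not visible here; if it is an array member, `*actual_read_len <= sizeof(cd->response_buf) - 10` ties the check to the real buffer. It is also worth a comment on why a PIP1 routine is bounded by the PIP2 message size.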
@@ -3848,7 +3858,7 @@ static int pt_pip1_write_data_block_(struct pt_core_data *cd, u8 *security_key, u16 *actual_write_len) { /* row_number + write_len + ebid + security_key + crc */ - int full_write_length = 2 + 2 + 1 + write_length + 8 + 2; + u16 full_write_length = 2 + 2 + 1 + write_length + 8 + 2; u8 *full_write_buf; u8 cmd_offset = 0; u16 crc;
@@ -3862,6 +3872,9 @@ static int pt_pip1_write_data_block_(struct pt_core_data *cd, .timeout_ms = PT_PIP1_CMD_WRITE_CONF_BLOCK_TIMEOUT, }; + if (write_length > PT_CAL_DATA_ROW_SIZE) + return -EINVAL; + full_write_buf = kzalloc(full_write_length, GFP_KERNEL); if (!full_write_buf) return -ENOMEM;
@@ -4792,7 +4805,7 @@ static int pt_pip_calibrate_ext_(struct pt_core_data *cd, * When doing a calibration on a flashless DUT, save CAL data in * the TTDL cache on any successful calibration */ - if (*status == 0 && cd->cal_cache_in_host) { + if (cd->response_buf[5] == 0 && cd->cal_cache_in_host) { pt_debug(cd->dev, DL_INFO, "%s: Retrieve and Save CAL\n", __func__); rc = _pt_manage_local_cal_data(cd->dev, PT_CAL_DATA_SAVE,
@@ -6982,6 +6995,7 @@ static int _pt_request_hw_version(struct device *dev, char *hw_version) goto exit_error; } + memset(return_data, 0, ARRAY_SIZE(return_data)); /* For Parade TC or TT parts */ if (cd->active_dut_generation == DUT_PIP2_CAPABLE) { rc = _pt_request_pip2_send_cmd(dev,
@@ -8410,7 +8424,7 @@ static int pt_parse_input(struct pt_core_data *cd) pt_debug(cd->dev, DL_WARN, "%s: DUT - Empty buffer detected\n", __func__); return 0; - } else if (size > PT_MAX_INPUT) { + } else if (size > PT_MAX_INPUT || size < 0) { pt_debug(cd->dev, DL_ERROR, "%s: DUT - Unexpected len field in active bus data!\n", __func__);
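Review bot: Narrowing `full_write_length` to `u16` in pt_pip1_write_data_block_ means the initializer `2 + 2 + 1 + write_length + 8 + 2` is truncated when the sum exceeds 65535, where the old `int` held it exactly. The only thing that keeps `kzalloc(full_write_length, ...)` from being undersized is the `write_length > PT_CAL_DATA_ROW_SIZE` check added in the next hunk, and that check runs after the truncating initialization. Declaring the variable without an initializer and assigning it after the bound check, with a comment linking the two, would make the dependency explicit. The parameter list and the rest of the body are outside both hunks.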
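Review bot: `cd->response_buf[5]` in pt_pip_calibrate_ext_ is a bare offset with no comment, and the hunk does not show whether `rc` from the calibration command was checked before this line. If it was not, the byte may belong to an earlier response and a stale zero would trigger the CAL save. I would add `/* byte 5 of the response carries the calibration status; read here because status may be NULL */` (to be confirmed against the PIP response layout) and, if rc is not already tested above, write the condition as `rc == 0 && cd->response_buf[5] == 0 && cd->cal_cache_in_host`.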
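Review bot: `memset(return_data, 0, ARRAY_SIZE(return_data));` in _pt_request_hw_version passes an element count where memset expects a byte count. The two coincide only if `return_data` is a byte array; its declaration is outside the hunk, and with a wider element type only part of the buffer would be cleared before the response is parsed. `memset(return_data, 0, sizeof(return_data));` is correct for any element type.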
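Review bot: The added `size < 0` arm in pt_parse_input only does anything if `size` is a signed type; its declaration is outside the hunk. If it is unsigned the comparison is always false and a wrapped length is already rejected by `size > PT_MAX_INPUT`, so the new arm would be dead code. If it is signed, a comment naming where a negative length can come from would help, and the branch above that reports an empty buffer and returns 0 should be checked so a negative value cannot take it first.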
@@ -13613,7 +13627,7 @@ static ssize_t pt_pip2_cmd_rsp_store(struct device *dev, length = _pt_ic_parse_input_hex(dev, buf, size, input_data, PT_MAX_PIP2_MSG_SIZE); - if (length <= 0 || length > PT_MAX_PIP2_MSG_SIZE) { + if (length <= 0 || length > (PT_MAX_PIP2_MSG_SIZE - 2)) { pt_debug(dev, DL_ERROR, "%s: Invalid number of arguments\n", __func__); rc = -EINVAL;
@@ -16273,11 +16287,12 @@ exit: if (boot_err) *boot_err = last_err; - pt_debug(cd->dev, DL_INFO, "%s: %s=0x%02X, %s=0x%02X, %s=0x%02X\n", - __func__, - "Detected", detected, - "slave_irq_toggled", *slave_irq_toggled, - "slave_bus_toggled", *slave_bus_toggled); + if (slave_irq_toggled && slave_bus_toggled) + pt_debug(cd->dev, DL_INFO, "%s: %s=0x%02X, %s=0x%02X, %s=0x%02X\n", + __func__, + "Detected", detected, + "slave_irq_toggled", *slave_irq_toggled, + "slave_bus_toggled", *slave_bus_toggled); return rc; }
diff --git a/pt/pt_device_access.c b/pt/pt_device_access.c
index 80da0c98d8..8cb915231e 100644
--- a/pt/pt_device_access.c
+++ b/pt/pt_device_access.c
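Review bot: The `- 2` in `length > (PT_MAX_PIP2_MSG_SIZE - 2)` in pt_pip2_cmd_rsp_store is unexplained, while the parser call just above is still given the full PT_MAX_PIP2_MSG_SIZE as its limit. A comment saying which two bytes are being reserved would let a reader confirm the bound matches the later write; the code that consumes `input_data` is outside the hunk. Something like `/* leave room for the 2 bytes added when the command is framed */` would do, once that is verified.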
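Review bot: The NULL guard added at the `exit:` label in pt_core.c protects only the debug print, so any store through `slave_irq_toggled` or `slave_bus_toggled` earlier in the function (outside this hunk) still needs the same test. The guard also drops the `Detected` value from the log whenever either pointer is NULL, which loses the one field that does not depend on them. Since the guarded call spans five lines, braces around it would make the extent of the `if` obvious.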
@@ -1238,27 +1238,27 @@ static int pt_get_cmcp_info(struct pt_device_access_data *dad, } cm_ave_data_panel /= (tx_num * rx_num); cmcp_info->cm_ave_data_panel = cm_ave_data_panel; - } - /* Calculate gradient panel sensor column/row here */ - calculate_gd_info(gd_sensor_col, gd_sensor_row, tx_num, rx_num, - cm_data_panel, 1, 1); - for (i = 0; i < tx_num; i++) { - pt_debug(dev, DL_DEBUG, - "i=%d max=%d,min=%d,ave=%d, gradient=%d", i, - gd_sensor_col[i].cm_max, - gd_sensor_col[i].cm_min, - gd_sensor_col[i].cm_ave, - gd_sensor_col[i].gradient_val); - } + /* Calculate gradient panel sensor column/row here */ + calculate_gd_info(gd_sensor_col, gd_sensor_row, tx_num, rx_num, + cm_data_panel, 1, 1); + for (i = 0; i < tx_num; i++) { + pt_debug(dev, DL_DEBUG, + "i=%d max=%d,min=%d,ave=%d, gradient=%d", i, + gd_sensor_col[i].cm_max, + gd_sensor_col[i].cm_min, + gd_sensor_col[i].cm_ave, + gd_sensor_col[i].gradient_val); + } - for (i = 0; i < rx_num; i++) { - pt_debug(dev, DL_DEBUG, - "i=%d max=%d,min=%d,ave=%d, gradient=%d", i, - gd_sensor_row[i].cm_max, - gd_sensor_row[i].cm_min, - gd_sensor_row[i].cm_ave, - gd_sensor_row[i].gradient_val); + for (i = 0; i < rx_num; i++) { + pt_debug(dev, DL_DEBUG, + "i=%d max=%d,min=%d,ave=%d, gradient=%d", i, + gd_sensor_row[i].cm_max, + gd_sensor_row[i].cm_min, + gd_sensor_row[i].cm_ave, + gd_sensor_row[i].gradient_val); + } } /*Get cp data*/ 
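Review bot: The context line `cm_ave_data_panel /= (tx_num * rx_num);` in pt_get_cmcp_info divides without any zero check visible in this hunk, and the two delta computations that the next two hunks move inside their NULL guards divide by `cp_tx_ave_data_panel` and `cp_rx_ave_data_panel` the same way. A zero divisor in kernel context is a fault, and these values appear to be derived from panel data. Each division could be guarded, e.g. `if (cp_tx_ave_data_panel != 0)` around the tx delta, with the field set to a defined value otherwise. After this change `cp_sensor_tx_delta` and `cp_sensor_rx_delta` are also left unwritten when the corresponding panel pointer is NULL, so their value then depends on how `cmcp_info` was initialised, which is not visible here.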
@@ -1294,12 +1294,12 @@ static int pt_get_cmcp_info(struct pt_device_access_data *dad, pt_debug(dev, DL_DEBUG, "cp_tx_cal_data_panel[%d]=%d\n", i, cp_tx_cal_data_panel[i]); } - } - /*get cp_sensor_tx_delta,using the first sensor cal value for temp */ - /*multiple 1000 to increase accuracy*/ - cmcp_info->cp_sensor_tx_delta = ABS((cp_tx_cal_data_panel[0] - - cp_tx_ave_data_panel) * 1000 / cp_tx_ave_data_panel); + /*get cp_sensor_tx_delta,using the first sensor cal value for temp */ + /*multiple 1000 to increase accuracy*/ + cmcp_info->cp_sensor_tx_delta = ABS((cp_tx_cal_data_panel[0] + - cp_tx_ave_data_panel) * 1000 / cp_tx_ave_data_panel); + } /*Get cp_rx_data_panel*/ if (cp_rx_data_panel != NULL) {
@@ -1327,12 +1327,12 @@ static int pt_get_cmcp_info(struct pt_device_access_data *dad, "cp_rx_cal_data_panel[%d]=%d\n", i, cp_rx_cal_data_panel[i]); } - } - /*get cp_sensor_rx_delta,using the first sensor cal value for temp */ - /*multiple 1000 to increase accuracy*/ - cmcp_info->cp_sensor_rx_delta = ABS((cp_rx_cal_data_panel[0] - - cp_rx_ave_data_panel) * 1000 / cp_rx_ave_data_panel); + /*get cp_sensor_rx_delta,using the first sensor cal value for temp */ + /*multiple 1000 to increase accuracy*/ + cmcp_info->cp_sensor_rx_delta = ABS((cp_rx_cal_data_panel[0] + - cp_rx_ave_data_panel) * 1000 / cp_rx_ave_data_panel); + } if (btn_num == 0) { pt_debug(dev, DL_INFO, "%s: Skip Button Test\n", __func__);
@@ -2101,9 +2101,9 @@ int save_engineering_data(struct device *dev, char *out_buf, int index, { int i; int j; - int tx_num = cmcp_info->tx_num; - int rx_num = cmcp_info->rx_num; - int btn_num = cmcp_info->btn_num; + int tx_num = 0; + int rx_num = 0; + int btn_num = 0; int tmp = 0; uint32_t fw_revision_control; uint32_t fw_config_ver;
@@ -2111,6 +2111,13 @@ int save_engineering_data(struct device *dev, char *out_buf, int index, struct pt_device_access_data *dad = pt_get_device_access_data(dev); + if ((result == NULL) || (cmcp_info == NULL)) + return -EINVAL; + + tx_num = cmcp_info->tx_num; + rx_num = cmcp_info->rx_num; + btn_num = cmcp_info->btn_num; + fw_revision_control = dad->si->ttdata.revctrl; fw_config_ver = dad->si->ttdata.fw_ver_conf; /*calculate silicon id*/
@@ -2950,12 +2957,18 @@ int result_save(struct device *dev, char *buf, int byte_left; out_buf = kzalloc(MAX_BUF_LEN, GFP_KERNEL); - if (configuration == NULL) + if (configuration == NULL) { pt_debug(dev, DL_WARN, "config is NULL"); - if (result == NULL) + return -ENOMEM; + } + if (result == NULL) { pt_debug(dev, DL_WARN, "result is NULL"); - if (cmcp_info == NULL) + return -ENOMEM; + } + if (cmcp_info == NULL) { pt_debug(dev, DL_WARN, "cmcp_info is NULL"); + return -ENOMEM; + } index = save_header(out_buf, index, result); index = save_engineering_data(dev, out_buf, index,
@@ -3292,7 +3305,8 @@ int cmcp_return_one_value(struct device *dev, const char *buf, u32 *offset, } } else { /* Multiple line: line count */ - *line_num = line_count; + if (line_num) + *line_num = line_count; /* Reset for next case */ line_count = 1; }
diff --git a/pt/pt_devtree.c b/pt/pt_devtree.c
index 9b6261a0cf..aa54f65510 100644
--- a/pt/pt_devtree.c
+++ b/pt/pt_devtree.c
@@ -1106,8 +1106,8 @@ int pt_devtree_clean_pdata(struct device *adap_dev) pdata = dev_get_platdata(adap_dev); set_pdata_ptr(pdata); + free_core_pdata(pdata->core_pdata); for_each_child_of_node(adap_dev->of_node, core_node) { - free_core_pdata(pdata->core_pdata); of_node_put(core_node); for_each_child_of_node(core_node, dev_node) { rc = get_device_type(dev_node, &type);
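Review bot: save_engineering_data now returns `-EINVAL` on a NULL argument, but the visible caller in result_save assigns the return value straight back to its buffer offset (`index = save_engineering_data(dev, out_buf, index,` ...). If later save steps use that negative `index` as an offset into `out_buf`, they would write before the start of the allocation. Either return the unchanged `index` on invalid input, or have the caller test `index < 0` before continuing. `dad` is also dereferenced right after the new check without a NULL test in this hunk.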
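Review bot: The three early returns added to result_save leak `out_buf`, which is allocated by the `kzalloc` on the line just above them. The same hunk shows `out_buf` passed to `save_header` with no NULL check in between, and `-ENOMEM` is a misleading code for a missing argument. Validating the arguments before allocating fixes all three; the result and cmcp_info checks follow the same shape as the configuration one shown below. The function continues outside the hunk, so its exit path should be checked for a matching `kfree`.
```c
	/* Reject missing inputs before allocating, so no return leaks out_buf */
	if (configuration == NULL) {
		pt_debug(dev, DL_WARN, "config is NULL");
		return -EINVAL;
	}
	/* … unchanged apart from -EINVAL: result and cmcp_info checks … */

	out_buf = kzalloc(MAX_BUF_LEN, GFP_KERNEL);
	if (!out_buf)
		return -ENOMEM;

	index = save_header(out_buf, index, result);
```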
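Review bot: In pt_devtree_clean_pdata the context line `of_node_put(core_node);` sits inside `for_each_child_of_node(adap_dev->of_node, core_node)`, which already drops the reference on the current child when it advances, and `core_node` is then used as the parent of the inner loop. Unless the body breaks out of the loop further down (the rest is outside the hunk), that is one put too many per child. Separately, the hoisted `free_core_pdata(pdata->core_pdata);` dereferences `pdata` from `dev_get_platdata()` with no NULL test visible. An `if (!pdata)` early return before it, and `pdata->core_pdata = NULL;` after it if free_core_pdata does not already clear the pointer, would make repeated cleanup safe.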