
qcacmn: Check pointer tbuffer always before access it

Pointer tbuffer is either allocated from the heap or obtained from another
module; it is checked in some if branches, but not in every branch where it may be NULL.

Adding NULL check of tbuffer in every possible branch.

Change-Id: Id3c9f941623995ff73a993e29c53f3b9ce66f10e
CRs-Fixed: 2064350
Will Huang 7 years ago
parent
commit
82e91e0541
1 changed files with 19 additions and 6 deletions
  1. 19 6
      hif/src/sdio/native_sdio/src/hif.c

+ 19 - 6
hif/src/sdio/native_sdio/src/hif.c

@@ -339,7 +339,7 @@ __hif_read_write(struct hif_sdio_dev *device,
 {
 	uint8_t opcode;
 	QDF_STATUS status = QDF_STATUS_SUCCESS;
-	int ret;
+	int ret = A_OK;
 	uint8_t *tbuffer;
 	bool bounced = false;
 
@@ -484,7 +484,7 @@ __hif_read_write(struct hif_sdio_dev *device,
 					("%s: writesb ret=%d address: 0x%X, len: %d, 0x%X\n",
 					 __func__, ret, address, length,
 					 *(int *)tbuffer));
-			} else {
+			} else if (tbuffer) {
 				ret =
 					sdio_memcpy_toio(device->func, address,
 							 tbuffer, length);
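Review bot: When `tbuffer` is NULL the new `else if (tbuffer)` skips the transfer but leaves `ret` at its initial `A_OK`, so the later `if (ret)` check does not fire and the request appears to succeed without any I/O having happened. The read path has the same gap at the `} else if (tbuffer) {` in front of `sdio_memcpy_fromio`, where the caller would then consume a buffer that was never filled. A NULL buffer should be rejected explicitly, for example with a trailing `else { status = QDF_STATUS_E_INVAL; return status; }` on both chains, or with one check right after `tbuffer` is assigned. That assignment and the end of `__hif_read_write` are outside this hunk, so confirm how `status` is derived from `ret` on exit.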
@@ -522,7 +522,7 @@ __hif_read_write(struct hif_sdio_dev *device,
 					("%s: readsb ret=%d address: 0x%X, len: %d, 0x%X\n",
 					 __func__, ret, address, length,
 					 *(int *)tbuffer));
-			} else {
+			} else if (tbuffer) {
 				ret =
 					sdio_memcpy_fromio(device->func,
 							   tbuffer,
@@ -533,7 +533,7 @@ __hif_read_write(struct hif_sdio_dev *device,
 					 *(int *)tbuffer));
 			}
 #if HIF_USE_DMA_BOUNCE_BUFFER
-			if (bounced)
+			if (bounced && tbuffer)
 				memcpy(buffer, tbuffer, length);
 #endif
 		} else {
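Review bot: The copy-back `memcpy(buffer, tbuffer, length)` still runs before `ret` is examined, so after a failed read the caller's buffer is filled with whatever the bounce buffer held, possibly data left over from an earlier transfer. Gating it on success as well, `if (bounced && tbuffer && !ret)`, keeps stale contents out of the caller's buffer. The added `tbuffer` test looks redundant if `bounced` is only set after `tbuffer` has been pointed at the DMA buffer, but that assignment is outside the hunk.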
@@ -541,7 +541,7 @@ __hif_read_write(struct hif_sdio_dev *device,
 					("%s: Invalid direction: 0x%08x\n",
 					 __func__, request));
 			status = QDF_STATUS_E_INVAL;
-			break;
+			return status;
 		}
 
 		if (ret) {
@@ -2388,6 +2388,10 @@ int hif_device_resume(struct device *dev)
 	struct hif_sdio_dev *device;
 
 	device = get_hif_device(func);
+	if (!device) {
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("get hif device failed\n"));
+		return QDF_STATUS_E_FAILURE;
+	}
 
 	if (device->device_state == HIF_DEVICE_STATE_CUTPOWER) {
 		config = HIF_DEVICE_POWER_UP;
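Review bot: The new early exit returns `QDF_STATUS_E_FAILURE` from a function declared `int hif_device_resume(struct device *dev)`, which mixes a QDF_STATUS enum value into what looks like an OS-style return code. If this is registered as a power-management resume callback, the caller expects 0 or a negative errno, so a positive enum value may be misread. Prefer `return -ENODEV;` here, or convert the status the same way the function's normal exit does; that exit is outside the hunk.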
@@ -2419,7 +2423,7 @@ int hif_device_resume(struct device *dev)
 	AR_DEBUG_PRINTF(ATH_DEBUG_TRACE,
 			("%s: +hif_device_resume\n",
 			 __func__));
-	if (device && device->claimed_ctx
+	if (device->claimed_ctx
 	    && osdrv_callbacks.device_suspend_handler) {
 		status =
 		osdrv_callbacks.device_resume_handler(device->claimed_ctx);
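Review bot: The condition being edited tests `osdrv_callbacks.device_suspend_handler` but the body calls `osdrv_callbacks.device_resume_handler`, so a driver that registers only a suspend handler would have a NULL function pointer called on resume. Since this commit is about NULL checks and already touches the line, the guard should test the pointer that is actually invoked: `&& osdrv_callbacks.device_resume_handler) {`. The rest of `hif_device_resume` is outside the hunk.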
@@ -2543,9 +2547,18 @@ static struct hif_sdio_dev *add_hif_device(struct sdio_func *func)
 	hifdevice = (struct hif_sdio_dev *) qdf_mem_malloc(sizeof(
 							struct hif_sdio_dev));
 	AR_DEBUG_ASSERT(hifdevice != NULL);
+	if (hifdevice == NULL) {
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("Alloc hif device fail\n"));
+		return NULL;
+	}
 #if HIF_USE_DMA_BOUNCE_BUFFER
 	hifdevice->dma_buffer = qdf_mem_malloc(HIF_DMA_BUFFER_SIZE);
 	AR_DEBUG_ASSERT(hifdevice->dma_buffer != NULL);
+	if (hifdevice->dma_buffer == NULL) {
+		qdf_mem_free(hifdevice);
+		AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("Alloc dma buffer fail\n"));
+		return NULL;
+	}
 #endif
 	hifdevice->func = func;
 	hifdevice->power_config = HIF_DEVICE_POWER_UP;
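Review bot: Both `AR_DEBUG_ASSERT(... != NULL)` lines are left in front of the new NULL checks, so in builds where the assert is fatal the graceful error paths are never reached and an allocation failure still stops the driver. Drop the two asserts now that the failure is handled, and add a short comment such as `/* returns NULL on allocation failure; caller must check */` above `add_hif_device`. The callers are not visible here, so it is worth confirming that each one tests the result before dereferencing it.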