samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Código Incidencias Pull Requests Acciones Paquetes Proyectos Lanzamientos Wiki Actividad

qcacmn: Check pointer tbuffer always before access it

Explorar el Código 
Pointer tbuffer is allocated from heap or get from other module, it
is checked in some if branch but not every possible NULL branch.

Adding NULL check of tbuffer in every possible branch.

Change-Id: Id3c9f941623995ff73a993e29c53f3b9ce66f10e
CRs-Fixed: 2064350
Este commit está contenido en:
Will Huang
2017-06-26 10:55:16 +08:00
cometido por snandini
padre 0efe289db5
commit 82e91e0541
Se han modificado 1 ficheros con 19 adiciones y 6 borrados
Descargar archivo de parche Descargar archivo de diferencias Expandir todos los archivos Contraer todos los archivos

25
hif/src/sdio/native_sdio/src/hif.c
Ver fichero

@@ -339,7 +339,7 @@ __hif_read_write(struct hif_sdio_dev *device,
{
uint8_t opcode;
QDF_STATUS status = QDF_STATUS_SUCCESS;
int ret;
int ret = A_OK;
uint8_t *tbuffer;
bool bounced = false;
@@ -484,7 +484,7 @@ __hif_read_write(struct hif_sdio_dev *device,
("%s: writesb ret=%d address: 0x%X, len: %d, 0x%X\n",
__func__, ret, address, length,
*(int *)tbuffer));
} else {
} else if (tbuffer) {
ret =
sdio_memcpy_toio(device->func, address,
tbuffer, length);
@@ -522,7 +522,7 @@ __hif_read_write(struct hif_sdio_dev *device,
("%s: readsb ret=%d address: 0x%X, len: %d, 0x%X\n",
__func__, ret, address, length,
*(int *)tbuffer));
} else {
} else if (tbuffer) {
ret =
sdio_memcpy_fromio(device->func,
tbuffer,
@@ -533,7 +533,7 @@ __hif_read_write(struct hif_sdio_dev *device,
*(int *)tbuffer));
}
#if HIF_USE_DMA_BOUNCE_BUFFER
if (bounced)
if (bounced && tbuffer)
memcpy(buffer, tbuffer, length);
#endif
} else {
@@ -541,7 +541,7 @@ __hif_read_write(struct hif_sdio_dev *device,
("%s: Invalid direction: 0x%08x\n",
__func__, request));
status = QDF_STATUS_E_INVAL;
break;
return status;
}
if (ret) {
@@ -2388,6 +2388,10 @@ int hif_device_resume(struct device *dev)
struct hif_sdio_dev *device;
device = get_hif_device(func);
if (!device) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("get hif device failed\n"));
return QDF_STATUS_E_FAILURE;
}
if (device->device_state == HIF_DEVICE_STATE_CUTPOWER) {
config = HIF_DEVICE_POWER_UP;
@@ -2419,7 +2423,7 @@ int hif_device_resume(struct device *dev)
AR_DEBUG_PRINTF(ATH_DEBUG_TRACE,
("%s: +hif_device_resume\n",
__func__));
if (device && device->claimed_ctx
if (device->claimed_ctx
&& osdrv_callbacks.device_suspend_handler) {
status =
osdrv_callbacks.device_resume_handler(device->claimed_ctx);
@@ -2543,9 +2547,18 @@ static struct hif_sdio_dev *add_hif_device(struct sdio_func *func)
hifdevice = (struct hif_sdio_dev *) qdf_mem_malloc(sizeof(
struct hif_sdio_dev));
AR_DEBUG_ASSERT(hifdevice != NULL);
if (hifdevice == NULL) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("Alloc hif device fail\n"));
return NULL;
}
#if HIF_USE_DMA_BOUNCE_BUFFER
hifdevice->dma_buffer = qdf_mem_malloc(HIF_DMA_BUFFER_SIZE);
AR_DEBUG_ASSERT(hifdevice->dma_buffer != NULL);
if (hifdevice->dma_buffer == NULL) {
qdf_mem_free(hifdevice);
AR_DEBUG_PRINTF(ATH_DEBUG_ERROR, ("Alloc dma buffer fail\n"));
return NULL;
}
#endif
hifdevice->func = func;
hifdevice->power_config = HIF_DEVICE_POWER_UP;