qcacmn: Fix static code analysis issues in DP
In dp_srng_init, max_buffer_length and prefetch_timer are used while uninitialized. In dp_bucket_index, overrunning array cdp_sw_enq_delay leads to out-of-bounds access. In dp_rx_defrag_fraglist_insert, cur is NULL checked first, but it is then reassigned from qdf_nbuf_next and accessed without a NULL check. Thus do a NULL check again before dereferencing cur to avoid a potential NULL pointer dereference. In htt_t2h_stats_handler, soc could be NULL while cmn_init_done is dereferenced. Fix this by NULL checking soc first and only then dereferencing cmn_init_done. Change-Id: Ie6a33347d34862f30ba04a10096d3892af7571d3 CRs-Fixed: 2751573
@@ -2103,10 +2103,16 @@ void htt_t2h_stats_handler(void *context)
|
||||
uint8_t done;
|
||||
uint32_t rem_stats;
|
||||
|
||||
if (!soc || !qdf_atomic_read(&soc->cmn_init_done)) {
|
||||
if (!soc) {
|
||||
QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
|
||||
"soc: 0x%pK, init_done: %d", soc,
|
||||
qdf_atomic_read(&soc->cmn_init_done));
|
||||
"soc is NULL");
|
||||
return;
|
||||
}
|
||||
|
||||
if (!qdf_atomic_read(&soc->cmn_init_done)) {
|
||||
QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
|
||||
"soc: 0x%pK, init_done: %d", soc,
|
||||
qdf_atomic_read(&soc->cmn_init_done));
|
||||
return;
|
||||
}
|
||||
|
||||
|
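Review bot: In the second guard the trace call reads `cmn_init_done` a second time instead of logging the value that was just tested, so the message can print a non-zero `init_done` if initialisation completes between the two reads, and the log then contradicts the early return. Reading it once into a local before the `if`, e.g. `init_done = qdf_atomic_read(&soc->cmn_init_done);`, and passing that local to QDF_TRACE keeps the check and the log consistent. The body of htt_t2h_stats_handler continues outside the hunk.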
@@ -1460,7 +1460,7 @@ static QDF_STATUS dp_srng_init(struct dp_soc *soc, struct dp_srng *srng,
|
||||
/* memset the srng ring to zero */
|
||||
qdf_mem_zero(srng->base_vaddr_unaligned, srng->alloc_size);
|
||||
|
||||
ring_params.flags = 0;
|
||||
qdf_mem_zero(&ring_params, sizeof(struct hal_srng_params));
|
||||
ring_params.ring_base_paddr = srng->base_paddr_aligned;
|
||||
ring_params.ring_base_vaddr = srng->base_vaddr_aligned;
|
||||
|
||||
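Review bot: The size passed to `qdf_mem_zero` names the type rather than the object; `qdf_mem_zero(&ring_params, sizeof(ring_params));` stays correct if the declaration of `ring_params` ever changes. The declaration is outside the hunk, so this assumes it is a plain `struct hal_srng_params` local. A short comment such as `/* clear every field so unset ones (max_buffer_length, prefetch_timer) are never read uninitialised */` would record why the whole struct is zeroed rather than only `flags`.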
@@ -11700,7 +11700,7 @@ static uint8_t dp_bucket_index(uint32_t delay, uint16_t *array)
|
||||
{
|
||||
uint8_t i = CDP_DELAY_BUCKET_0;
|
||||
|
||||
for (; i < CDP_DELAY_BUCKET_MAX; i++) {
|
||||
for (; i < CDP_DELAY_BUCKET_MAX - 1; i++) {
|
||||
if (delay >= array[i] && delay <= array[i + 1])
|
||||
return i;
|
||||
}
|
||||
|
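Review bot: The new bound `CDP_DELAY_BUCKET_MAX - 1` is safe only if every table passed as `array` holds at least CDP_DELAY_BUCKET_MAX entries, and the `uint16_t *array` parameter carries no length that could confirm this. The precondition should be documented above dp_bucket_index, for example `/* array must have CDP_DELAY_BUCKET_MAX entries; array[i + 1] is read for i up to CDP_DELAY_BUCKET_MAX - 2 */`, and ideally enforced with a compile-time size check where the delay tables are defined. The value returned when no range matches is outside the hunk, so it is worth confirming that it is still a valid bucket index for the callers' counters.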
@@ -363,10 +363,12 @@ static QDF_STATUS dp_rx_defrag_fraglist_insert(struct dp_peer *peer, unsigned ti
|
||||
while ((cur_fragno > head_fragno) && cur) {
|
||||
prev = cur;
|
||||
cur = qdf_nbuf_next(cur);
|
||||
rx_desc_info = qdf_nbuf_data(cur);
|
||||
head_fragno =
|
||||
dp_rx_frag_get_mpdu_frag_number(
|
||||
if (cur) {
|
||||
rx_desc_info = qdf_nbuf_data(cur);
|
||||
head_fragno =
|
||||
dp_rx_frag_get_mpdu_frag_number(
|
||||
rx_desc_info);
|
||||
}
|
||||
}
|
||||
|
||||
if (cur_fragno == head_fragno) {
|
||||
|
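Review bot: When `qdf_nbuf_next(cur)` returns NULL inside the loop, `head_fragno` keeps the previous fragment's number, and the `if (cur_fragno == head_fragno)` test after the loop then runs against that stale value. It appears to work only because the stale value is still smaller than `cur_fragno`, which is easy to break in a later edit. Fragment numbers come from received frames, so the list-end case deserves an explicit exit such as `if (!cur) break;` directly after the assignment, with a comment like `/* reached list tail: insert after prev */`. The code after the comparison is outside the hunk, so it should be confirmed that the tail-insert path never dereferences `cur`.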