
qcacmn: Fix static code analysis issues in DP

In dp_srng_init, max_buffer_length and prefetch_timer are used
while uninitialized.

In dp_bucket_index, overrunning array cdp_sw_enq_delay leads to
out-of-bounds access.

In dp_rx_defrag_fraglist_insert, cur is first NULL checked but
cur is again set to qdf_nbuf_next and is accessed without
NULL check. Thus do a NULL check again before dereferencing
cur to avoid potential NULL pointer dereference.

In htt_t2h_stats_handler, soc could be NULL when cmn_init_done
is dereferenced. Fix this by NULL-checking soc first and only
then dereferencing cmn_init_done.

Change-Id: Ie6a33347d34862f30ba04a10096d3892af7571d3
CRs-Fixed: 2751573
Jia Ding 4 年之前
父节点
当前提交
c07761e4cc
共有 3 个文件被更改,包括 16 次插入8 次删除
  1. 9 3
      dp/wifi3.0/dp_htt.c
  2. 2 2
      dp/wifi3.0/dp_main.c
  3. 5 3
      dp/wifi3.0/dp_rx_defrag.c

+ 9 - 3
dp/wifi3.0/dp_htt.c

@@ -2103,10 +2103,16 @@ void htt_t2h_stats_handler(void *context)
 	uint8_t done;
 	uint32_t rem_stats;
 
-	if (!soc || !qdf_atomic_read(&soc->cmn_init_done)) {
+	if (!soc) {
 		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
-			"soc: 0x%pK, init_done: %d", soc,
-			qdf_atomic_read(&soc->cmn_init_done));
+			  "soc is NULL");
+		return;
+	}
+
+	if (!qdf_atomic_read(&soc->cmn_init_done)) {
+		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
+			  "soc: 0x%pK, init_done: %d", soc,
+			  qdf_atomic_read(&soc->cmn_init_done));
 		return;
 	}
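Review bot: The second guard re-reads cmn_init_done inside the QDF_TRACE after the value has already been tested, so the logged `init_done` is a separate atomic read and is not guaranteed to be the value that triggered the early return. Capture it once: `int init_done = qdf_atomic_read(&soc->cmn_init_done);` and then `if (!init_done) { QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, "soc: 0x%pK, init_done: %d", soc, init_done); return; }`. That also removes a second atomic access on a path whose only job is to log and bail out. htt_t2h_stats_handler starts before the hunk and its body continues past it, so the rest of the function is not covered here.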
 

+ 2 - 2
dp/wifi3.0/dp_main.c

@@ -1460,7 +1460,7 @@ static QDF_STATUS dp_srng_init(struct dp_soc *soc, struct dp_srng *srng,
 	/* memset the srng ring to zero */
 	qdf_mem_zero(srng->base_vaddr_unaligned, srng->alloc_size);
 
-	ring_params.flags = 0;
+	qdf_mem_zero(&ring_params, sizeof(struct hal_srng_params));
 	ring_params.ring_base_paddr = srng->base_paddr_aligned;
 	ring_params.ring_base_vaddr = srng->base_vaddr_aligned;
 
@@ -11700,7 +11700,7 @@ static uint8_t dp_bucket_index(uint32_t delay, uint16_t *array)
 {
 	uint8_t i = CDP_DELAY_BUCKET_0;
 
-	for (; i < CDP_DELAY_BUCKET_MAX; i++) {
+	for (; i < CDP_DELAY_BUCKET_MAX - 1; i++) {
 		if (delay >= array[i] && delay <= array[i + 1])
 			return i;
 	}
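Review bot: dp_bucket_index now reads `array[i + 1]` for i up to CDP_DELAY_BUCKET_MAX - 2, which stays in bounds only because every caller passes a table of at least CDP_DELAY_BUCKET_MAX entries, and nothing in the signature (`uint16_t *array`) records that precondition. Add a header comment above the function, `/* @array: bucket boundary table with at least CDP_DELAY_BUCKET_MAX entries; bucket i covers [array[i], array[i + 1]] */`, so a future caller with a shorter table does not reintroduce the overrun the commit just removed. Note also that a delay equal to a boundary value matches the lower bucket first, which appears intentional but is worth stating in the same comment. The value returned when delay exceeds the last boundary is decided after the loop, outside this hunk.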

+ 5 - 3
dp/wifi3.0/dp_rx_defrag.c

@@ -363,10 +363,12 @@ static QDF_STATUS dp_rx_defrag_fraglist_insert(struct dp_peer *peer, unsigned ti
 			while ((cur_fragno > head_fragno) && cur) {
 				prev = cur;
 				cur = qdf_nbuf_next(cur);
-				rx_desc_info = qdf_nbuf_data(cur);
-				head_fragno =
-					dp_rx_frag_get_mpdu_frag_number(
+				if (cur) {
+					rx_desc_info = qdf_nbuf_data(cur);
+					head_fragno =
+						dp_rx_frag_get_mpdu_frag_number(
 								rx_desc_info);
+				}
 			}
 
 			if (cur_fragno == head_fragno) {
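Review bot: When qdf_nbuf_next() returns NULL, the new `if (cur)` skips the update and head_fragno silently keeps prev's fragment number, so the loop terminates only through the `&& cur` test in the while condition and the following `cur_fragno == head_fragno` comparison runs against a stale value; that is correct here only because cur_fragno > head_fragno held on entry, which is easy to miss. An explicit exit reads more directly: replace the `if (cur) { ... }` wrapper with `if (!cur) break; /* reached list tail: insert after prev */` followed by the two existing assignments unwrapped. The enclosing function begins before the hunk and the insertion logic after `if (cur_fragno == head_fragno)` lies outside it, so the tail-insert path itself is not reviewed here.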