
Commit 24e9afb7 authored by Jia Ding's avatar Jia Ding Committed by snandini

qcacmn: Fix static code analysis issues in DP

In dp_srng_init, max_buffer_length and prefetch_timer are used
while uninitialized.

In dp_bucket_index, overrunning array cdp_sw_enq_delay leads to
out-of-bounds access.

In dp_rx_defrag_fraglist_insert, cur is first NULL checked but
cur is again set to qdf_nbuf_next and is accessed without
NULL check. Thus do a NULL check again before dereferencing
cur to avoid potential NULL pointer dereference.

In htt_t2h_stats_handler, soc could be NULL while cmn_init_done
is dereferenced. Thus fix it by NULL check soc first and then
dereference cmn_init_done.

Change-Id: Ie6a33347d34862f30ba04a10096d3892af7571d3
CRs-Fixed: 2751573
parent fcd395b7
+9 −3
@@ -1986,7 +1986,13 @@ void htt_t2h_stats_handler(void *context)
	uint8_t done;
	uint8_t done;
	uint32_t rem_stats;
	uint32_t rem_stats;


	if (!soc || !qdf_atomic_read(&soc->cmn_init_done)) {
	if (!soc) {
		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
			  "soc is NULL");
		return;
	}

	if (!qdf_atomic_read(&soc->cmn_init_done)) {
		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
			  "soc: 0x%pK, init_done: %d", soc,
			  "soc: 0x%pK, init_done: %d", soc,
			  qdf_atomic_read(&soc->cmn_init_done));
			  qdf_atomic_read(&soc->cmn_init_done));
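Review bot: The trace inside the second guard reads `soc->cmn_init_done` again, so the value it prints is not necessarily the one that made the branch fire; if initialisation completes between the two reads, the log shows `init_done: 1` for a stats event that was dropped. Reading the flag once into a local before the test, e.g. `init_done = qdf_atomic_read(&soc->cmn_init_done);` followed by `if (!init_done) {`, and passing that local to QDF_TRACE keeps the log consistent with the decision taken. The body of htt_t2h_stats_handler starts and continues outside this hunk, so the declaration of the local and the way `soc` is derived from `context` are not visible here.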
+2 −2
@@ -1513,7 +1513,7 @@ static int dp_srng_setup(struct dp_soc *soc, struct dp_srng *srng,
	/* TODO: Currently hal layer takes care of endianness related settings.
	/* TODO: Currently hal layer takes care of endianness related settings.
	 * See if these settings need to passed from DP layer
	 * See if these settings need to passed from DP layer
	 */
	 */
	ring_params.flags = 0;
	qdf_mem_zero(&ring_params, sizeof(struct hal_srng_params));


	num_entries = (num_entries > max_entries) ? max_entries : num_entries;
	num_entries = (num_entries > max_entries) ? max_entries : num_entries;
	srng->hal_srng = NULL;
	srng->hal_srng = NULL;
@@ -11837,7 +11837,7 @@ static uint8_t dp_bucket_index(uint32_t delay, uint16_t *array)
{
{
	uint8_t i = CDP_DELAY_BUCKET_0;
	uint8_t i = CDP_DELAY_BUCKET_0;


	for (; i < CDP_DELAY_BUCKET_MAX; i++) {
	for (; i < CDP_DELAY_BUCKET_MAX - 1; i++) {
		if (delay >= array[i] && delay <= array[i + 1])
		if (delay >= array[i] && delay <= array[i + 1])
			return i;
			return i;
	}
	}
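Review bot: In dp_bucket_index the new bound `i < CDP_DELAY_BUCKET_MAX - 1` keeps `array[i + 1]` in range only if every table passed in has at least CDP_DELAY_BUCKET_MAX entries, and nothing in the `uint16_t *array` signature states or enforces that. I would record the contract in a comment above the function, e.g. `/* array must have at least CDP_DELAY_BUCKET_MAX entries */`, and a compile-time size check next to the table definitions would catch a table that is shortened later. The return taken when no bucket matches lies outside the hunk, so whether that value stays inside the range callers index with cannot be confirmed from here.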
+5 −3
@@ -362,11 +362,13 @@ static QDF_STATUS dp_rx_defrag_fraglist_insert(struct dp_peer *peer, unsigned ti
			while ((cur_fragno > head_fragno) && cur) {
			while ((cur_fragno > head_fragno) && cur) {
				prev = cur;
				prev = cur;
				cur = qdf_nbuf_next(cur);
				cur = qdf_nbuf_next(cur);
				if (cur) {
					rx_desc_info = qdf_nbuf_data(cur);
					rx_desc_info = qdf_nbuf_data(cur);
					head_fragno =
					head_fragno =
						dp_rx_frag_get_mpdu_frag_number(
						dp_rx_frag_get_mpdu_frag_number(
								rx_desc_info);
								rx_desc_info);
				}
				}
			}


			if (cur_fragno == head_fragno) {
			if (cur_fragno == head_fragno) {
				qdf_nbuf_free(frag);
				qdf_nbuf_free(frag);
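Review bot: When the walk reaches the end of the list, `cur` becomes NULL and `head_fragno` keeps the number of the last node, so the `cur_fragno == head_fragno` test after the loop is evaluated against a stale value. It is still false in that case only because `cur_fragno > head_fragno` held on the last pass, and that invariant is what stops a fragment destined for the tail from being treated as a duplicate and freed. It deserves a comment on the `if (cur) {` line, e.g. `/* end of list: head_fragno keeps the last node's number, so frag is not seen as a duplicate */`. Whatever follows the duplicate check, presumably the code that links `frag` between `prev` and `cur`, is outside this hunk, so its handling of a NULL `cur` cannot be checked from here.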