diff options
| author | Vidyakumar Athota <vathota@codeaurora.org> | 2016-03-03 10:05:09 -0800 |
|---|---|---|
| committer | Jeevan Shriram <jshriram@codeaurora.org> | 2016-05-06 12:06:20 -0700 |
| commit | d886b3428934bc7cbc404082a6f7885e7f4a2218 (patch) | |
| tree | 4453efcfc90fa4f018d1a518c3a980b7570f983b /drivers/misc | |
| parent | af35f6d738d6e1358e758ea35f6f0a15cde57de8 (diff) | |
msm: ultrasound: Various static analysis fixes
Remove potential null dereference.
Remove dead code from impossible error check.
Set upper bound for user-provided buffer size.
Change-Id: I212f3edfa31e9168d11e0782da7f3fd8c2b98c5d
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Diffstat (limited to 'drivers/misc')
| -rw-r--r-- | drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c | 10 | ||||
| -rw-r--r-- | drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 44 |
2 files changed, 42 insertions, 12 deletions
diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c b/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c index b7ee8a82a049..30274fd4b725 100644 --- a/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c +++ b/drivers/misc/qcom/qdsp6v2/ultrasound/q6usm.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -793,13 +793,13 @@ int q6usm_open_read(struct us_client *usc, int rc = 0x00; struct usm_stream_cmd_open_read open; - pr_debug("%s: session[%d]", __func__, usc->session); - if ((usc == NULL) || (usc->apr == NULL)) { pr_err("%s: client or its apr is NULL\n", __func__); return -EINVAL; } + pr_debug("%s: session[%d]", __func__, usc->session); + q6usm_add_hdr(usc, &open.hdr, sizeof(open), true); open.hdr.opcode = USM_STREAM_CMD_OPEN_READ; open.src_endpoint = 0; /* AFE */ @@ -1040,13 +1040,13 @@ int q6usm_open_write(struct us_client *usc, uint32_t int_format = INVALID_FORMAT; struct usm_stream_cmd_open_write open; - pr_debug("%s: session[%d]", __func__, usc->session); - if ((usc == NULL) || (usc->apr == NULL)) { pr_err("%s: APR handle NULL\n", __func__); return -EINVAL; } + pr_debug("%s: session[%d]", __func__, usc->session); + q6usm_add_hdr(usc, &open.hdr, sizeof(open), true); open.hdr.opcode = USM_STREAM_CMD_OPEN_WRITE; diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c index e0323ec70a19..7572374cc524 100644 --- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c +++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. +/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -60,6 +60,9 @@ #define USF_MAX_BUF_SIZE 3145680 #define USF_MAX_BUF_NUM 32 +/* max size for buffer set from user space */ +#define USF_MAX_USER_BUF_SIZE 100000 + /* Place for opreation result, received from QDSP6 */ #define APR_RESULT_IND 1 @@ -572,11 +575,6 @@ static int config_xx(struct usf_xx_type *usf_xx, struct us_xx_info_type *config) (void *)config->port_id, min_map_size); - if (rc) { - pr_err("%s: ports offsets copy failure\n", __func__); - return -EINVAL; - } - usf_xx->encdec_cfg.format_id = config->stream_format; usf_xx->encdec_cfg.params_size = config->params_data_size; usf_xx->user_upd_info_na = 1; /* it's used in US_GET_TX_UPDATE */ @@ -936,6 +934,12 @@ static int usf_set_us_detection(struct usf_type *usf, unsigned long arg) return -EFAULT; } + if (detect_info.params_data_size > USF_MAX_USER_BUF_SIZE) { + pr_err("%s: user buffer size exceeds maximum\n", + __func__); + return -EFAULT; + } + rc = __usf_set_us_detection(usf, &detect_info); if (rc < 0) { pr_err("%s: set us detection failed; rc=%d\n", @@ -1033,6 +1037,12 @@ static int usf_set_tx_info(struct usf_type *usf, unsigned long arg) return -EFAULT; } + if (config_tx.us_xx_info.params_data_size > USF_MAX_USER_BUF_SIZE) { + pr_err("%s: user buffer size exceeds maximum\n", + __func__); + return -EFAULT; + } + return __usf_set_tx_info(usf, &config_tx); } /* usf_set_tx_info */ @@ -1099,6 +1109,12 @@ static int usf_set_rx_info(struct usf_type *usf, unsigned long arg) return -EFAULT; } + if (config_rx.us_xx_info.params_data_size > USF_MAX_USER_BUF_SIZE) { + pr_err("%s: user buffer size exceeds maximum\n", + __func__); + return -EFAULT; + } + return __usf_set_rx_info(usf, &config_rx); } /* usf_set_rx_info */ @@ -1453,9 +1469,17 @@ static int __usf_get_stream_param(struct usf_xx_type *usf_xx, int dir) { struct us_client *usc = usf_xx->usc; - struct us_port_data *port = &usc->port[dir]; + struct us_port_data *port; int rc = 0; + if (usc == NULL) { + pr_err("%s: us_client is null\n", + __func__); + return -EFAULT; + } + + port = &usc->port[dir]; + if (port->param_buf == NULL) { pr_err("%s: parameter buffer is null\n", __func__); @@ -1994,6 +2018,12 @@ static int usf_set_us_detection32(struct usf_type *usf, unsigned long arg) return -EFAULT; } + if (detect_info32.params_data_size > USF_MAX_USER_BUF_SIZE) { + pr_err("%s: user buffer size exceeds maximum\n", + __func__); + return -EFAULT; + } + memset(&detect_info, 0, sizeof(detect_info)); detect_info.us_detector = detect_info32.us_detector; detect_info.us_detect_mode = detect_info32.us_detect_mode; |