Public bug reported:

** CID 1438209:  Memory - corruptions  (OVERRUN)
/ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()


________________________________________________________________________________________________________
*** CID 1438209:  Memory - corruptions  (OVERRUN)
/ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()
346     
347                     if (status) {
348                             mutex_unlock(&common->tx_lock);
349                             break;
350                     }
351     
>>>     CID 1438209:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte 
>>> elements at element index 5 (byte offset 20) using index "q_num" (which 
>>> evaluates to 5).
352                     common->tx_stats.total_tx_pkt_send[q_num]++;
353     
354                     tstamp_2 = jiffies;
355                     mutex_unlock(&common->tx_lock);
356     
357                     if (tstamp_2 > tstamp_1 + (300 * HZ / 1000))

** CID 1438210:  Resource leaks  (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()


________________________________________________________________________________________________________
*** CID 1438210:  Resource leaks  (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()
268             cmd_frame->q_no = RSI_BT_MGMT_Q;
269             cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR;
270     
271             skb_put(skb, sizeof(struct rsi_bt_cmd_frame));
272     
273             //return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>>     CID 1438210:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "skb" going out of scope leaks the storage it points to.
274             return common->priv->host_intf_ops->write_pkt(common->priv, 
skb->data, skb->len);
275     }
276     EXPORT_SYMBOL_GPL(rsi_deregister_bt);
277     
278     int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt)
279     {

** CID 1438211:  Resource leaks  (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()


________________________________________________________________________________________________________
*** CID 1438211:  Resource leaks  (RESOURCE_LEAK)
/ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()
243             cmd_frame->bt_rf_tx_power_mode = 0;
244             cmd_frame->bt_rf_tx_power_mode = 0;
245     
246             skb_put(skb, sizeof(struct rsi_bt_rfmode_frame));
247     
248     //      return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
>>>     CID 1438211:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "skb" going out of scope leaks the storage it points to.
249             return common->priv->host_intf_ops->write_pkt(common->priv, 
skb->data, skb->len);
250     }
251     EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame);
252     
253     int rsi_deregister_bt(struct rsi_common *common)
254     {

** CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
/ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()


________________________________________________________________________________________________________
*** CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
/ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()
1382            struct rsi_91x_sdiodev *sdev =
1383                    (struct rsi_91x_sdiodev *)adapter->rsi_dev;
1384     #endif
1385     
1386            ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n");
1387     
>>>     CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "adapter" suggests that it may be null, but it has 
>>> already been dereferenced on all paths leading to the check.
1388            if (!adapter) {
1389                    ven_rsi_dbg(ERR_ZONE, "Device is not ready\n");
1390                    return -ENODEV;
1391            }
1392     
1393            common->suspend_in_prog = true;

** CID 1438213:  Control flow issues  (UNREACHABLE)
/ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()


________________________________________________________________________________________________________
*** CID 1438213:  Control flow issues  (UNREACHABLE)
/ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()
491             struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev 
*)adapter->rsi_dev;
492             int status;
493             u32 buf_status = 0;
494     
495             return QUEUE_NOT_FULL;
496     
>>>     CID 1438213:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "if (adapter->priv->fsm_stat...".
497             if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE)
498                     return QUEUE_NOT_FULL;
499     
500             status = rsi_usb_reg_read(dev->usbdev, 
adapter->usb_buffer_status_reg,
501                                       &buf_status, 2);
502             if (status < 0)

** Affects: linux (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Changed in: linux (Ubuntu)
       Status: New => In Progress

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
       Status: In Progress => Confirmed

https://bugs.launchpad.net/bugs/1694733

Title:
  ubuntu/rsi driver has several issues as picked up by static analysis

