
group.of.nepali.translators team mailing list archive

[Bug 1694733] Re: ubuntu/rsi driver has several issues as picked up by static analysis

 

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1694733

Title:
  ubuntu/rsi driver has several issues as picked up by static analysis

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Fix Committed

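Bug description:
  Static analysis of the ubuntu/rsi driver reported five defects, each detailed below: an out-of-bounds array index in rsi_core_qos_processor() (CID 1438209), an skb leak in rsi_deregister_bt() (CID 1438210) and in rsi_send_rfmode_frame() (CID 1438211), a null check placed after the pointer has already been dereferenced in rsi_freeze() (CID 1438212), and unreachable code after an unconditional return in rsi_usb_check_queue_status() (CID 1438213).
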
  ** CID 1438209:  Memory - corruptions  (OVERRUN)
  /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()

  
  ________________________________________________________________________________________________________
  *** CID 1438209:  Memory - corruptions  (OVERRUN)
  /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor()
  346     
  347     		if (status) {
  348     			mutex_unlock(&common->tx_lock);
  349     			break;
  350     		}
  351     
  >>>     CID 1438209:  Memory - corruptions  (OVERRUN)
  >>>     Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte elements at element index 5 (byte offset 20) using index "q_num" (which evaluates to 5).
  352     		common->tx_stats.total_tx_pkt_send[q_num]++;
  353     
  354     		tstamp_2 = jiffies;
  355     		mutex_unlock(&common->tx_lock);
  356     
  357     		if (tstamp_2 > tstamp_1 + (300 * HZ / 1000))

  ** CID 1438210:  Resource leaks  (RESOURCE_LEAK)
  /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()

  
  ________________________________________________________________________________________________________
  *** CID 1438210:  Resource leaks  (RESOURCE_LEAK)
  /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt()
  268     	cmd_frame->q_no = RSI_BT_MGMT_Q;
  269     	cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR;
  270     
  271     	skb_put(skb, sizeof(struct rsi_bt_cmd_frame));
  272     
  273     	//return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
  >>>     CID 1438210:  Resource leaks  (RESOURCE_LEAK)
  >>>     Variable "skb" going out of scope leaks the storage it points to.
  274     	return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
  275     }
  276     EXPORT_SYMBOL_GPL(rsi_deregister_bt);
  277     
  278     int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt)
  279     {

  ** CID 1438211:  Resource leaks  (RESOURCE_LEAK)
  /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()

  
  ________________________________________________________________________________________________________
  *** CID 1438211:  Resource leaks  (RESOURCE_LEAK)
  /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame()
  243     	cmd_frame->bt_rf_tx_power_mode = 0;
  244     	cmd_frame->bt_rf_tx_power_mode = 0;
  245     
  246     	skb_put(skb, sizeof(struct rsi_bt_rfmode_frame));
  247     
  248     //	return rsi_coex_send_pkt(common, skb, RSI_BT_Q);
  >>>     CID 1438211:  Resource leaks  (RESOURCE_LEAK)
  >>>     Variable "skb" going out of scope leaks the storage it points to.
  249     	return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len);
  250     }
  251     EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame);
  252     
  253     int rsi_deregister_bt(struct rsi_common *common)
  254     {

  ** CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
  /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()

  
  ________________________________________________________________________________________________________
  *** CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
  /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze()
  1382     	struct rsi_91x_sdiodev *sdev =
  1383     		(struct rsi_91x_sdiodev *)adapter->rsi_dev;
  1384     #endif
  1385     
  1386     	ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n");
  1387     
  >>>     CID 1438212:  Null pointer dereferences  (REVERSE_INULL)
  >>>     Null-checking "adapter" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
  1388     	if (!adapter) {
  1389     		ven_rsi_dbg(ERR_ZONE, "Device is not ready\n");
  1390     		return -ENODEV;
  1391     	}
  1392     
  1393     	common->suspend_in_prog = true;

  ** CID 1438213:  Control flow issues  (UNREACHABLE)
  /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()

  
  ________________________________________________________________________________________________________
  *** CID 1438213:  Control flow issues  (UNREACHABLE)
  /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status()
  491     	struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
  492     	int status;
  493     	u32 buf_status = 0;
  494     
  495     	return QUEUE_NOT_FULL;
  496     
  >>>     CID 1438213:  Control flow issues  (UNREACHABLE)
  >>>     This code cannot be reached: "if (adapter->priv->fsm_stat...".
  497     	if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE)
  498     		return QUEUE_NOT_FULL;
  499     
  500     	status = rsi_usb_reg_read(dev->usbdev, adapter->usb_buffer_status_reg,
  501     				  &buf_status, 2);
  502     	if (status < 0)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1694733/+subscriptions