From 050b1cce5d1d9c1eddaa5518f9748cab3eddf0fc Mon Sep 17 00:00:00 2001
From: Jianxiong Pan
Date: Thu, 5 Jul 2018 17:17:02 +0800
Subject: [PATCH] defect: fix code defects in public parts
PD#166793: code defects in public parts
crypto: exclude the of_match_device function return value is NULL
ddr_tool: solve problems of bad_shift and use_after_free
debug: prevent the number of cpus from exceeding the total
efuse: solve the problem of buffer_size_warning
memory_ext: solve the problems of divide_by_zero and overrun
unifykey: solve the problem of buffer_size_warning,and add a variable for useless_call
wifi: exclude the of_match_node function return value is NULL,and avoid the problem of string_overflow
Change-Id: I099ce7c60ddd0266d067215108f0e2baeb31c234
Signed-off-by: Jianxiong Pan
---
 drivers/amlogic/bluetooth/bt_device.c | 6 +++++-
 drivers/amlogic/crypto/aml-dma.c | 2 ++
 drivers/amlogic/ddr_tool/ddr_band_op_gxl.c | 10 ++++++++--
 drivers/amlogic/ddr_tool/ddr_bandwidth.c | 2 +-
 drivers/amlogic/efuse/efuse64.c | 5 +++--
 drivers/amlogic/memory_ext/page_trace.c | 3 +--
 drivers/amlogic/unifykey/storagekey.c | 4 +++-
 drivers/amlogic/unifykey/unifykey.c | 9 ++++++---
 drivers/amlogic/wifi/wifi_dt.c | 9 ++++++++-
 9 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/drivers/amlogic/bluetooth/bt_device.c b/drivers/amlogic/bluetooth/bt_device.c
index 82745e757bdb..594a14b99598 100644
--- a/drivers/amlogic/bluetooth/bt_device.c
+++ b/drivers/amlogic/bluetooth/bt_device.c
@@ -272,8 +272,11 @@ static int bt_probe(struct platform_device *pdev)
 if (ret)
 pdata->power_down_disable = 0;
 pr_info("dis power down = %d;\n", pdata->power_down_disable);
- } else {
+ } else if (pdev) {
 pdata = (struct bt_dev_data *)(pdev->dev.platform_data);
+ } else {
+ ret = -ENOENT;
+ goto err_res;
 }
 #else
 pdata = (struct bt_dev_data *)(pdev->dev.platform_data);
@@ -324,6 +327,7 @@ err_rfkill:
 rfkill_destroy(bt_rfk);
 err_rfk_alloc:
 bt_device_deinit(pdata);
+err_res:
 return ret;
 }
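Review bot: In bt_probe (bt_device.c), the new `else if (pdev)` test comes too late to protect anything: the `#else` branch in the same hunk still dereferences `pdev->dev.platform_data` unconditionally, and the branch above it has presumably already used `pdev` to reach the device-tree node (the `if` condition is outside the hunk). The pointer more likely to be NULL here is `pdata`, so the check worth adding after the assignment is `if (!pdata) { ret = -ENOENT; goto err_res; }`, placed so that it covers both preprocessor branches. bt_probe starts and ends outside this hunk, so confirm that no later code already checks `pdata`.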
diff --git a/drivers/amlogic/crypto/aml-dma.c b/drivers/amlogic/crypto/aml-dma.c
index 12f5b3ea43a5..9e74d0f24594 100644
--- a/drivers/amlogic/crypto/aml-dma.c
+++ b/drivers/amlogic/crypto/aml-dma.c
@@ -96,6 +96,8 @@ static int aml_dma_probe(struct platform_device *pdev)
 }
 match = of_match_device(aml_dma_dt_match, &pdev->dev);
+ if (!match)
+ goto dma_err;
 priv_data = match->data;
 dma_dd->thread = priv_data->thread;
 dma_dd->status = priv_data->status;
diff --git a/drivers/amlogic/ddr_tool/ddr_band_op_gxl.c b/drivers/amlogic/ddr_tool/ddr_band_op_gxl.c
index 6796f05897bb..c03b7b544205 100644
--- a/drivers/amlogic/ddr_tool/ddr_band_op_gxl.c
+++ b/drivers/amlogic/ddr_tool/ddr_band_op_gxl.c
@@ -31,6 +31,9 @@
 #include
 #include
+#undef pr_fmt
+#define pr_fmt(fmt) "ddr_tool: " fmt
+
 static void gxl_dmc_port_config(struct ddr_bandwidth *db, int channel, int port)
 {
 unsigned int val;
@@ -42,12 +45,15 @@ static void gxl_dmc_port_config(struct ddr_bandwidth *db, int channel, int port)
 subport = port - PORT_MAJOR;
 val = readl(db->ddr_reg + port_reg[channel]);
- if (subport < 0) {
+ if (port < 16) {
 val &= ~(0xffff << 16);
 val |= ((1 << (16 + port)) | 0xffff);
- } else {
+ } else if (subport > 0) {
 val &= ~(0xffffffff);
 val |= (1 << 23) | (1 << subport);
+ } else {
+ pr_err("port config fail, %s: %d\n", __func__, __LINE__);
+ return;
 }
 writel(val, db->ddr_reg + port_reg[channel]);
 }
diff --git a/drivers/amlogic/ddr_tool/ddr_bandwidth.c b/drivers/amlogic/ddr_tool/ddr_bandwidth.c
index 002c6fa92cb1..b161f376b7e2 100644
--- a/drivers/amlogic/ddr_tool/ddr_bandwidth.c
+++ b/drivers/amlogic/ddr_tool/ddr_bandwidth.c
@@ -357,9 +357,9 @@ static int ddr_bandwidth_remove(struct platform_device *pdev)
 class_destroy(&aml_ddr_class);
 free_irq(aml_db->irq_num, aml_db);
 kfree(aml_db->port_desc);
- kfree(aml_db);
 iounmap(aml_db->ddr_reg);
 iounmap(aml_db->pll_reg);
+ kfree(aml_db);
 aml_db = NULL;
 }
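Review bot: In aml_dma_probe (aml-dma.c), the new `if (!match) goto dma_err;` does not set an error code before jumping, so what probe returns on this path depends on whatever the return variable held at that point, which the hunk does not show. If it is still 0, the driver would report a successful probe with `dma_dd` only partly initialised. Assign the error explicitly before the jump, for example `err = -ENODEV;` (using the function's actual return variable), and check that the `dma_err` label only releases resources that have been acquired by this point.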
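Review bot: In gxl_dmc_port_config (ddr_band_op_gxl.c), the rewritten branches still allow out-of-range shifts and now reject a value the old code accepted. `port < 16` has no lower bound, so a negative `port` reaches `1 << (16 + port)`; `port == 15` shifts a signed 1 into bit 31; and `1 << subport` has no upper bound. `subport > 0` also sends `subport == 0` (that is, `port == PORT_MAJOR`, assuming `subport` is otherwise negative as the removed `subport < 0` test implies) to the error path, where the previous `else` handled it. Suggested conditions: `if (port >= 0 && port < 16) {` with `1U << (16 + port)`, and `} else if (subport >= 0 && subport < 23) {` with `1U << subport`, where the upper limit should be whatever the register's sub-port field actually allows (bit 23 is used as a flag in this hunk).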
diff --git a/drivers/amlogic/efuse/efuse64.c b/drivers/amlogic/efuse/efuse64.c
index f1a5c7a4cd30..2aa02ff65141 100644
--- a/drivers/amlogic/efuse/efuse64.c
+++ b/drivers/amlogic/efuse/efuse64.c
@@ -610,6 +610,7 @@ int get_efusekey_info(struct device_node *np)
 char *propname;
 const char *uname;
 int ret;
+ int size;
 phandle = of_get_property(np, "key", NULL);
 if (!phandle) {
@@ -658,9 +659,9 @@ int get_efusekey_info(struct device_node *np)
 pr_err("please config keyname item\n");
 goto err;
 }
+ size = sizeof(efusekey_infos[index].keyname) - 1;
 strncpy(efusekey_infos[index].keyname, uname,
- strlen(uname) > sizeof(efusekey_infos[index].keyname) ?
- sizeof(efusekey_infos[index].keyname):strlen(uname));
+ strlen(uname) > size ? size:strlen(uname));
 ret = of_property_read_u32(np_key, "offset", &(efusekey_infos[index].offset));
 if (ret) {
diff --git a/drivers/amlogic/memory_ext/page_trace.c b/drivers/amlogic/memory_ext/page_trace.c
index 2f4e2bc060af..1b873e557998 100644
--- a/drivers/amlogic/memory_ext/page_trace.c
+++ b/drivers/amlogic/memory_ext/page_trace.c
@@ -381,7 +381,7 @@ static void __init find_static_common_symbol(void)
 for (i = 0; i < COMMON_CALLER_SIZE; i++) {
 s = &common_func[i];
 if (!s->name)
- break; /* end */
+ break; /* end */
 if (s->full_match) {
 addr = kallsyms_contain_name(s->name, 1, NULL);
 if (addr)
@@ -557,7 +557,6 @@ unsigned int pack_ip(unsigned long ip, int order, gfp_t flag)
 }
 trace.ret_ip = (ip - text) >> 2;
- WARN_ON(trace.ret_ip > IP_RANGE_MASK);
 #ifdef CONFIG_AMLOGIC_CMA
 if (flag == __GFP_BDEV)
 trace.migrate_type = MIGRATE_CMA;
diff --git a/drivers/amlogic/unifykey/storagekey.c b/drivers/amlogic/unifykey/storagekey.c
index 831485f91ce1..7827b0ca055f 100644
--- a/drivers/amlogic/unifykey/storagekey.c
+++ b/drivers/amlogic/unifykey/storagekey.c
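Review bot: In get_efusekey_info (efuse64.c), the bounded `strncpy` never writes a terminator: the length passed is the smaller of `strlen(uname)` and `size`, so the NUL is excluded in both cases and `keyname` is only a valid string if `efusekey_infos[index]` was zeroed beforehand, which this hunk does not show. `size` is also declared `int` and compared against the `size_t` result of `strlen()`. Both problems go away with a single call that truncates and terminates, `strlcpy(efusekey_infos[index].keyname, uname, sizeof(efusekey_infos[index].keyname));` (or `strscpy` where the tree has it), and the `size` local added in the first hunk is then unnecessary. The `strncpy` in the last unifykey.c hunk could use the same helper in place of the copy plus manual terminator.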
@@ -402,7 +402,9 @@ ssize_t amlkey_write(const uint8_t *name,
 retval = (ssize_t)len;
 /* write down! */
 if (storagekey_info.buffer != NULL) {
- buf = kzalloc(storagekey_info.size, GFP_KERNEL);
+ buf = kmalloc(storagekey_info.size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
 memcpy(buf, storagekey_info.buffer, storagekey_info.size);
 if (store_key_write)
diff --git a/drivers/amlogic/unifykey/unifykey.c b/drivers/amlogic/unifykey/unifykey.c
index 0f602b2edf8f..f98ccc9d5a1b 100644
--- a/drivers/amlogic/unifykey/unifykey.c
+++ b/drivers/amlogic/unifykey/unifykey.c
@@ -275,7 +275,9 @@ static int key_storage_query(char *keyname, unsigned int *keystate)
 static int key_efuse_init(struct key_info_t *uk_info, char *buf, unsigned int len)
 {
- unifykey_get_efuse_version(uk_info);
+ char var = 0;
+
+ var = unifykey_get_efuse_version(uk_info);
 return 0;
 }
@@ -812,7 +814,6 @@ static long unifykey_unlocked_ioctl(struct file *file,
 char *keyname;
 int ret;
-
 key_item_info = kmalloc(sizeof(struct key_item_info_t), GFP_KERNEL);
 if (!key_item_info)
@@ -825,6 +826,7 @@ static long unifykey_unlocked_ioctl(struct file *file,
 kfree(key_item_info);
 return ret;
 }
+ key_item_info->name[KEY_UNIFY_NAME_LEN - 1] = '\0';
 index = key_item_info->id;
 keyname = key_item_info->name;
 if (strlen(keyname) > KEY_UNIFY_NAME_LEN - 1) {
@@ -860,7 +862,8 @@ static long unifykey_unlocked_ioctl(struct file *file,
 key_item_info->flag = keystate;
 key_item_info->id = kkey->id;
 strncpy(key_item_info->name,
- kkey->name, KEY_UNIFY_NAME_LEN);
+ kkey->name, (KEY_UNIFY_NAME_LEN - 1));
+ key_item_info->name[KEY_UNIFY_NAME_LEN - 1] = '\0';
 ret = key_unify_size(ukdev, kkey->name, &reallen);
 if (ret < 0) {
 pr_err("%s() %d, get size fail\n",
diff --git a/drivers/amlogic/wifi/wifi_dt.c b/drivers/amlogic/wifi/wifi_dt.c
index 304f491db272..8a3219bb6e75 100644
--- a/drivers/amlogic/wifi/wifi_dt.c
+++ b/drivers/amlogic/wifi/wifi_dt.c
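Review bot: In amlkey_write (storagekey.c), the added `return -ENOMEM;` leaves the function directly from the middle of the write path. The lines above the hunk are not visible, but `storagekey_info.buffer` appears to have been updated already (the `/* write down! */` comment marks the persist step), so on allocation failure the in-memory store and the persistent store can disagree, and any lock or state taken earlier in the function would be skipped. Prefer setting `retval = -ENOMEM;` and leaving through the function's existing exit path. Since `buf` holds a copy of key material, its release (outside the hunk) should clear it before freeing, e.g. `kzfree(buf)`.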
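Review bot: In key_efuse_init (unifykey.c), storing the result of `unifykey_get_efuse_version()` in `var` only hides the unchecked-return warning; the value is never read and the function still returns 0 regardless. The `char` type would also truncate the result if the callee returns an `int` (its prototype is not in the hunk), and the set-but-unused local is likely to draw a compiler warning of its own. Either act on the result, e.g. `ret = unifykey_get_efuse_version(uk_info); if (ret < 0) return ret;` if a negative value signals failure, or state the intent with `(void)unifykey_get_efuse_version(uk_info);`.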
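Review bot: In unifykey_unlocked_ioctl (unifykey.c), forcing `key_item_info->name[KEY_UNIFY_NAME_LEN - 1] = '\0'` makes the `strlen(keyname) > KEY_UNIFY_NAME_LEN - 1` test on the following lines unreachable, so an unterminated name in the request (presumably copied from user space just above the hunk) is now silently truncated and looked up instead of being rejected. If rejection is the intended behaviour, test the raw buffer before modifying it: `if (strnlen(key_item_info->name, KEY_UNIFY_NAME_LEN) == KEY_UNIFY_NAME_LEN)`, then free `key_item_info` and return `-EINVAL`. This assumes `name` is declared with `KEY_UNIFY_NAME_LEN` bytes, which the hunk does not show; `index = key_item_info->id` comes from the same request and should be range-checked if it is later used as an array index.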
@@ -125,6 +125,8 @@ static struct wifi_plat_info *wifi_get_driver_data
 const struct of_device_id *match;
 match = of_match_node(wifi_match, pdev->dev.of_node);
+ if (!match)
+ return NULL;
 return (struct wifi_plat_info *)match->data;
 }
 #else
@@ -338,7 +340,12 @@ static long wifi_power_ioctl(struct file *filp,
 WIFI_INFO("ioctl Set sdio wifi power down!\n");
 break;
 case SDIO_GET_DEV_TYPE:
- memcpy(dev_type, get_wifi_inf(), strlen(get_wifi_inf()));
+ if (strlen(get_wifi_inf()) >= sizeof(dev_type))
+ memcpy(dev_type, get_wifi_inf(),
+ (sizeof(dev_type) - 1));
+ else
+ memcpy(dev_type, get_wifi_inf(),
+ strlen(get_wifi_inf()));
 WIFI_INFO("wifi interface dev type: %s, length = %d\n", dev_type, (int)strlen(dev_type));
 if (copy_to_user((char __user *)arg,
--
2.20.1
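Review bot: In wifi_get_driver_data (wifi_dt.c), returning NULL on a failed `of_match_node()` moves the NULL dereference to the callers unless each of them checks the result, and none of the call sites are part of this patch. Each caller should fail its own setup with an error such as `-ENODEV` when it gets NULL back. The function's signature and opening brace are outside the hunk, as is the `#else` variant that begins right after it.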
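Review bot: In wifi_power_ioctl (wifi_dt.c), under `case SDIO_GET_DEV_TYPE:`, both `memcpy` calls copy the characters without the terminating NUL, so the `%s` and `strlen(dev_type)` on the next line, and whatever length is then handed to `copy_to_user`, are only bounded if `dev_type` was zero-filled beforehand; its declaration is outside the hunk. If it was not, stale stack bytes can be read and returned to user space. `get_wifi_inf()` is also called up to three times and its result is never checked for NULL. A single terminating copy replaces the whole if/else: `strlcpy(dev_type, get_wifi_inf(), sizeof(dev_type));`, assuming `dev_type` is an array so that `sizeof` yields its capacity.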