Public bug reported:
** CID 1438209: Memory - corruptions (OVERRUN) /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor() ________________________________________________________________________________________________________ *** CID 1438209: Memory - corruptions (OVERRUN) /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor() 346 347 if (status) { 348 mutex_unlock(&common->tx_lock); 349 break; 350 } 351 >>> CID 1438209: Memory - corruptions (OVERRUN) >>> Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte elements at element index 5 (byte offset 20) using index "q_num" (which evaluates to 5). 352 common->tx_stats.total_tx_pkt_send[q_num]++; 353 354 tstamp_2 = jiffies; 355 mutex_unlock(&common->tx_lock); 356 357 if (tstamp_2 > tstamp_1 + (300 * HZ / 1000)) ** CID 1438210: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt() ________________________________________________________________________________________________________ *** CID 1438210: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt() 268 cmd_frame->q_no = RSI_BT_MGMT_Q; 269 cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR; 270 271 skb_put(skb, sizeof(struct rsi_bt_cmd_frame)); 272 273 //return rsi_coex_send_pkt(common, skb, RSI_BT_Q); >>> CID 1438210: Resource leaks (RESOURCE_LEAK) >>> Variable "skb" going out of scope leaks the storage it points to. 
274 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len); 275 } 276 EXPORT_SYMBOL_GPL(rsi_deregister_bt); 277 278 int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt) 279 { ** CID 1438211: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame() ________________________________________________________________________________________________________ *** CID 1438211: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame() 243 cmd_frame->bt_rf_tx_power_mode = 0; 244 cmd_frame->bt_rf_tx_power_mode = 0; 245 246 skb_put(skb, sizeof(struct rsi_bt_rfmode_frame)); 247 248 // return rsi_coex_send_pkt(common, skb, RSI_BT_Q); >>> CID 1438211: Resource leaks (RESOURCE_LEAK) >>> Variable "skb" going out of scope leaks the storage it points to. 249 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len); 250 } 251 EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame); 252 253 int rsi_deregister_bt(struct rsi_common *common) 254 { ** CID 1438212: Null pointer dereferences (REVERSE_INULL) /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze() ________________________________________________________________________________________________________ *** CID 1438212: Null pointer dereferences (REVERSE_INULL) /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze() 1382 struct rsi_91x_sdiodev *sdev = 1383 (struct rsi_91x_sdiodev *)adapter->rsi_dev; 1384 #endif 1385 1386 ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n"); 1387 >>> CID 1438212: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "adapter" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 
1388 if (!adapter) { 1389 ven_rsi_dbg(ERR_ZONE, "Device is not ready\n"); 1390 return -ENODEV; 1391 } 1392 1393 common->suspend_in_prog = true; ** CID 1438213: Control flow issues (UNREACHABLE) /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status() ________________________________________________________________________________________________________ *** CID 1438213: Control flow issues (UNREACHABLE) /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status() 491 struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev; 492 int status; 493 u32 buf_status = 0; 494 495 return QUEUE_NOT_FULL; 496 >>> CID 1438213: Control flow issues (UNREACHABLE) >>> This code cannot be reached: "if (adapter->priv->fsm_stat...". 497 if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE) 498 return QUEUE_NOT_FULL; 499 500 status = rsi_usb_reg_read(dev->usbdev, adapter->usb_buffer_status_reg, 501 &buf_status, 2); 502 if (status < 0) ** Affects: linux (Ubuntu) Importance: Medium Status: Confirmed ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Status: In Progress => Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. 
https://bugs.launchpad.net/bugs/1694733 Title: ubuntu/rsi driver has several issues as picked up by static analysis Status in linux package in Ubuntu: Confirmed Bug description: ** CID 1438209: Memory - corruptions (OVERRUN) /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor() ________________________________________________________________________________________________________ *** CID 1438209: Memory - corruptions (OVERRUN) /ubuntu/rsi/rsi_91x_core.c: 352 in rsi_core_qos_processor() 346 347 if (status) { 348 mutex_unlock(&common->tx_lock); 349 break; 350 } 351 >>> CID 1438209: Memory - corruptions (OVERRUN) >>> Overrunning array "common->tx_stats.total_tx_pkt_send" of 5 4-byte elements at element index 5 (byte offset 20) using index "q_num" (which evaluates to 5). 352 common->tx_stats.total_tx_pkt_send[q_num]++; 353 354 tstamp_2 = jiffies; 355 mutex_unlock(&common->tx_lock); 356 357 if (tstamp_2 > tstamp_1 + (300 * HZ / 1000)) ** CID 1438210: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt() ________________________________________________________________________________________________________ *** CID 1438210: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 274 in rsi_deregister_bt() 268 cmd_frame->q_no = RSI_BT_MGMT_Q; 269 cmd_frame->pkt_type = RSI_BT_PKT_TYPE_DEREGISTR; 270 271 skb_put(skb, sizeof(struct rsi_bt_cmd_frame)); 272 273 //return rsi_coex_send_pkt(common, skb, RSI_BT_Q); >>> CID 1438210: Resource leaks (RESOURCE_LEAK) >>> Variable "skb" going out of scope leaks the storage it points to. 
274 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len); 275 } 276 EXPORT_SYMBOL_GPL(rsi_deregister_bt); 277 278 int rsi_hci_recv_pkt(struct rsi_common *common, u8 *pkt) 279 { ** CID 1438211: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame() ________________________________________________________________________________________________________ *** CID 1438211: Resource leaks (RESOURCE_LEAK) /ubuntu/rsi/rsi_91x_hci.c: 249 in rsi_send_rfmode_frame() 243 cmd_frame->bt_rf_tx_power_mode = 0; 244 cmd_frame->bt_rf_tx_power_mode = 0; 245 246 skb_put(skb, sizeof(struct rsi_bt_rfmode_frame)); 247 248 // return rsi_coex_send_pkt(common, skb, RSI_BT_Q); >>> CID 1438211: Resource leaks (RESOURCE_LEAK) >>> Variable "skb" going out of scope leaks the storage it points to. 249 return common->priv->host_intf_ops->write_pkt(common->priv, skb->data, skb->len); 250 } 251 EXPORT_SYMBOL_GPL(rsi_send_rfmode_frame); 252 253 int rsi_deregister_bt(struct rsi_common *common) 254 { ** CID 1438212: Null pointer dereferences (REVERSE_INULL) /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze() ________________________________________________________________________________________________________ *** CID 1438212: Null pointer dereferences (REVERSE_INULL) /ubuntu/rsi/rsi_91x_sdio.c: 1388 in rsi_freeze() 1382 struct rsi_91x_sdiodev *sdev = 1383 (struct rsi_91x_sdiodev *)adapter->rsi_dev; 1384 #endif 1385 1386 ven_rsi_dbg(INFO_ZONE, "SDIO Bus freeze ===>\n"); 1387 >>> CID 1438212: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "adapter" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 
1388 if (!adapter) { 1389 ven_rsi_dbg(ERR_ZONE, "Device is not ready\n"); 1390 return -ENODEV; 1391 } 1392 1393 common->suspend_in_prog = true; ** CID 1438213: Control flow issues (UNREACHABLE) /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status() ________________________________________________________________________________________________________ *** CID 1438213: Control flow issues (UNREACHABLE) /ubuntu/rsi/rsi_91x_usb.c: 497 in rsi_usb_check_queue_status() 491 struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev; 492 int status; 493 u32 buf_status = 0; 494 495 return QUEUE_NOT_FULL; 496 >>> CID 1438213: Control flow issues (UNREACHABLE) >>> This code cannot be reached: "if (adapter->priv->fsm_stat...". 497 if (adapter->priv->fsm_state != FSM_MAC_INIT_DONE) 498 return QUEUE_NOT_FULL; 499 500 status = rsi_usb_reg_read(dev->usbdev, adapter->usb_buffer_status_reg, 501 &buf_status, 2); 502 if (status < 0) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1694733/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp