* [PATCH 0/3] Interface tightening patches
@ 2010-01-14 1:11 Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Omar Ramirez Luna
0 siblings, 1 reply; 7+ messages in thread
From: Omar Ramirez Luna @ 2010-01-14 1:11 UTC (permalink / raw)
To: linux-omap
Cc: Omar Ramirez Luna, Nishanth Menon, Hiroshi Doyu, Ameya Palande,
Fernando Guzman Lugo
Set of patches containing ioctl interface checks, NULL pointer
checks and improvements to resource handling on error.
Ernesto Ramos (3):
DSPBRIDGE: Interface tightening to check for invalid input
parameters
DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails
DSPBRIDGE: NULL Pointer Dereference fix
arch/arm/plat-omap/include/dspbridge/dbdefs.h | 4 +-
drivers/dsp/bridge/pmgr/wcd.c | 126 ++++++++++++++++++++-----
drivers/dsp/bridge/rmgr/nldr.c | 3 +-
drivers/dsp/bridge/rmgr/node.c | 6 +-
drivers/dsp/bridge/rmgr/proc.c | 9 +-
drivers/dsp/bridge/services/mem.c | 4 -
drivers/dsp/bridge/wmd/chnl_sm.c | 2 +-
7 files changed, 113 insertions(+), 41 deletions(-)
CC: Nishanth Menon <nm@ti.com>
CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
CC: Ameya Palande <ameya.palande@nokia.com>
CC: Fernando Guzman Lugo <x0095840@ti.com>
* [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters
2010-01-14 1:11 [PATCH 0/3] Interface tightening patches Omar Ramirez Luna
@ 2010-01-14 1:11 ` Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Omar Ramirez Luna
2010-01-18 18:30 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Ramirez Luna, Omar
0 siblings, 2 replies; 7+ messages in thread
From: Omar Ramirez Luna @ 2010-01-14 1:11 UTC (permalink / raw)
To: linux-omap; +Cc: Ernesto Ramos, Nishanth Menon, Hiroshi Doyu, Ameya Palande
From: Ernesto Ramos <ernesto@ti.com>
Add more error and range checking to address use cases
that access kernel APIs directly.
Signed-off-by: Ernesto Ramos <ernesto@ti.com>
CC: Nishanth Menon <nm@ti.com>
CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
CC: Ameya Palande <ameya.palande@nokia.com>
---
arch/arm/plat-omap/include/dspbridge/dbdefs.h | 4 +-
drivers/dsp/bridge/pmgr/wcd.c | 91 +++++++++++++++++++-----
drivers/dsp/bridge/services/mem.c | 4 -
3 files changed, 75 insertions(+), 24 deletions(-)
diff --git a/arch/arm/plat-omap/include/dspbridge/dbdefs.h b/arch/arm/plat-omap/include/dspbridge/dbdefs.h
index acd291f..f77de39 100644
--- a/arch/arm/plat-omap/include/dspbridge/dbdefs.h
+++ b/arch/arm/plat-omap/include/dspbridge/dbdefs.h
@@ -217,7 +217,9 @@
DSP_DCDLIBRARYTYPE,
DSP_DCDCREATELIBTYPE,
DSP_DCDEXECUTELIBTYPE,
- DSP_DCDDELETELIBTYPE
+ DSP_DCDDELETELIBTYPE,
+ /* DSP_DCDMAXOBJTYPE is meant to be the last DCD object type */
+ DSP_DCDMAXOBJTYPE
} ;
/* Processor states */
diff --git a/drivers/dsp/bridge/pmgr/wcd.c b/drivers/dsp/bridge/pmgr/wcd.c
index 39e3110..006ca63 100644
--- a/drivers/dsp/bridge/pmgr/wcd.c
+++ b/drivers/dsp/bridge/pmgr/wcd.c
@@ -539,6 +539,10 @@ u32 MGRWRAP_EnumNode_Info(union Trapped_Args *args, void *pr_ctxt)
args->ARGS_MGR_ENUMNODE_INFO.pNDBProps,
args->ARGS_MGR_ENUMNODE_INFO.uNDBPropsSize,
args->ARGS_MGR_ENUMNODE_INFO.puNumNodes);
+
+ if (size < sizeof(struct DSP_NDBPROPS))
+ return DSP_ESIZE;
+
pNDBProps = MEM_Alloc(size, MEM_NONPAGED);
if (pNDBProps == NULL)
status = DSP_EMEMORY;
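Review bot: The check added in MGRWRAP_EnumNode_Info rejects only sizes below `sizeof(struct DSP_NDBPROPS)`, so any larger value still reaches `MEM_Alloc(size, MEM_NONPAGED)` unchanged. The assignment of `size` is outside the hunk; if it is taken directly from the caller's `uNDBPropsSize`, an ioctl caller can still request an arbitrarily large non-paged allocation. Consider adding an upper bound, or, if larger buffers are never meaningful for this call, requiring an exact match with `if (size != sizeof(struct DSP_NDBPROPS)) return DSP_ESIZE;`. The same lower-bound-only check is added for `struct DSP_PROCESSORINFO` in the MGRWRAP_EnumProc_Info hunk that follows.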
@@ -576,6 +580,10 @@ u32 MGRWRAP_EnumProc_Info(union Trapped_Args *args, void *pr_ctxt)
args->ARGS_MGR_ENUMPROC_INFO.pProcessorInfo,
args->ARGS_MGR_ENUMPROC_INFO.uProcessorInfoSize,
args->ARGS_MGR_ENUMPROC_INFO.puNumProcs);
+
+ if (size < sizeof(struct DSP_PROCESSORINFO))
+ return DSP_ESIZE;
+
pProcessorInfo = MEM_Alloc(size, MEM_NONPAGED);
if (pProcessorInfo == NULL)
status = DSP_EMEMORY;
@@ -608,6 +616,11 @@ u32 MGRWRAP_RegisterObject(union Trapped_Args *args, void *pr_ctxt)
char *pszPathName = NULL;
DSP_STATUS status = DSP_SOK;
+
+ GT_1trace(WCD_debugMask, GT_ENTER,
+ "MGRWRAP_RegisterObject: entered "
+ "0x%x\n", args->ARGS_MGR_REGISTEROBJECT.pUuid);
+
cp_fm_usr(&pUuid, args->ARGS_MGR_REGISTEROBJECT.pUuid, status, 1);
if (DSP_FAILED(status))
goto func_end;
@@ -625,9 +638,9 @@ u32 MGRWRAP_RegisterObject(union Trapped_Args *args, void *pr_ctxt)
goto func_end;
}
- GT_1trace(WCD_debugMask, GT_ENTER,
- "MGRWRAP_RegisterObject: entered pg2hMsg "
- "0x%x\n", args->ARGS_MGR_REGISTEROBJECT.pUuid);
+ if (args->ARGS_MGR_REGISTEROBJECT.objType >= DSP_DCDMAXOBJTYPE)
+ return DSP_EINVALIDARG;
+
status = DCD_RegisterObject(&pUuid,
args->ARGS_MGR_REGISTEROBJECT.objType,
(char *)pszPathName);
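Review bot: The `return DSP_EINVALIDARG;` added for an out-of-range `objType` leaves the function directly, while the other failure paths visible in this hunk and the previous one use `goto func_end`. `pszPathName` is a `char *` initialised to NULL and is presumably filled by the code just above this check (not shown); if it is heap-allocated by this point, the early return leaks it. Using `status = DSP_EINVALIDARG; goto func_end;` keeps the common cleanup path, or the range check can be moved ahead of the first `cp_fm_usr`. Separately, if `objType` is a signed enum, a negative value passes `>= DSP_DCDMAXOBJTYPE`, so a lower-bound test may be worth adding.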
@@ -814,7 +827,10 @@ u32 PROCWRAP_EnumNode_Info(union Trapped_Args *args, void *pr_ctxt)
args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize,
args->ARGS_PROC_ENUMNODE_INFO.puNumNodes,
args->ARGS_PROC_ENUMNODE_INFO.puAllocated);
- DBC_Require(args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize <= MAX_NODES);
+
+ if (!args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize)
+ return DSP_ESIZE;
+
status = PROC_EnumNodes(args->ARGS_PROC_ENUMNODE_INFO.hProcessor,
aNodeTab,
args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize,
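Review bot: Replacing `DBC_Require(args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize <= MAX_NODES)` with a zero-only check removes the only upper bound on `uNodeTabSize` visible in this hunk. `aNodeTab` is declared outside the hunk; if it is a fixed array of `MAX_NODES` entries, a larger caller-supplied count is now handed to PROC_EnumNodes as the table capacity. Keep both limits in the runtime check, e.g. `if (!args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize || args->ARGS_PROC_ENUMNODE_INFO.uNodeTabSize > MAX_NODES) return DSP_ESIZE;`, the way the GetTrace and STRM hunks in this patch turn their `DBC_Require` limits into real checks.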
@@ -837,6 +853,10 @@ u32 PROCWRAP_FlushMemory(union Trapped_Args *args, void *pr_ctxt)
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_FlushMemory: entered\n");
+ if (args->ARGS_PROC_FLUSHMEMORY.ulFlags >
+ PROC_WRITEBACK_INVALIDATE_MEM)
+ return DSP_EINVALIDARG;
+
status = PROC_FlushMemory(args->ARGS_PROC_FLUSHMEMORY.hProcessor,
args->ARGS_PROC_FLUSHMEMORY.pMpuAddr,
args->ARGS_PROC_FLUSHMEMORY.ulSize,
@@ -871,9 +891,6 @@ u32 PROCWRAP_EnumResources(union Trapped_Args *args, void *pr_ctxt)
DSP_STATUS status = DSP_SOK;
struct DSP_RESOURCEINFO pResourceInfo;
- if (DSP_FAILED(status))
- goto func_end;
-
GT_4trace(WCD_debugMask, GT_ENTER,
"PROCWRAP_EnumResources: entered args:\n"
"0x%x hProcessor: 0x%x\tuResourceMask: 0x%x\tpResourceInfo"
@@ -882,15 +899,19 @@ u32 PROCWRAP_EnumResources(union Trapped_Args *args, void *pr_ctxt)
args->ARGS_PROC_ENUMRESOURCES.uResourceType,
args->ARGS_PROC_ENUMRESOURCES.pResourceInfo,
args->ARGS_PROC_ENUMRESOURCES.uResourceInfoSize);
+
+ if (args->ARGS_PROC_ENUMRESOURCES.uResourceInfoSize <
+ sizeof(struct DSP_RESOURCEINFO))
+ return DSP_ESIZE;
+
status = PROC_GetResourceInfo(args->ARGS_PROC_ENUMRESOURCES.hProcessor,
args->ARGS_PROC_ENUMRESOURCES.uResourceType,
&pResourceInfo,
args->ARGS_PROC_ENUMRESOURCES.uResourceInfoSize);
- if (DSP_FAILED(status))
- goto func_end;
+
cp_to_usr(args->ARGS_PROC_ENUMRESOURCES.pResourceInfo, &pResourceInfo,
status, 1);
-func_end:
+
return status;
}
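Review bot: With the `if (DSP_FAILED(status)) goto func_end;` guard removed, `cp_to_usr(args->ARGS_PROC_ENUMRESOURCES.pResourceInfo, &pResourceInfo, status, 1)` is now reached even when PROC_GetResourceInfo fails, and `pResourceInfo` is an uninitialised stack struct. cp_to_usr is defined outside this page; if it does not skip the copy when `status` already indicates failure, stale kernel stack bytes would be copied to user space, so either keep the guard or zero-initialise the struct and add a comment such as `/* cp_to_usr is a no-op when status is already a failure */`. In addition, `uResourceInfoSize` is only lower-bounded, yet it is still passed to PROC_GetResourceInfo as the size of a buffer that is exactly `sizeof(struct DSP_RESOURCEINFO)`. The PROCWRAP_GetState hunk that follows has the same shape with `procStatus` and `uStateInfoSize`.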
@@ -903,6 +924,11 @@ u32 PROCWRAP_GetState(union Trapped_Args *args, void *pr_ctxt)
DSP_STATUS status;
struct DSP_PROCESSORSTATE procStatus;
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_GetState: entered\n");
+
+ if (args->ARGS_PROC_GETSTATE.uStateInfoSize <
+ sizeof(struct DSP_PROCESSORSTATE))
+ return DSP_ESIZE;
+
status = PROC_GetState(args->ARGS_PROC_GETSTATE.hProcessor, &procStatus,
args->ARGS_PROC_GETSTATE.uStateInfoSize);
cp_to_usr(args->ARGS_PROC_GETSTATE.pProcStatus, &procStatus, status, 1);
@@ -920,7 +946,8 @@ u32 PROCWRAP_GetTrace(union Trapped_Args *args, void *pr_ctxt)
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_GetTrace: entered\n");
- DBC_Require(args->ARGS_PROC_GETTRACE.uMaxSize <= MAX_TRACEBUFLEN);
+ if (args->ARGS_PROC_GETTRACE.uMaxSize > MAX_TRACEBUFLEN)
+ return DSP_ESIZE;
pBuf = MEM_Calloc(args->ARGS_PROC_GETTRACE.uMaxSize, MEM_NONPAGED);
if (pBuf != NULL) {
@@ -946,10 +973,12 @@ u32 PROCWRAP_Load(union Trapped_Args *args, void *pr_ctxt)
DSP_STATUS status = DSP_SOK;
char *temp;
s32 count = args->ARGS_PROC_LOAD.iArgc;
- u8 **argv, **envp = NULL;
+ u8 **argv = NULL, **envp = NULL;
- DBC_Require(count > 0);
- DBC_Require(count <= MAX_LOADARGS);
+ if (count <= 0 || count > MAX_LOADARGS) {
+ status = DSP_EINVALIDARG;
+ goto func_cont;
+ }
argv = MEM_Alloc(count * sizeof(u8 *), MEM_NONPAGED);
if (!argv) {
@@ -1065,6 +1094,10 @@ u32 PROCWRAP_Map(union Trapped_Args *args, void *pr_ctxt)
void *pMapAddr;
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_Map: entered\n");
+
+ if (!args->ARGS_PROC_MAPMEM.ulSize)
+ return DSP_ESIZE;
+
status = PROC_Map(args->ARGS_PROC_MAPMEM.hProcessor,
args->ARGS_PROC_MAPMEM.pMpuAddr,
args->ARGS_PROC_MAPMEM.ulSize,
@@ -1110,6 +1143,10 @@ u32 PROCWRAP_ReserveMemory(union Trapped_Args *args, void *pr_ctxt)
DSP_STATUS status;
void *pRsvAddr;
+ if ((args->ARGS_PROC_RSVMEM.ulSize <= 0) ||
+ (args->ARGS_PROC_RSVMEM.ulSize & (PG_SIZE_4K - 1)) != 0)
+ return DSP_ESIZE;
+
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_ReserveMemory: entered\n");
status = PROC_ReserveMemory(args->ARGS_PROC_RSVMEM.hProcessor,
args->ARGS_PROC_RSVMEM.ulSize, &pRsvAddr);
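Review bot: `args->ARGS_PROC_RSVMEM.ulSize <= 0` reads as a signed test, but the field name and the mask against `PG_SIZE_4K - 1` suggest an unsigned size, in which case only the `== 0` half can ever be true. `!args->ARGS_PROC_RSVMEM.ulSize`, as used in the PROCWRAP_Map hunk, states the intent directly. The check also sits before the `GT_0trace` entry trace, so a rejected call leaves no trace, unlike PROCWRAP_Map and PROCWRAP_GetState in this patch where the trace comes first.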
@@ -1236,6 +1273,9 @@ u32 NODEWRAP_AllocMsgBuf(union Trapped_Args *args, void *pr_ctxt)
struct DSP_BUFFERATTR attr;
u8 *pBuffer = NULL;
+ if (!args->ARGS_NODE_ALLOCMSGBUF.uSize)
+ return DSP_ESIZE;
+
if (args->ARGS_NODE_ALLOCMSGBUF.pAttr) { /* Optional argument */
cp_fm_usr(&attr, args->ARGS_NODE_ALLOCMSGBUF.pAttr, status, 1);
if (DSP_SUCCEEDED(status))
@@ -1361,6 +1401,10 @@ u32 NODEWRAP_FreeMsgBuf(union Trapped_Args *args, void *pr_ctxt)
pAttr = &attr;
}
+
+ if (!args->ARGS_NODE_FREEMSGBUF.pBuffer)
+ return DSP_EPOINTER;
+
if (DSP_SUCCEEDED(status)) {
status = NODE_FreeMsgBuf(args->ARGS_NODE_FREEMSGBUF.hNode,
args->ARGS_NODE_FREEMSGBUF.pBuffer,
@@ -1510,7 +1554,6 @@ u32 NODEWRAP_GetUUIDProps(union Trapped_Args *args, void *pr_ctxt)
GT_0trace(WCD_debugMask, GT_ENTER,
"NODEWRAP_GetUUIDPropste: entered\n");
-
cp_fm_usr(&nodeId, args->ARGS_NODE_GETUUIDPROPS.pNodeID, status, 1);
if (DSP_FAILED(status))
goto func_cont;
@@ -1538,7 +1581,8 @@ u32 STRMWRAP_AllocateBuffer(union Trapped_Args *args, void *pr_ctxt)
u8 **apBuffer = NULL;
u32 uNumBufs = args->ARGS_STRM_ALLOCATEBUFFER.uNumBufs;
- DBC_Require(uNumBufs <= MAX_BUFS);
+ if (uNumBufs > MAX_BUFS)
+ return DSP_EINVALIDARG;
apBuffer = MEM_Alloc((uNumBufs * sizeof(u8 *)), MEM_NONPAGED);
@@ -1570,7 +1614,8 @@ u32 STRMWRAP_FreeBuffer(union Trapped_Args *args, void *pr_ctxt)
u8 **apBuffer = NULL;
u32 uNumBufs = args->ARGS_STRM_FREEBUFFER.uNumBufs;
- DBC_Require(uNumBufs <= MAX_BUFS);
+ if (uNumBufs > MAX_BUFS)
+ return DSP_EINVALIDARG;
apBuffer = MEM_Alloc((uNumBufs * sizeof(u8 *)), MEM_NONPAGED);
@@ -1643,6 +1688,10 @@ u32 STRMWRAP_Idle(union Trapped_Args *args, void *pr_ctxt)
u32 STRMWRAP_Issue(union Trapped_Args *args, void *pr_ctxt)
{
DSP_STATUS status = DSP_SOK;
+
+ if (!args->ARGS_STRM_ISSUE.pBuffer)
+ return DSP_EPOINTER;
+
/* No need of doing cp_fm_usr for the user buffer (pBuffer)
as this is done in Bridge internal function WMD_CHNL_AddIOReq
in chnl_sm.c */
@@ -1669,8 +1718,11 @@ u32 STRMWRAP_Open(union Trapped_Args *args, void *pr_ctxt)
if (attr.pStreamAttrIn != NULL) { /* Optional argument */
cp_fm_usr(&strmAttrIn, attr.pStreamAttrIn, status, 1);
- if (DSP_SUCCEEDED(status))
+ if (DSP_SUCCEEDED(status)) {
attr.pStreamAttrIn = &strmAttrIn;
+ if (attr.pStreamAttrIn->lMode == STRMMODE_LDMA)
+ return DSP_ENOTIMPL;
+ }
}
status = STRM_Open(args->ARGS_STRM_OPEN.hNode,
@@ -1740,7 +1792,8 @@ u32 STRMWRAP_Select(union Trapped_Args *args, void *pr_ctxt)
struct STRM_OBJECT *aStrmTab[MAX_STREAMS];
DSP_STATUS status = DSP_SOK;
- DBC_Require(args->ARGS_STRM_SELECT.nStreams <= MAX_STREAMS);
+ if (args->ARGS_STRM_SELECT.nStreams > MAX_STREAMS)
+ return DSP_EINVALIDARG;
cp_fm_usr(aStrmTab, args->ARGS_STRM_SELECT.aStreamTab, status,
args->ARGS_STRM_SELECT.nStreams);
diff --git a/drivers/dsp/bridge/services/mem.c b/drivers/dsp/bridge/services/mem.c
index 85eb477..cdda1e8 100644
--- a/drivers/dsp/bridge/services/mem.c
+++ b/drivers/dsp/bridge/services/mem.c
@@ -493,10 +493,6 @@ void MEM_FlushCache(void *pMemBuf, u32 cBytes, s32 FlushType)
outer_flush_range(__pa((u32)pMemBuf), __pa((u32)pMemBuf +
cBytes));
break;
- default:
- GT_1trace(MEM_debugMask, GT_6CLASS, "MEM_FlushCache: invalid "
- "FlushMemType 0x%x\n", FlushType);
- break;
}
}
--
1.6.2.4
* [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails
2010-01-14 1:11 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Omar Ramirez Luna
@ 2010-01-14 1:11 ` Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix Omar Ramirez Luna
2010-01-18 18:30 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Ramirez Luna, Omar
2010-01-18 18:30 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Ramirez Luna, Omar
1 sibling, 2 replies; 7+ messages in thread
From: Omar Ramirez Luna @ 2010-01-14 1:11 UTC (permalink / raw)
To: linux-omap; +Cc: Ernesto Ramos, Nishanth Menon, Hiroshi Doyu, Ameya Palande
From: Ernesto Ramos <ernesto@ti.com>
Release resources allocated during MAP, Node Allocation and
STRM Buf Allocation in case cp_to_usr fails.
Signed-off-by: Ernesto Ramos <ernesto@ti.com>
CC: Nishanth Menon <nm@ti.com>
CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
CC: Ameya Palande <ameya.palande@nokia.com>
---
drivers/dsp/bridge/pmgr/wcd.c | 35 ++++++++++++++++++++++++++++-------
1 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/drivers/dsp/bridge/pmgr/wcd.c b/drivers/dsp/bridge/pmgr/wcd.c
index 006ca63..5062053 100644
--- a/drivers/dsp/bridge/pmgr/wcd.c
+++ b/drivers/dsp/bridge/pmgr/wcd.c
@@ -1104,8 +1104,11 @@ u32 PROCWRAP_Map(union Trapped_Args *args, void *pr_ctxt)
args->ARGS_PROC_MAPMEM.pReqAddr, &pMapAddr,
args->ARGS_PROC_MAPMEM.ulMapAttr, pr_ctxt);
if (DSP_SUCCEEDED(status)) {
- if (put_user(pMapAddr, args->ARGS_PROC_MAPMEM.ppMapAddr))
+ if (put_user(pMapAddr, args->ARGS_PROC_MAPMEM.ppMapAddr)) {
status = DSP_EINVALIDARG;
+ PROC_UnMap(args->ARGS_PROC_MAPMEM.hProcessor,
+ pMapAddr, pr_ctxt);
+ }
}
return status;
@@ -1150,9 +1153,13 @@ u32 PROCWRAP_ReserveMemory(union Trapped_Args *args, void *pr_ctxt)
GT_0trace(WCD_debugMask, GT_ENTER, "PROCWRAP_ReserveMemory: entered\n");
status = PROC_ReserveMemory(args->ARGS_PROC_RSVMEM.hProcessor,
args->ARGS_PROC_RSVMEM.ulSize, &pRsvAddr);
- if (put_user(pRsvAddr, args->ARGS_PROC_RSVMEM.ppRsvAddr))
- status = DSP_EINVALIDARG;
-
+ if (DSP_SUCCEEDED(status)) {
+ if (put_user(pRsvAddr, args->ARGS_PROC_RSVMEM.ppRsvAddr)) {
+ status = DSP_EINVALIDARG;
+ PROC_UnReserveMemory(args->ARGS_PROC_RSVMEM.hProcessor,
+ pRsvAddr);
+ }
+ }
return status;
}
@@ -1255,7 +1262,13 @@ u32 NODEWRAP_Allocate(union Trapped_Args *args, void *pr_ctxt)
&nodeId, (struct DSP_CBDATA *)pArgs,
pAttrIn, &hNode, pr_ctxt);
}
- cp_to_usr(args->ARGS_NODE_ALLOCATE.phNode, &hNode, status, 1);
+ if (DSP_SUCCEEDED(status)) {
+ cp_to_usr(args->ARGS_NODE_ALLOCATE.phNode, &hNode, status, 1);
+ if (DSP_FAILED(status)) {
+ status = DSP_EPOINTER;
+ NODE_Delete(hNode, pr_ctxt);
+ }
+ }
func_cont:
if (pArgs)
MEM_Free(pArgs);
@@ -1589,8 +1602,16 @@ u32 STRMWRAP_AllocateBuffer(union Trapped_Args *args, void *pr_ctxt)
status = STRM_AllocateBuffer(args->ARGS_STRM_ALLOCATEBUFFER.hStream,
args->ARGS_STRM_ALLOCATEBUFFER.uSize,
apBuffer, uNumBufs, pr_ctxt);
- cp_to_usr(args->ARGS_STRM_ALLOCATEBUFFER.apBuffer, apBuffer, status,
- uNumBufs);
+ if (DSP_SUCCEEDED(status)) {
+ cp_to_usr(args->ARGS_STRM_ALLOCATEBUFFER.apBuffer, apBuffer,
+ status, uNumBufs);
+ if (DSP_FAILED(status)) {
+ status = DSP_EPOINTER;
+ STRM_FreeBuffer(
+ args->ARGS_STRM_ALLOCATEBUFFER.hStream,
+ apBuffer, uNumBufs, pr_ctxt);
+ }
+ }
if (apBuffer)
MEM_Free(apBuffer);
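Review bot: The trailing `if (apBuffer)` shows that `apBuffer` can be NULL at this point, yet it is passed to STRM_AllocateBuffer and, in the new rollback, to STRM_FreeBuffer with no check in this hunk. The `MEM_Alloc` that produces it is above the hunk; unless a NULL test sits there or inside those callees, a failed allocation flows into both calls. A guard right after the allocation, `if (!apBuffer) return DSP_EMEMORY;`, would close that path and make the later `if (apBuffer)` unnecessary.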
--
1.6.2.4
* [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix
2010-01-14 1:11 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Omar Ramirez Luna
@ 2010-01-14 1:11 ` Omar Ramirez Luna
2010-01-18 18:31 ` Ramirez Luna, Omar
2010-01-18 18:30 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Ramirez Luna, Omar
1 sibling, 1 reply; 7+ messages in thread
From: Omar Ramirez Luna @ 2010-01-14 1:11 UTC (permalink / raw)
To: linux-omap; +Cc: Ernesto Ramos, Nishanth Menon, Hiroshi Doyu, Ameya Palande
From: Ernesto Ramos <ernesto@ti.com>
This patch takes care of possible NULL pointer
dereferences within the dsp bridge driver.
Signed-off-by: Ernesto Ramos <ernesto@ti.com>
CC: Nishanth Menon <nm@ti.com>
CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
CC: Ameya Palande <ameya.palande@nokia.com>
---
drivers/dsp/bridge/rmgr/nldr.c | 3 ++-
drivers/dsp/bridge/rmgr/node.c | 6 +++---
drivers/dsp/bridge/rmgr/proc.c | 9 ++++-----
drivers/dsp/bridge/wmd/chnl_sm.c | 2 +-
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/dsp/bridge/rmgr/nldr.c b/drivers/dsp/bridge/rmgr/nldr.c
index 24eb9c6..e977a94 100644
--- a/drivers/dsp/bridge/rmgr/nldr.c
+++ b/drivers/dsp/bridge/rmgr/nldr.c
@@ -1007,7 +1007,8 @@ DSP_STATUS NLDR_Unload(struct NLDR_NODEOBJECT *hNldrNode, enum NLDR_PHASE phase)
/* Unload main library */
pRootLib = &hNldrNode->root;
}
- UnloadLib(hNldrNode, pRootLib);
+ if (pRootLib)
+ UnloadLib(hNldrNode, pRootLib);
} else {
if (hNldrNode->fOverlay)
UnloadOvly(hNldrNode, phase);
diff --git a/drivers/dsp/bridge/rmgr/node.c b/drivers/dsp/bridge/rmgr/node.c
index 9127751..fd9e7cf 100644
--- a/drivers/dsp/bridge/rmgr/node.c
+++ b/drivers/dsp/bridge/rmgr/node.c
@@ -906,7 +906,7 @@ DSP_STATUS NODE_ChangePriority(struct NODE_OBJECT *hNode, s32 nPriority)
GT_2trace(NODE_debugMask, GT_ENTER, "NODE_ChangePriority: "
"hNode: 0x%x\tnPriority: %d\n", hNode, nPriority);
- if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE)) {
+ if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE) || !hNode->hNodeMgr) {
GT_1trace(NODE_debugMask, GT_7CLASS,
"Invalid NODE Handle: 0x%x\n", hNode);
status = DSP_EHANDLE;
@@ -2612,7 +2612,7 @@ DSP_STATUS NODE_Terminate(struct NODE_OBJECT *hNode, OUT DSP_STATUS *pStatus)
GT_1trace(NODE_debugMask, GT_ENTER,
"NODE_Terminate: hNode: 0x%x\n", hNode);
- if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE)) {
+ if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE) || !hNode->hNodeMgr) {
status = DSP_EHANDLE;
goto func_end;
}
@@ -3329,7 +3329,7 @@ DSP_STATUS NODE_GetUUIDProps(DSP_HPROCESSOR hProcessor,
pNodeId, pNodeProps);
status = PROC_GetDevObject(hProcessor, &hDevObject);
- if (DSP_SUCCEEDED(status) && hDevObject != NULL) {
+ if (!hDevObject) {
status = DEV_GetNodeManager(hDevObject, &hNodeMgr);
if (hNodeMgr == NULL) {
status = DSP_EHANDLE;
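Review bot: The new condition `if (!hDevObject) {` is inverted: the block now runs only when `hDevObject` is NULL and passes that NULL to `DEV_GetNodeManager(hDevObject, &hNodeMgr)`, while a valid device object skips the node-manager lookup altogether. It also drops the `DSP_SUCCEEDED(status)` test on the PROC_GetDevObject result. `if (DSP_SUCCEEDED(status) && hDevObject) {` keeps the original guard and matches the stated intent of this patch. The rest of the block lies outside the hunk, so what happens on the skipped path cannot be confirmed from here.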
diff --git a/drivers/dsp/bridge/rmgr/proc.c b/drivers/dsp/bridge/rmgr/proc.c
index f88128e..6693651 100644
--- a/drivers/dsp/bridge/rmgr/proc.c
+++ b/drivers/dsp/bridge/rmgr/proc.c
@@ -573,12 +573,11 @@ DSP_STATUS PROC_Detach(struct PROCESS_CONTEXT *pr_ctxt)
DSP_STATUS status = DSP_SOK;
struct PROC_OBJECT *pProcObject = NULL;
- if (pr_ctxt && pr_ctxt->hProcessor)
- pProcObject = (struct PROC_OBJECT *)pr_ctxt->hProcessor;
-
DBC_Require(cRefs > 0);
- GT_1trace(PROC_DebugMask, GT_ENTER, "Entered PROC_Detach, args:\n\t"
- "pr_ctxt->phProcessor: 0x%x\n", *pProcObject);
+ GT_0trace(PROC_DebugMask, GT_ENTER, "Entered PROC_Detach\n");
+
+ if (pr_ctxt)
+ pProcObject = (struct PROC_OBJECT *)pr_ctxt->hProcessor;
if (MEM_IsValidHandle(pProcObject, PROC_SIGNATURE)) {
/* Notify the Client */
diff --git a/drivers/dsp/bridge/wmd/chnl_sm.c b/drivers/dsp/bridge/wmd/chnl_sm.c
index f0bd986..7c1d7f7 100644
--- a/drivers/dsp/bridge/wmd/chnl_sm.c
+++ b/drivers/dsp/bridge/wmd/chnl_sm.c
@@ -326,7 +326,7 @@ DSP_STATUS WMD_CHNL_CancelIO(struct CHNL_OBJECT *hChnl)
struct CHNL_MGR *pChnlMgr = NULL;
/* Check args: */
- if (MEM_IsValidHandle(pChnl, CHNL_SIGNATURE)) {
+ if (MEM_IsValidHandle(pChnl, CHNL_SIGNATURE) && pChnl->pChnlMgr) {
iChnl = pChnl->uId;
uMode = pChnl->uMode;
pChnlMgr = pChnl->pChnlMgr;
--
1.6.2.4
* RE: [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails
2010-01-14 1:11 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix Omar Ramirez Luna
@ 2010-01-18 18:30 ` Ramirez Luna, Omar
1 sibling, 0 replies; 7+ messages in thread
From: Ramirez Luna, Omar @ 2010-01-18 18:30 UTC (permalink / raw)
To: Ramirez Luna, Omar, linux-omap
Cc: Ramos Falcon, Ernesto, Menon, Nishanth, Hiroshi Doyu,
Ameya Palande
>From: Ramirez Luna, Omar on Wednesday, January 13, 2010 7:11 PM
>
>From: Ernesto Ramos <ernesto@ti.com>
>
>Release resources allocated during MAP, Node Allocation,
>STRM Buf Allocation in the case of cp_to_usr fails.
>
>Signed-off-by: Ernesto Ramos <ernesto@ti.com>
>CC: Nishanth Menon <nm@ti.com>
>CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
>CC: Ameya Palande <ameya.palande@nokia.com>
>---
> drivers/dsp/bridge/pmgr/wcd.c | 35 ++++++++++++++++++++++++++++-------
> 1 files changed, 28 insertions(+), 7 deletions(-)
>
Pushed to dspbridge
- omar
* RE: [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters
2010-01-14 1:11 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Omar Ramirez Luna
@ 2010-01-18 18:30 ` Ramirez Luna, Omar
1 sibling, 0 replies; 7+ messages in thread
From: Ramirez Luna, Omar @ 2010-01-18 18:30 UTC (permalink / raw)
To: Ramirez Luna, Omar, linux-omap
Cc: Ramos Falcon, Ernesto, Menon, Nishanth, Hiroshi Doyu,
Ameya Palande
>From: Ramirez Luna, Omar on Wednesday, January 13, 2010 7:11 PM
>
>From: Ernesto Ramos <ernesto@ti.com>
>
>Add more error checking and range to address usecases
>accessing kernel APIs directly.
>
>Signed-off-by: Ernesto Ramos <ernesto@ti.com>
>CC: Nishanth Menon <nm@ti.com>
>CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
>CC: Ameya Palande <ameya.palande@nokia.com>
>---
> arch/arm/plat-omap/include/dspbridge/dbdefs.h | 4 +-
> drivers/dsp/bridge/pmgr/wcd.c | 91 +++++++++++++++++++-----
> drivers/dsp/bridge/services/mem.c | 4 -
> 3 files changed, 75 insertions(+), 24 deletions(-)
>
Pushed to dspbridge
- omar
* RE: [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix
2010-01-14 1:11 ` [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix Omar Ramirez Luna
@ 2010-01-18 18:31 ` Ramirez Luna, Omar
0 siblings, 0 replies; 7+ messages in thread
From: Ramirez Luna, Omar @ 2010-01-18 18:31 UTC (permalink / raw)
To: Ramirez Luna, Omar, linux-omap
Cc: Ramos Falcon, Ernesto, Menon, Nishanth, Hiroshi Doyu,
Ameya Palande
>From: Omar Ramirez Luna on Wednesday, January 13, 2010 7:11 PM
>
>From: Ernesto Ramos <ernesto@ti.com>
>
>This patch takes care of the possible null pointers
>dereferenced within dsp bridge driver.
>
>Signed-off-by: Ernesto Ramos <ernesto@ti.com>
>CC: Nishanth Menon <nm@ti.com>
>CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
>CC: Ameya Palande <ameya.palande@nokia.com>
>---
> drivers/dsp/bridge/rmgr/nldr.c | 3 ++-
> drivers/dsp/bridge/rmgr/node.c | 6 +++---
> drivers/dsp/bridge/rmgr/proc.c | 9 ++++-----
> drivers/dsp/bridge/wmd/chnl_sm.c | 2 +-
> 4 files changed, 10 insertions(+), 10 deletions(-)
>
Pushed to dspbridge.
- omar