From: Omar Ramirez Luna <omar.ramirez@ti.com>
To: linux-omap <linux-omap@vger.kernel.org>
Cc: Ernesto Ramos <ernesto@ti.com>, Nishanth Menon <nm@ti.com>,
Hiroshi Doyu <Hiroshi.DOYU@nokia.com>,
Ameya Palande <ameya.palande@nokia.com>
Subject: [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix
Date: Wed, 13 Jan 2010 19:11:16 -0600 [thread overview]
Message-ID: <1263431476-19206-4-git-send-email-omar.ramirez@ti.com> (raw)
In-Reply-To: <1263431476-19206-3-git-send-email-omar.ramirez@ti.com>
From: Ernesto Ramos <ernesto@ti.com>
This patch takes care of the possible null pointers
dereferenced within dsp bridge driver.
Signed-off-by: Ernesto Ramos <ernesto@ti.com>
CC: Nishanth Menon <nm@ti.com>
CC: Hiroshi Doyu <Hiroshi.DOYU@nokia.com>
CC: Ameya Palande <ameya.palande@nokia.com>
---
drivers/dsp/bridge/rmgr/nldr.c | 3 ++-
drivers/dsp/bridge/rmgr/node.c | 6 +++---
drivers/dsp/bridge/rmgr/proc.c | 9 ++++-----
drivers/dsp/bridge/wmd/chnl_sm.c | 2 +-
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/dsp/bridge/rmgr/nldr.c b/drivers/dsp/bridge/rmgr/nldr.c
index 24eb9c6..e977a94 100644
--- a/drivers/dsp/bridge/rmgr/nldr.c
+++ b/drivers/dsp/bridge/rmgr/nldr.c
@@ -1007,7 +1007,8 @@ DSP_STATUS NLDR_Unload(struct NLDR_NODEOBJECT *hNldrNode, enum NLDR_PHASE phase)
/* Unload main library */
pRootLib = &hNldrNode->root;
}
- UnloadLib(hNldrNode, pRootLib);
+ if (pRootLib)
+ UnloadLib(hNldrNode, pRootLib);
} else {
if (hNldrNode->fOverlay)
UnloadOvly(hNldrNode, phase);
diff --git a/drivers/dsp/bridge/rmgr/node.c b/drivers/dsp/bridge/rmgr/node.c
index 9127751..fd9e7cf 100644
--- a/drivers/dsp/bridge/rmgr/node.c
+++ b/drivers/dsp/bridge/rmgr/node.c
@@ -906,7 +906,7 @@ DSP_STATUS NODE_ChangePriority(struct NODE_OBJECT *hNode, s32 nPriority)
GT_2trace(NODE_debugMask, GT_ENTER, "NODE_ChangePriority: "
"hNode: 0x%x\tnPriority: %d\n", hNode, nPriority);
- if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE)) {
+ if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE) || !hNode->hNodeMgr) {
GT_1trace(NODE_debugMask, GT_7CLASS,
"Invalid NODE Handle: 0x%x\n", hNode);
status = DSP_EHANDLE;
@@ -2612,7 +2612,7 @@ DSP_STATUS NODE_Terminate(struct NODE_OBJECT *hNode, OUT DSP_STATUS *pStatus)
GT_1trace(NODE_debugMask, GT_ENTER,
"NODE_Terminate: hNode: 0x%x\n", hNode);
- if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE)) {
+ if (!MEM_IsValidHandle(hNode, NODE_SIGNATURE) || !hNode->hNodeMgr) {
status = DSP_EHANDLE;
goto func_end;
}
@@ -3329,7 +3329,7 @@ DSP_STATUS NODE_GetUUIDProps(DSP_HPROCESSOR hProcessor,
pNodeId, pNodeProps);
status = PROC_GetDevObject(hProcessor, &hDevObject);
- if (DSP_SUCCEEDED(status) && hDevObject != NULL) {
+ if (!hDevObject) {
status = DEV_GetNodeManager(hDevObject, &hNodeMgr);
if (hNodeMgr == NULL) {
status = DSP_EHANDLE;
diff --git a/drivers/dsp/bridge/rmgr/proc.c b/drivers/dsp/bridge/rmgr/proc.c
index f88128e..6693651 100644
--- a/drivers/dsp/bridge/rmgr/proc.c
+++ b/drivers/dsp/bridge/rmgr/proc.c
@@ -573,12 +573,11 @@ DSP_STATUS PROC_Detach(struct PROCESS_CONTEXT *pr_ctxt)
DSP_STATUS status = DSP_SOK;
struct PROC_OBJECT *pProcObject = NULL;
- if (pr_ctxt && pr_ctxt->hProcessor)
- pProcObject = (struct PROC_OBJECT *)pr_ctxt->hProcessor;
-
DBC_Require(cRefs > 0);
- GT_1trace(PROC_DebugMask, GT_ENTER, "Entered PROC_Detach, args:\n\t"
- "pr_ctxt->phProcessor: 0x%x\n", *pProcObject);
+ GT_0trace(PROC_DebugMask, GT_ENTER, "Entered PROC_Detach\n");
+
+ if (pr_ctxt)
+ pProcObject = (struct PROC_OBJECT *)pr_ctxt->hProcessor;
if (MEM_IsValidHandle(pProcObject, PROC_SIGNATURE)) {
/* Notify the Client */
diff --git a/drivers/dsp/bridge/wmd/chnl_sm.c b/drivers/dsp/bridge/wmd/chnl_sm.c
index f0bd986..7c1d7f7 100644
--- a/drivers/dsp/bridge/wmd/chnl_sm.c
+++ b/drivers/dsp/bridge/wmd/chnl_sm.c
@@ -326,7 +326,7 @@ DSP_STATUS WMD_CHNL_CancelIO(struct CHNL_OBJECT *hChnl)
struct CHNL_MGR *pChnlMgr = NULL;
/* Check args: */
- if (MEM_IsValidHandle(pChnl, CHNL_SIGNATURE)) {
+ if (MEM_IsValidHandle(pChnl, CHNL_SIGNATURE) && pChnl->pChnlMgr) {
iChnl = pChnl->uId;
uMode = pChnl->uMode;
pChnlMgr = pChnl->pChnlMgr;
--
1.6.2.4
next prev parent reply other threads:[~2010-01-14 1:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-14 1:11 [PATCH 0/3] Interface tightening patches Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Omar Ramirez Luna
2010-01-14 1:11 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Omar Ramirez Luna
2010-01-14 1:11 ` Omar Ramirez Luna [this message]
2010-01-18 18:31 ` [PATCH 3/3] DSPBRIDGE: NULL Pointer Dereference fix Ramirez Luna, Omar
2010-01-18 18:30 ` [PATCH 2/3] DSPBRIDGE: Undo allocation of resources in case of cp_to_usr fails Ramirez Luna, Omar
2010-01-18 18:30 ` [PATCH 1/3] DSPBRIDGE: Interface tightening to check for invalid input parameters Ramirez Luna, Omar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1263431476-19206-4-git-send-email-omar.ramirez@ti.com \
--to=omar.ramirez@ti.com \
--cc=Hiroshi.DOYU@nokia.com \
--cc=ameya.palande@nokia.com \
--cc=ernesto@ti.com \
--cc=linux-omap@vger.kernel.org \
--cc=nm@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox