diff --git a/os/linux/gl_hook_api.c b/os/linux/gl_hook_api.c
index e47e203..864efa9 100644
--- a/os/linux/gl_hook_api.c
+++ b/os/linux/gl_hook_api.c
@@ -2505,6 +2505,8 @@
 	kalMemSet(&rAccessEfuseInfoWrite, 0, sizeof(PARAM_CUSTOM_ACCESS_EFUSE_T));
 	u4Index = u2Offset % EFUSE_BLOCK_SIZE;
 
+	if (u4Index > EFUSE_BLOCK_SIZE - 2)
+		return -EINVAL;
 
 	prGlueInfo->prAdapter->aucEepromVaule[u4Index] = u2Content;
 	prGlueInfo->prAdapter->aucEepromVaule[u4Index+1] = u2Content >> 8 & 0xff;
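Review bot: The bound added at line 9 is expressed in EFUSE_BLOCK_SIZE, while the two stores at lines 12–13 index aucEepromVaule, whose declared size is not visible in this hunk, so the guard holds only if that array has at least EFUSE_BLOCK_SIZE entries. Tying the check to the array itself removes that coupling: `if (u4Index + 1 >= ARRAY_SIZE(prGlueInfo->prAdapter->aucEepromVaule)) return -EINVAL;` (assuming aucEepromVaule is a real array rather than a pointer — confirm at the declaration). A one-line comment such as `/* two bytes are stored, at u4Index and u4Index + 1 */` would also explain the `- 2` to the next reader. The enclosing function starts and ends outside the hunk.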
diff --git a/os/linux/gl_p2p.c b/os/linux/gl_p2p.c
index 7bbd977..c021b55 100644
--- a/os/linux/gl_p2p.c
+++ b/os/linux/gl_p2p.c
@@ -493,6 +493,10 @@
 	/* UINT_32 u4Idx = 0; */
 
 	ASSERT(prGlueInfo);
+	if (!prGlueInfo) {
+		DBGLOG(P2P, ERROR, "prGlueInfo error\n");
+		return FALSE;
+	}
 
 	prAdapter = prGlueInfo->prAdapter;
 	prWifiVar = &(prAdapter->rWifiVar);
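Review bot: prAdapter is read from the now-guarded prGlueInfo at line 27 and dereferenced at line 28 without a check of its own, so the new guard stops one step short; the `ASSERT(prWifiVar)` that opens the next hunk tests an address computed from prAdapter and cannot detect a NULL prAdapter. Add after line 27: `if (!prAdapter) { DBGLOG(P2P, ERROR, "prAdapter error\n"); return FALSE; }`. The `ASSERT(prGlueInfo)` at line 21 is now redundant with the explicit check at line 22 and could be dropped; the in-loop `prGlueInfo == NULL` check removed by the hunk at line 29 is consistent with the early return. The enclosing function begins before this hunk.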
@@ -501,9 +505,6 @@
 	ASSERT(prWifiVar);
 
 	do {
-		if (prGlueInfo == NULL)
-			break;
-
 		if (prGlueInfo->prP2PInfo[ucIdex] == NULL) {
 			/*alloc memory for p2p info */
 			prGlueInfo->prP2PInfo[ucIdex] = kalMemAlloc(sizeof(GL_P2P_INFO_T), VIR_MEM_TYPE);
@@ -1141,8 +1142,10 @@
 		}
 	}
 
-	if (i == KAL_P2P_NUM)
+	if (i == KAL_P2P_NUM) {
 		DBGLOG(INIT, WARN, "fail to register wiphy to driver\n");
+		goto free_wiphy;
+	}
 
 	return TRUE;
 
diff --git a/os/linux/gl_p2p_cfg80211.c b/os/linux/gl_p2p_cfg80211.c
index 1df21c8..f83d115 100644
--- a/os/linux/gl_p2p_cfg80211.c
+++ b/os/linux/gl_p2p_cfg80211.c
@@ -311,11 +311,12 @@
 
 	do {
 		prGlueInfo = *((P_GLUE_INFO_T *) wiphy_priv(wiphy));
-		prAdapter = prGlueInfo->prAdapter;
 
 		if (prGlueInfo == NULL)
 			break;
 
+		prAdapter = prGlueInfo->prAdapter;
+
 		for (u4Idx = 0; u4Idx < KAL_P2P_NUM; u4Idx++) {
 			if (prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler ==
 				prGlueInfo->prP2PInfo[u4Idx]->prDevHandler)
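Review bot: prGlueInfo->prP2PInfo[u4Idx] is dereferenced at lines 67–68 without a NULL check, and the gl_p2p.c hunk at line 36 shows these slots being allocated on demand, so moving the prAdapter assignment to line 64 protects prAdapter but not this access. If a slot can still be unallocated when add_iface runs (not visible here — confirm against the allocator's call site), guard it before the comparison, e.g. `if (prGlueInfo->prP2PInfo[u4Idx] == NULL) continue;`, choosing continue or break depending on whether an empty slot should count as a free role port. prAdapter is assigned at line 64 but not used within the visible lines. The enclosing function starts outside the hunk.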
@@ -326,16 +327,16 @@
 			}
 		}
 
-		/*u4Idx = 0;*/
-		DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface u4Idx=%d\n", u4Idx);
-
-		prP2pInfo = prGlueInfo->prP2PInfo[u4Idx];
-
 		if (u4Idx == KAL_P2P_NUM) {
 			/* Role port full. */
 			break;
 		}
 
+		/*u4Idx = 0;*/
+		DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface u4Idx=%d\n", u4Idx);
+
+		prP2pInfo = prGlueInfo->prP2PInfo[u4Idx];
+
 		DBGLOG(P2P, TRACE, "mtk_p2p_cfg80211_add_iface name = %s\n", name);
 #if KERNEL_VERSION(3, 17, 0) <= CFG80211_VERSION_CODE
 		prNewNetDevice = alloc_netdev_mq(sizeof(NETDEV_PRIVATE_GLUE_INFO), name,
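Review bot: The relocated trace at line 84 prints u4Idx, an unsigned loop index, with `%d`; use `%u` so the conversion matches the argument type. Moving the assignment at line 86 behind the full-port check at line 78 is the right fix, since the old order indexed prP2PInfo with u4Idx == KAL_P2P_NUM before the check ran. The enclosing function continues outside the hunk.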
@@ -454,17 +455,20 @@
 			switch (type) {
 			case NL80211_IFTYPE_P2P_CLIENT:
 				DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_CLIENT.\n");
+				prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
+				kalP2PSetRole(prGlueInfo, 1, u4Idx);
+				break;
 			case NL80211_IFTYPE_STATION:
-				if (type == NL80211_IFTYPE_STATION)
 					DBGLOG(P2P, TRACE, "NL80211_IFTYPE_STATION.\n");
 				prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
 				kalP2PSetRole(prGlueInfo, 1, u4Idx);
 				break;
 			case NL80211_IFTYPE_AP:
 				DBGLOG(P2P, TRACE, "NL80211_IFTYPE_AP.\n");
+				prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
 				kalP2PSetRole(prGlueInfo, 2, u4Idx);
+				break;
 			case NL80211_IFTYPE_P2P_GO:
-				if (type == NL80211_IFTYPE_P2P_GO)
 					DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_GO not AP.\n");
 				prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
 				kalP2PSetRole(prGlueInfo, 2, u4Idx);
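Review bot: The trace calls at lines 100 and 111 keep the extra indentation of the removed `if (type == …)` wrappers and now read as if they belonged to a nested block; reindent them to the level of the statements that follow. With the fallthroughs closed, the P2P_CLIENT and STATION cases (lines 93–103) differ only in the trace text, as do AP and P2P_GO, so the duplicated `eOpMode`/`kalP2PSetRole` lines could be folded into one `case A: case B:` pair that logs `type`. The same leftover indentation appears in the hunk at line 176 (`@@ -2642,17 +2652,20 @@`). The P2P_GO case continues outside the hunk.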
@@ -480,9 +484,23 @@
 		}
 
 		/* Send Msg to DevFsm and active P2P dev BSS */
-		prMsgActiveBss = cnmMemAlloc(prGlueInfo->prAdapter, RAM_TYPE_MSG, sizeof(MSG_P2P_ACTIVE_DEV_BSS_T));
+		prMsgActiveBss =
+			(P_MSG_P2P_ACTIVE_DEV_BSS_T) cnmMemAlloc(prGlueInfo->prAdapter, RAM_TYPE_MSG,
+								sizeof(MSG_P2P_ACTIVE_DEV_BSS_T));
+
+		if (prMsgActiveBss == NULL) {
+			ASSERT(FALSE);
+			DBGLOG(INIT, WARN, "unable to alloc msg\n");
+			kfree(prWdev);
+			prWdev = ERR_PTR(-ENOMEM);
+			free_netdev(prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler);
+			prGlueInfo->prP2PInfo[u4Idx]->aprRoleHandler = NULL;
+			break;
+		}
+
 		prMsgActiveBss->rMsgHdr.eMsgId = MID_MNY_P2P_ACTIVE_BSS;
 		mboxSendMsg(prGlueInfo->prAdapter, MBOX_ID_0, (P_MSG_HDR_T) prMsgActiveBss, MSG_SEND_METHOD_BUF);
+
 	} while (FALSE);
 
 	return prWdev;
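Review bot: The cleanup at lines 126–129 calls free_netdev() on aprRoleHandler; if that net_device was registered with register_netdev() earlier in this function (outside the hunk — confirm), it must be unregistered first, otherwise the device stays on the kernel's list with a freed backing object. `ASSERT(FALSE)` at line 124 turns an ordinary allocation failure into a debug assertion; the log line and the ERR_PTR return are the appropriate handling, so drop the ASSERT. The switch-mode message prepared in the previous hunk appears to be sent before this allocation, so a failure here leaves the role switched while the interface is torn down — worth a comment if that is accepted, or move this allocation ahead of the send. The enclosing function begins outside the hunk.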
@@ -1437,8 +1455,6 @@
 /* int inactivity_timeout; */
 /* }; */
 /* ////////////////// */
-
-	return i4Rslt;
 }				/* mtk_p2p_cfg80211_start_ap */
 
 #if (CFG_SUPPORT_DFS_MASTER == 1)
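Review bot: Removing `return i4Rslt;` at line 144 leaves mtk_p2p_cfg80211_start_ap with no return statement on the path visible here; unless a return precedes the commented-out block (above the hunk, not visible), control now falls off the end of a non-void function, which is undefined behaviour and hands cfg80211 an arbitrary status. If the removed return was unreachable because of an earlier one, a comment there, `/* all paths return above */`, would stop the next reader asking the same question. The enclosing function starts outside the hunk.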
@@ -1481,12 +1497,9 @@
 		prGlueInfo->prP2PInfo[ucRoleIdx]->cac_time_ms = cac_time_ms;
 
 
-		if (chandef) {
 			mtk_p2p_cfg80211func_channel_format_switch(chandef, chandef->chan, &rRfChnlInfo);
 
 			p2pFuncSetChannel(prGlueInfo->prAdapter, ucRoleIdx, &rRfChnlInfo);
-		} else
-			break;
 
 		DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_start_radar_detection.(role %d)\n", ucRoleIdx);
 
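Review bot: Dropping the `if (chandef)` branch at lines 152–157 makes line 153 dereference chandef unconditionally, and nothing within this hunk validates it; unless the function already rejects a NULL chandef before line 149 (outside the hunk, not visible), the removed check was the only guard. By contrast, the `if (params)` removal in the next hunk (line 165) is safe because line 162 already dereferences params. In both hunks the surviving lines (153, 155, 166–169) keep the extra indentation of the removed block and should be reindented. Both enclosing functions start outside their hunks.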
@@ -1596,13 +1609,10 @@
 		memcpy(prGlueInfo->prP2PInfo[ucRoleIdx]->chandef->chan, params->chandef.chan,
 							sizeof(struct ieee80211_channel));
 
-		if (params) {
 			mtk_p2p_cfg80211func_channel_format_switch(&params->chandef,
 								params->chandef.chan, &rRfChnlInfo);
 
 			p2pFuncSetChannel(prGlueInfo->prAdapter, ucRoleIdx, &rRfChnlInfo);
-		} else
-			break;
 
 		DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_channel_switch.(role %d)\n", ucRoleIdx);
 
@@ -2642,17 +2652,20 @@
 		switch (type) {
 		case NL80211_IFTYPE_P2P_CLIENT:
 			DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_CLIENT.\n");
+			prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
+			kalP2PSetRole(prGlueInfo, 1, ucRoleIdx);
+			break;
 		case NL80211_IFTYPE_STATION:
-			if (type == NL80211_IFTYPE_STATION)
 				DBGLOG(P2P, TRACE, "NL80211_IFTYPE_STATION.\n");
 			prSwitchModeMsg->eOpMode = OP_MODE_INFRASTRUCTURE;
 			kalP2PSetRole(prGlueInfo, 1, ucRoleIdx);
 			break;
 		case NL80211_IFTYPE_AP:
 			DBGLOG(P2P, TRACE, "NL80211_IFTYPE_AP.\n");
+			prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
 			kalP2PSetRole(prGlueInfo, 2, ucRoleIdx);
+			break;
 		case NL80211_IFTYPE_P2P_GO:
-			if (type == NL80211_IFTYPE_P2P_GO)
 				DBGLOG(P2P, TRACE, "NL80211_IFTYPE_P2P_GO not AP.\n");
 			prSwitchModeMsg->eOpMode = OP_MODE_ACCESS_POINT;
 			kalP2PSetRole(prGlueInfo, 2, ucRoleIdx);
@@ -2678,13 +2691,16 @@
 {
 	INT_32 i4Rslt = -EINVAL;
 	P_GLUE_INFO_T prGlueInfo = (P_GLUE_INFO_T) NULL;
+	struct net_device *dev = (struct net_device *) NULL;
 	RF_CHANNEL_INFO_T rRfChnlInfo;
 	UINT_8 ucRoleIdx = 0;
-	struct net_device *dev = (struct net_device *)wiphy_dev(wiphy);
+
+	if ((wiphy == NULL) || (chandef == NULL))
+		return i4Rslt;
+
+	dev = (struct net_device *) wiphy_dev(wiphy);
 
 	do {
-		if ((wiphy == NULL) || (chandef == NULL))
-			break;
 		DBGLOG(P2P, INFO, "mtk_p2p_cfg80211_set_channel.\n");
 
 		prGlueInfo = *((P_GLUE_INFO_T *) wiphy_priv(wiphy));
diff --git a/os/linux/gl_p2p_kal.c b/os/linux/gl_p2p_kal.c
index 22a6eaf..3fe22c3 100644
--- a/os/linux/gl_p2p_kal.c
+++ b/os/linux/gl_p2p_kal.c
@@ -1394,12 +1394,15 @@
 struct ieee80211_channel *kalP2pFuncGetChannelEntry(IN P_GL_P2P_INFO_T prP2pInfo, IN P_RF_CHANNEL_INFO_T prChannelInfo)
 {
 	struct ieee80211_channel *prTargetChannelEntry = (struct ieee80211_channel *)NULL;
+	struct wiphy *wiphy = (struct wiphy *) NULL;
 	UINT_32 u4TblSize = 0, u4Idx = 0;
-	struct wiphy *wiphy = prP2pInfo->prWdev->wiphy;
+
+	if ((prP2pInfo == NULL) || (prChannelInfo == NULL))
+		return NULL;
+
+	wiphy = prP2pInfo->prWdev->wiphy;
 
 	do {
-		if ((prP2pInfo == NULL) || (prChannelInfo == NULL))
-			break;
 
 		switch (prChannelInfo->eBand) {
 		case BAND_2G4:
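Review bot: The early return at lines 230–231 covers prP2pInfo and prChannelInfo, but line 233 still dereferences prP2pInfo->prWdev without a check; if a role's wdev can be absent when channels are looked up (its lifetime is not visible here — confirm), `if (prP2pInfo->prWdev == NULL) return NULL;` belongs before line 233. The blank line left at line 238 directly after `do {` can go. The function continues outside the hunk.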
diff --git a/os/linux/gl_qa_agent.c b/os/linux/gl_qa_agent.c
index a914561..990aab7 100644
--- a/os/linux/gl_qa_agent.c
+++ b/os/linux/gl_qa_agent.c
@@ -2388,7 +2388,6 @@
 	ResponseToQA(HqaCmdFrame, prIwReqData, 2 + Len, i4Ret);
 
 exit:
-
 	kfree(Buffer);
 
 	return i4Ret;
diff --git a/os/linux/gl_vendor.c b/os/linux/gl_vendor.c
index 227cd2e..13abe5d 100644
--- a/os/linux/gl_vendor.c
+++ b/os/linux/gl_vendor.c
@@ -835,10 +835,12 @@
 	DBGLOG(REQ, INFO, "vendor command: data_len=%d\n", data_len);
 
 	attr = (struct nlattr *)data;
-	if (attr->nla_type == WIFI_ATTRIBUTE_COUNTRY_CODE) {
+
+	if (attr->nla_type != WIFI_ATTRIBUTE_COUNTRY_CODE)
+		return -EINVAL;
+
 		country[0] = *((PUINT_8)nla_data(attr));
 		country[1] = *((PUINT_8)nla_data(attr) + 1);
-	}
 
 	DBGLOG(REQ, INFO, "Set country code: %c%c\n", country[0], country[1]);
 
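Review bot: The check added at line 263 validates only the attribute type; lines 266–267 then read two payload bytes through nla_data() without confirming that data_len covers the nlattr header or that the attribute carries at least two bytes, so a short vendor command reads past the supplied buffer. Validate the attribute against the length the caller passed: `if (!nla_ok(attr, data_len) || attr->nla_type != WIFI_ATTRIBUTE_COUNTRY_CODE || nla_len(attr) < 2) return -EINVAL;`. Lines 266–267 also keep the indentation of the removed `if` block and should be reindented. The enclosing function starts outside the hunk.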
diff --git a/os/linux/gl_wext.c b/os/linux/gl_wext.c
index 2afad9c..d1f6bf2 100644
--- a/os/linux/gl_wext.c
+++ b/os/linux/gl_wext.c
@@ -1343,7 +1343,7 @@
 	/* } */
 
 	if (prGlueInfo->eParamMediaStateIndicated == PARAM_MEDIA_STATE_DISCONNECTED) {
-		memset(prAddr, 0, 6);
+		memset(prAddr, 0, sizeof(*prAddr));
 		return 0;
 	}
 
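Review bot: `sizeof(*prAddr)` at line 281 is equivalent to the old `6` only if prAddr points at a six-byte object; its type is not visible here, and for the usual SIOCGIWAP handler it is a `struct sockaddr *`, in which case the new line also zeroes sa_family, whereas for a byte pointer it would clear a single byte. If the intent is to clear just the MAC address, say so explicitly, e.g. `memset(prAddr->sa_data, 0, ETH_ALEN);` for the sockaddr case — confirm the parameter type first. The enclosing function starts outside the hunk.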
@@ -2381,7 +2381,7 @@
 		wlanSetAcpiState(prGlueInfo->prAdapter, ePowerState);
 	}
 
-	prGlueInfo->ePowerState = ePowerState;
+		prGlueInfo->ePowerState = ParamDeviceStateD0;
 
 	return ret;
 }				/* wext_set_txpow */
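Review bot: Line 290 now records ParamDeviceStateD0 unconditionally, although line 286 applied the caller's ePowerState to the adapter, so the cached state in wext_set_txpow can disagree with what was actually set; the extra indentation also suggests the line was meant to sit inside the `if` block that closes at line 287. Either restore `prGlueInfo->ePowerState = ePowerState;` or, if D0 is the only state this path can reach, move the line into the block and add `/* this path only ever brings the device to D0 */`. The enclosing function begins outside the hunk.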
@@ -2957,7 +2957,8 @@
 		}
 
 		/* PN */
-		memcpy(&prWpiKey->aucPN[0], &prIWEncExt->tx_seq[0], IW_ENCODE_SEQ_MAX_SIZE * 2);
+		memcpy(&prWpiKey->aucPN[0], &prIWEncExt->tx_seq[0], IW_ENCODE_SEQ_MAX_SIZE);
+		memcpy(&prWpiKey->aucPN[8], &prIWEncExt->rx_seq[0], IW_ENCODE_SEQ_MAX_SIZE);
 
 		/* BSSID */
 		memcpy(prWpiKey->aucAddrIndex, prIWEncExt->addr.sa_data, 6);
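Review bot: The `8` at line 300 is the value of IW_ENCODE_SEQ_MAX_SIZE written out, which hides the relation between the two copies; write `&prWpiKey->aucPN[IW_ENCODE_SEQ_MAX_SIZE]` and, since aucPN's size is not visible here, add `/* aucPN: tx PN followed by rx PN, 2 * IW_ENCODE_SEQ_MAX_SIZE bytes */` so a smaller array cannot be introduced silently. The literal `6` at line 303 has the same problem and should be ETH_ALEN or the driver's own MAC-length constant. The enclosing function starts outside the hunk.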
@@ -3115,6 +3116,12 @@
 				memcpy(((PUINT_8) prKey->aucKeyMaterial) + 16, prIWEncExt->key + 24, 8);
 				memcpy((prKey->aucKeyMaterial) + 24, prIWEncExt->key + 16, 8);
 			} else {
+				/* aucKeyMaterial is defined as a 32-elements array */
+				if (prIWEncExt->key_len > 32) {
+					DBGLOG(REQ, ERROR, "prIWEncExt->key_len: %d is too long!\n",
+						prIWEncExt->key_len);
+					return -EFAULT;
+				}
 				memcpy(prKey->aucKeyMaterial, prIWEncExt->key, prIWEncExt->key_len);
 			}
 
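Review bot: The bound at line 309 repeats the array size as a literal; `sizeof(prKey->aucKeyMaterial)` keeps the check tied to the field it protects, and the rejection should be -EINVAL rather than -EFAULT, which on the ioctl path signals a bad user address and will mislead whoever reads the errno. The branch at lines 305–306 copies key[16..31] whether or not key_len covers those bytes; whether key_len is validated before that branch is outside the hunk. key_len is itself a user-supplied header field, so it must also stay within the bytes actually copied from user space, which this handler cannot see (see the SIOCSIWENCODEEXT hunk at line 318). The enclosing function starts outside the hunk.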
@@ -3622,13 +3629,19 @@
 	case SIOCSIWENCODEEXT:	/* 0x8B34, set extended encoding token & mode */
 		if (iwr->u.encoding.pointer) {
 			u4ExtraSize = iwr->u.encoding.length;
+
+			if (u4ExtraSize > sizeof(struct iw_encode_ext)) {
+				ret = -EINVAL;
+				break;
+			}
+
 			prExtraBuf = kalMemAlloc(u4ExtraSize, VIR_MEM_TYPE);
 			if (!prExtraBuf) {
 				ret = -ENOMEM;
 				break;
 			}
 
-			if (copy_from_user(prExtraBuf, iwr->u.encoding.pointer, iwr->u.encoding.length))
+			if (copy_from_user(prExtraBuf, iwr->u.encoding.pointer, u4ExtraSize))
 				ret = -EFAULT;
 		} else if (iwr->u.encoding.length != 0) {
 			ret = -EINVAL;
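Review bot: The upper bound at line 322 rejects any request longer than sizeof(struct iw_encode_ext), but key material follows that header (key is a trailing array) and wext callers pass sizeof(struct iw_encode_ext) + key_len as iwr->u.encoding.length, so every SIOCSIWENCODEEXT that carries a key now fails with -EINVAL; a request shorter than the header, by contrast, is still accepted and the handler reads header fields past the allocation. Replace the condition with `if (u4ExtraSize < sizeof(struct iw_encode_ext) || u4ExtraSize > sizeof(struct iw_encode_ext) + IW_ENCODING_TOKEN_MAX)`, and after the copy compare the header's key_len against `u4ExtraSize - sizeof(struct iw_encode_ext)` so key_len cannot exceed the bytes actually copied. The enclosing switch continues outside the hunk.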
