On Mon, Sep 14, 2020 at 05:48:07PM +0300, Dan Carpenter wrote:
> Hi Jie,
>
> url: https://github.com/0day-ci/linux/commits/Jie-Deng/i2c-virtio-add-a-virtio-i2c-frontend-driver/20200911-115013
> base: https://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux.git i2c/for-next
> config: parisc-randconfig-m031-20200913 (attached as .config)
> compiler: hppa-linux-gcc (GCC) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
>
> smatch warnings:
> drivers/i2c/busses/i2c-virtio.c:160 virtio_i2c_xfer() error: we previously assumed 'vmsg' could be null (see line 137)
>

It's quite possibly a false positive. Look at 122. But I agree that for-loop is
not the best for such things to understand. Perhaps switching to do {} while ()
will make it better.

> # https://github.com/0day-ci/linux/commit/0a54ec771966748fcbc86256b830b5f786168b7d
> git remote add linux-review https://github.com/0day-ci/linux
> git fetch --no-tags linux-review Jie-Deng/i2c-virtio-add-a-virtio-i2c-frontend-driver/20200911-115013
> git checkout 0a54ec771966748fcbc86256b830b5f786168b7d
> vim +/vmsg +160 drivers/i2c/busses/i2c-virtio.c
>
> 0a54ec77196674 Jie Deng 2020-09-11  109  static int virtio_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
> 0a54ec77196674 Jie Deng 2020-09-11  110  {
> 0a54ec77196674 Jie Deng 2020-09-11  111      struct virtio_i2c *vi = i2c_get_adapdata(adap);
> 0a54ec77196674 Jie Deng 2020-09-11  112      struct virtqueue *vq = vi->vq;
> 0a54ec77196674 Jie Deng 2020-09-11  113      struct virtio_i2c_msg *vmsg;
> 0a54ec77196674 Jie Deng 2020-09-11  114      unsigned long time_left;
> 0a54ec77196674 Jie Deng 2020-09-11  115      int len, i, ret = 0;
> 0a54ec77196674 Jie Deng 2020-09-11  116
> 0a54ec77196674 Jie Deng 2020-09-11  117      mutex_lock(&vi->i2c_lock);
> 0a54ec77196674 Jie Deng 2020-09-11  118      vmsg = &vi->vmsg;
> 0a54ec77196674 Jie Deng 2020-09-11  119      vmsg->buf = NULL;
> 0a54ec77196674 Jie Deng 2020-09-11  120
> 0a54ec77196674 Jie Deng 2020-09-11  121      for (i = 0; i < num; i++) {
> 0a54ec77196674 Jie Deng 2020-09-11  122          ret = virtio_i2c_add_msg(vq, vmsg, &msgs[i]);
> 0a54ec77196674 Jie Deng 2020-09-11  123          if (ret) {
> 0a54ec77196674 Jie Deng 2020-09-11  124              dev_err(&adap->dev, "failed to add msg[%d] to virtqueue.\n", i);
> 0a54ec77196674 Jie Deng 2020-09-11  125              break;
> 0a54ec77196674 Jie Deng 2020-09-11  126          }
> 0a54ec77196674 Jie Deng 2020-09-11  127
> 0a54ec77196674 Jie Deng 2020-09-11  128          virtqueue_kick(vq);
> 0a54ec77196674 Jie Deng 2020-09-11  129
> 0a54ec77196674 Jie Deng 2020-09-11  130          time_left = wait_for_completion_timeout(&vi->completion, adap->timeout);
> 0a54ec77196674 Jie Deng 2020-09-11  131          if (!time_left) {
> 0a54ec77196674 Jie Deng 2020-09-11  132              dev_err(&adap->dev, "msg[%d]: addr=0x%x timeout.\n", i, msgs[i].addr);
> 0a54ec77196674 Jie Deng 2020-09-11  133              break;
> 0a54ec77196674 Jie Deng 2020-09-11  134          }
> 0a54ec77196674 Jie Deng 2020-09-11  135
> 0a54ec77196674 Jie Deng 2020-09-11  136          vmsg = (struct virtio_i2c_msg *)virtqueue_get_buf(vq, &len);
> 0a54ec77196674 Jie Deng 2020-09-11 @137          if (vmsg) {
>                                                      ^^^^
> Check for NULL.
>
> 0a54ec77196674 Jie Deng 2020-09-11  138              /* vmsg should point to the same address with &vi->vmsg */
> 0a54ec77196674 Jie Deng 2020-09-11  139              if (vmsg != &vi->vmsg) {
> 0a54ec77196674 Jie Deng 2020-09-11  140                  dev_err(&adap->dev, "msg[%d]: addr=0x%x virtqueue error.\n",
> 0a54ec77196674 Jie Deng 2020-09-11  141                      i, le16_to_cpu(vmsg->hdr.addr));
> 0a54ec77196674 Jie Deng 2020-09-11  142                  break;
> 0a54ec77196674 Jie Deng 2020-09-11  143              }
> 0a54ec77196674 Jie Deng 2020-09-11  144              if (vmsg->status != VIRTIO_I2C_MSG_OK) {
> 0a54ec77196674 Jie Deng 2020-09-11  145                  dev_err(&adap->dev, "msg[%d]: addr=0x%x error=%d.\n",
> 0a54ec77196674 Jie Deng 2020-09-11  146                      i, le16_to_cpu(vmsg->hdr.addr), vmsg->status);
> 0a54ec77196674 Jie Deng 2020-09-11  147                  break;
> 0a54ec77196674 Jie Deng 2020-09-11  148              }
> 0a54ec77196674 Jie Deng 2020-09-11  149              if ((msgs[i].flags & I2C_M_RD) && msgs[i].len)
> 0a54ec77196674 Jie Deng 2020-09-11  150                  memcpy(msgs[i].buf, vmsg->buf, msgs[i].len);
> 0a54ec77196674 Jie Deng 2020-09-11  151
> 0a54ec77196674 Jie Deng 2020-09-11  152              kfree(vmsg->buf);
> 0a54ec77196674 Jie Deng 2020-09-11  153              vmsg->buf = NULL;
> 0a54ec77196674 Jie Deng 2020-09-11  154          }
> 0a54ec77196674 Jie Deng 2020-09-11  155
> 0a54ec77196674 Jie Deng 2020-09-11  156          reinit_completion(&vi->completion);
> 0a54ec77196674 Jie Deng 2020-09-11  157      }
> 0a54ec77196674 Jie Deng 2020-09-11  158
> 0a54ec77196674 Jie Deng 2020-09-11  159      mutex_unlock(&vi->i2c_lock);
> 0a54ec77196674 Jie Deng 2020-09-11 @160      kfree(vmsg->buf);
>                                                    ^^^^^^^^^
> Unchecked dereference.
>
> 0a54ec77196674 Jie Deng 2020-09-11  161      return ((ret < 0) ? ret : i);
> 0a54ec77196674 Jie Deng 2020-09-11  162  }
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/[email protected]
--
With Best Regards,
Andy Shevchenko
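
The control flow the smatch warning concerns, modelled in user space as an added example (not code from the patch or from anyone in this thread). `struct msg`, `struct dev`, `get_buf()` and both functions are hypothetical stand-ins, and the second function is one possible restructuring, not the author's fix.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's types; not kernel code. */
struct msg { unsigned char *buf; };
struct dev { struct msg vmsg; int completions; /* buffers the device returns */ };

/* Models virtqueue_get_buf(): the completed buffer, or NULL if none. */
static struct msg *get_buf(struct dev *d)
{
    return d->completions-- > 0 ? &d->vmsg : NULL;
}

/* Flow from the listing: the cursor is overwritten by get_buf() and used
 * again afterwards. Returns 1 if NULL reaches a later use (line 122 or 160).
 * "&& vmsg" is the model's own stop; add_msg's NULL handling is not shown. */
static int listing_flow_reaches_null(struct dev *d, int num)
{
    struct msg *vmsg = &d->vmsg;
    int i, hit;
    for (i = 0; i < num && vmsg; i++) {
        vmsg->buf = malloc(1);      /* stands in for virtio_i2c_add_msg() */
        vmsg = get_buf(d);          /* line 136 */
        if (vmsg) {                 /* line 137 */
            free(vmsg->buf);
            vmsg->buf = NULL;
        }
    }
    hit = (vmsg == NULL);           /* line 160 would be kfree(vmsg->buf) */
    free(d->vmsg.buf);              /* the model cleans up via the owner */
    d->vmsg.buf = NULL;
    return hit;
}

/* One possible restructuring (an assumption, not the author's fix): the
 * owned pointer is never reassigned. Returns messages done, or -1. */
static int hardened_xfer(struct dev *d, int num)
{
    struct msg *owned = &d->vmsg, *done;
    int i;
    for (i = 0; i < num; i++) {
        owned->buf = malloc(1);
        done = get_buf(d);
        free(owned->buf);           /* cleanup never goes through `done` */
        owned->buf = NULL;
        if (done != owned)          /* NULL or a foreign buffer */
            return -1;
    }
    return i;
}
```
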