[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZeoggIXSLy+lVHP1@cae.in-ulm.de>
Date: Thu, 7 Mar 2024 21:16:00 +0100
From: "Christian A. Ehrhardt" <lk@...e.de>
To: coverity-bot <keescook@...omium.org>
Cc: Jameson Thies <jthies@...gle.com>, Hans de Goede <hdegoede@...hat.com>,
Fabrice Gasnier <fabrice.gasnier@...s.st.com>,
Neil Armstrong <neil.armstrong@...aro.org>,
linux-usb@...r.kernel.org, Benson Leung <bleung@...omium.org>,
Saranya Gopal <saranya.gopal@...el.com>,
Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
Abhishek Pandit-Subedi <abhishekpandit@...omium.org>,
Prashant Malani <pmalani@...omium.org>,
Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
linux-next@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: Coverity: ucsi_check_cable(): Null pointer dereferences
Hi,
On Thu, Mar 07, 2024 at 11:34:21AM -0800, coverity-bot wrote:
> Hello!
>
> This is an experimental semi-automated report about issues detected by
> Coverity from a scan of next-20240307 as part of the linux-next scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by commits:
>
> Tue Mar 5 13:11:08 2024 +0000
> f896d5e8726c ("usb: typec: ucsi: Register SOP/SOP' Discover Identity Responses")
>
> Coverity reported the following:
>
> *** CID 1584245: Null pointer dereferences (FORWARD_NULL)
> drivers/usb/typec/ucsi/ucsi.c:1136 in ucsi_check_cable()
> 1130 }
> 1131
> 1132 ret = ucsi_register_cable(con);
> 1133 if (ret < 0)
> 1134 return ret;
> 1135
> vvv CID 1584245: Null pointer dereferences (FORWARD_NULL)
> vvv Passing "con" to "ucsi_get_cable_identity", which dereferences null "con->cable".
> 1136 ret = ucsi_get_cable_identity(con);
> 1137 if (ret < 0)
> 1138 return ret;
> 1139
> 1140 ret = ucsi_register_plug(con);
> 1141 if (ret < 0)
>
> If this is a false positive, please let us know so we can mark it as
> such, or teach the Coverity rules to be smarter. If not, please make
> sure fixes get into linux-next. :) For patches fixing this, please
> include these lines (but double-check the "Fixes" first):
This looks like a false positive to me. The code looks like this:
if (con->cable)
return 0;
[ ... ]
ret = ucsi_register_cable(con)
if (ret < 0)
return ret;
ret = ucsi_get_cable_identity(con);
[ ... ]
>From the con->cable check coverity concludes that con->cable is
initially NULL. Later ucsi_register_cable() initializes con->cable
if successful. Coverity seems to miss this and still thinks that
con->cable is NULL. Then converity correctly notices that
ucsi_get_cable_identity() dereferences con->cable and complains.
regards Christian
Powered by blists - more mailing lists