[BUG] atm: firestream: possible uninitialized-variable access in fs_open()

From: Li Tuo
Date: Sat Jul 31 2021 - 02:24:58 EST

Next message: Li Tuo: "[BUG] video: fbdev: sis: possible uninitialized-variable access in SiS_SetCRT2FIFO_300()"
Previous message: kernel test robot: "[fsnotify] 4c40d6efc8: unixbench.score -3.3% regression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

Our static analysis tool finds a possible uninitialized-variable access in the firestream driver in Linux 5.14.0-rc3:

In the function fs_open(), a memory block is allocated through kmalloc(), and its return value is assigned to the pointer vcc.
883:    vcc = kmalloc(sizeof(struct fs_vcc), GFP_KERNEL);

If the following condition is false, vcc->channo will remain uninitialized.
898:    if (!test_bit(ATM_VF_PARTIAL, &atm_vcc->flags))

However, it is accessed in some statements such as:
1036:    submit_command (... , QE_CMD_CONFIG_TX | QE_CMD_IMM_INQ | vcc->channo, ...);
1040:    submit_command (... , QE_CMD_TX_EN | QE_CMD_IMM_INQ | vcc->channo, ...);
1043:    set_bit (vcc->channo, dev->tx_inuse);
1047:    dev->atm_vccs[vcc->channo] = atm_vcc;
1057:    dev->atm_vccs[vcc->channo] = NULL;
1065:    submit_command (... , QE_CMD_CONFIG_RX | QE_CMD_IMM_INQ | vcc->channo, ...);
1072:    submit_command (... , QE_CMD_CONFIG_RX | QE_CMD_IMM_INQ | vcc->channo, ...);
1085:    submit_command (... , QE_CMD_RX_EN | QE_CMD_IMM_INQ | vcc->channo, ...);

I am not quite sure whether this possible uninitialized-variable access is real and how to fix it if it is real.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>

Best wishes,
Tuo Li

Next message: Li Tuo: "[BUG] video: fbdev: sis: possible uninitialized-variable access in SiS_SetCRT2FIFO_300()"
Previous message: kernel test robot: "[fsnotify] 4c40d6efc8: unixbench.score -3.3% regression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]