[BUG] atm: firestream: possible uninitialized-variable access in fs_open()
From: Li Tuo
Date: Sat Jul 31 2021 - 02:24:58 EST
Hello,
Our static analysis tool finds a possible uninitialized-variable access
in the firestream driver in Linux 5.14.0-rc3:
In the function fs_open(), a memory block is allocated through
kmalloc(), and its return value is assigned to the pointer vcc.
883: vcc = kmalloc(sizeof(struct fs_vcc), GFP_KERNEL);
If the following condition is false, vcc->channo will remain uninitialized.
898: if (!test_bit(ATM_VF_PARTIAL, &atm_vcc->flags))
However, it is accessed in some statements such as:
1036: submit_command (... , QE_CMD_CONFIG_TX | QE_CMD_IMM_INQ |
vcc->channo, ...);
1040: submit_command (... , QE_CMD_TX_EN | QE_CMD_IMM_INQ |
vcc->channo, ...);
1043: set_bit (vcc->channo, dev->tx_inuse);
1047: dev->atm_vccs[vcc->channo] = atm_vcc;
1057: dev->atm_vccs[vcc->channo] = NULL;
1065: submit_command (... , QE_CMD_CONFIG_RX | QE_CMD_IMM_INQ |
vcc->channo, ...);
1072: submit_command (... , QE_CMD_CONFIG_RX | QE_CMD_IMM_INQ |
vcc->channo, ...);
1085: submit_command (... , QE_CMD_RX_EN | QE_CMD_IMM_INQ |
vcc->channo, ...);
I am not quite sure whether this possible uninitialized-variable access
is real and how to fix it if it is real.
Any feedback would be appreciated, thanks!
Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>
Best wishes,
Tuo Li