drivers/net/usb/hso.c:2626 hso_create_bulk_serial_device() warn: variable dereferenced before check 'serial->tiocmget' (see line 2620)

From: kernel test robot
Date: Wed Aug 12 2020 - 10:20:28 EST


tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: fb893de323e2d39f7a1f6df425703a2edbdf56ea
commit: af0de1303c4e8f44fadd7b4c593f09f22324b04f usb: hso: obey DMA rules in tiocmget
date: 10 months ago
config: ia64-randconfig-m031-20200811 (attached as .config)
compiler: ia64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>

New smatch warnings:
drivers/net/usb/hso.c:2626 hso_create_bulk_serial_device() warn: variable dereferenced before check 'serial->tiocmget' (see line 2620)

Old smatch warnings:
drivers/net/usb/hso.c:1400 hso_serial_set_termios() error: we previously assumed 'old' could be null (see line 1391)

vim +2626 drivers/net/usb/hso.c

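/*
 * Creates a bulk AT channel.
 *
 * Allocates the hso_device and hso_serial for @port on @interface, runs the
 * common serial setup, looks up the bulk IN and OUT endpoints and records the
 * serial by its minor. For modem ports (HSO_PORT_MODEM) it also tries to set
 * up the hso_tiocmget state on the interrupt IN endpoint; an allocation
 * failure for that state is tolerated and the port is still created.
 *
 * Returns the new hso_device, or NULL on failure after undoing what was set
 * up here.
 */
static struct hso_device *hso_create_bulk_serial_device(
			struct usb_interface *interface, int port)
{
	struct hso_device *hso_dev;
	struct hso_serial *serial;
	int num_urbs;
	struct hso_tiocmget *tiocmget;

	hso_dev = hso_create_device(interface, port);
	if (!hso_dev)
		return NULL;

	serial = kzalloc(sizeof(*serial), GFP_KERNEL);
	if (!serial)
		goto exit;

	serial->parent = hso_dev;
	hso_dev->port_data.dev_serial = serial;

	if ((port & HSO_PORT_MASK) == HSO_PORT_MODEM) {
		num_urbs = 2;
		serial->tiocmget = kzalloc(sizeof(struct hso_tiocmget),
					   GFP_KERNEL);
		/*
		 * kzalloc() may return NULL. The reported code wrote
		 * serial->tiocmget->serial_state_notification before the
		 * NULL check below, so an allocation failure became a NULL
		 * pointer dereference. Only allocate the notification buffer
		 * once the parent object is known to exist.
		 */
		if (serial->tiocmget)
			serial->tiocmget->serial_state_notification =
				kzalloc(sizeof(struct hso_serial_state_notification),
					GFP_KERNEL);
		/*
		 * Losing the tiocmget state is not fatal for the port, so a
		 * failed allocation just skips the interrupt endpoint setup.
		 * NOTE(review): if only serial_state_notification fails,
		 * serial->tiocmget stays allocated without an URB (as in the
		 * reported code); confirm its users tolerate that state.
		 */
		if (serial->tiocmget &&
		    serial->tiocmget->serial_state_notification) {
			tiocmget = serial->tiocmget;
			tiocmget->endp = hso_get_ep(interface,
						    USB_ENDPOINT_XFER_INT,
						    USB_DIR_IN);
			if (!tiocmget->endp) {
				dev_err(&interface->dev, "Failed to find INT IN ep\n");
				goto exit;
			}

			tiocmget->urb = usb_alloc_urb(0, GFP_KERNEL);
			if (tiocmget->urb) {
				mutex_init(&tiocmget->mutex);
				init_waitqueue_head(&tiocmget->waitq);
			} else {
				/* no URB: drop the tiocmget state, keep the port */
				hso_free_tiomget(serial);
			}
		}
	} else {
		num_urbs = 1;
	}

	if (hso_serial_common_create(serial, num_urbs, BULK_URB_RX_SIZE,
				     BULK_URB_TX_SIZE))
		goto exit;

	serial->in_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK,
				     USB_DIR_IN);
	if (!serial->in_endp) {
		dev_err(&interface->dev, "Failed to find BULK IN ep\n");
		goto exit2;
	}

	serial->out_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK,
				      USB_DIR_OUT);
	if (!serial->out_endp) {
		/* this is the OUT lookup; the message used to say "IN" */
		dev_err(&interface->dev, "Failed to find BULK OUT ep\n");
		goto exit2;
	}

	serial->write_data = hso_std_serial_write_data;

	/* and record this serial */
	set_serial_by_index(serial->minor, serial);

	/* setup the proc dirs and files if needed */
	hso_log_port(hso_dev);

	/* done, return it */
	return hso_dev;

exit2:
	/* undo hso_serial_common_create() before the shared cleanup */
	hso_serial_tty_unregister(serial);
	hso_serial_common_free(serial);
exit:
	/*
	 * NOTE(review): also reached with serial == NULL when the first
	 * kzalloc() fails; this relies on hso_free_tiomget() accepting a
	 * NULL serial - confirm against its definition.
	 */
	hso_free_tiomget(serial);
	kfree(serial);
	kfree(hso_dev);
	return NULL;
}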

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip