From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c:57 mt7921_acpi_read() error: dereferencing freed memory 'sar_root'
Date: Thu, 18 Aug 2022 15:48:00 +0800 [thread overview]
Message-ID: <202208181543.V5DNm77M-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 4680 bytes --]
BCC: lkp(a)intel.com
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Deren Wu <deren.wu@mediatek.com>
CC: Felix Fietkau <nbd@nbd.name>
CC: Sean Wang <sean.wang@mediatek.com>
CC: Quan Zhou <quan.zhou@mediatek.com>
CC: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 3b06a2755758937add738545ba4a544fc5a1c56d
commit: f965333e491e36adb0fa91e389fba8685b704fb6 mt76: mt7921: introduce ACPI SAR support
date: 5 weeks ago
:::::: branch date: 10 hours ago
:::::: commit date: 5 weeks ago
config: ia64-randconfig-m031-20220814 (https://download.01.org/0day-ci/archive/20220818/202208181543.V5DNm77M-lkp(a)intel.com/config)
compiler: ia64-linux-gcc (GCC) 12.1.0
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c:57 mt7921_acpi_read() error: dereferencing freed memory 'sar_root'
vim +/sar_root +57 drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
f965333e491e36 Deren Wu 2022-05-20 6
f965333e491e36 Deren Wu 2022-05-20 7 static int
f965333e491e36 Deren Wu 2022-05-20 8 mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len)
f965333e491e36 Deren Wu 2022-05-20 9 {
f965333e491e36 Deren Wu 2022-05-20 10 struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL };
f965333e491e36 Deren Wu 2022-05-20 11 union acpi_object *sar_root, *sar_unit;
f965333e491e36 Deren Wu 2022-05-20 12 struct mt76_dev *mdev = &dev->mt76;
f965333e491e36 Deren Wu 2022-05-20 13 acpi_handle root, handle;
f965333e491e36 Deren Wu 2022-05-20 14 acpi_status status;
f965333e491e36 Deren Wu 2022-05-20 15 u32 i = 0;
f965333e491e36 Deren Wu 2022-05-20 16
f965333e491e36 Deren Wu 2022-05-20 17 root = ACPI_HANDLE(mdev->dev);
f965333e491e36 Deren Wu 2022-05-20 18 if (!root)
f965333e491e36 Deren Wu 2022-05-20 19 return -EOPNOTSUPP;
f965333e491e36 Deren Wu 2022-05-20 20
f965333e491e36 Deren Wu 2022-05-20 21 status = acpi_get_handle(root, method, &handle);
f965333e491e36 Deren Wu 2022-05-20 22 if (ACPI_FAILURE(status))
f965333e491e36 Deren Wu 2022-05-20 23 return -EIO;
f965333e491e36 Deren Wu 2022-05-20 24
f965333e491e36 Deren Wu 2022-05-20 25 status = acpi_evaluate_object(handle, NULL, NULL, &buf);
f965333e491e36 Deren Wu 2022-05-20 26 if (ACPI_FAILURE(status))
f965333e491e36 Deren Wu 2022-05-20 27 return -EIO;
f965333e491e36 Deren Wu 2022-05-20 28
f965333e491e36 Deren Wu 2022-05-20 29 sar_root = buf.pointer;
f965333e491e36 Deren Wu 2022-05-20 30 if (sar_root->type != ACPI_TYPE_PACKAGE ||
f965333e491e36 Deren Wu 2022-05-20 31 sar_root->package.count < 4 ||
f965333e491e36 Deren Wu 2022-05-20 32 sar_root->package.elements[0].type != ACPI_TYPE_INTEGER) {
f965333e491e36 Deren Wu 2022-05-20 33 dev_err(mdev->dev, "sar cnt = %d\n",
f965333e491e36 Deren Wu 2022-05-20 34 sar_root->package.count);
f965333e491e36 Deren Wu 2022-05-20 35 goto free;
f965333e491e36 Deren Wu 2022-05-20 36 }
f965333e491e36 Deren Wu 2022-05-20 37
f965333e491e36 Deren Wu 2022-05-20 38 if (!*tbl) {
f965333e491e36 Deren Wu 2022-05-20 39 *tbl = devm_kzalloc(mdev->dev, sar_root->package.count,
f965333e491e36 Deren Wu 2022-05-20 40 GFP_KERNEL);
f965333e491e36 Deren Wu 2022-05-20 41 if (!*tbl)
f965333e491e36 Deren Wu 2022-05-20 42 goto free;
f965333e491e36 Deren Wu 2022-05-20 43 }
f965333e491e36 Deren Wu 2022-05-20 44 if (len)
f965333e491e36 Deren Wu 2022-05-20 45 *len = sar_root->package.count;
f965333e491e36 Deren Wu 2022-05-20 46
f965333e491e36 Deren Wu 2022-05-20 47 for (i = 0; i < sar_root->package.count; i++) {
f965333e491e36 Deren Wu 2022-05-20 48 sar_unit = &sar_root->package.elements[i];
f965333e491e36 Deren Wu 2022-05-20 49
f965333e491e36 Deren Wu 2022-05-20 50 if (sar_unit->type != ACPI_TYPE_INTEGER)
f965333e491e36 Deren Wu 2022-05-20 51 break;
f965333e491e36 Deren Wu 2022-05-20 52 *(*tbl + i) = (u8)sar_unit->integer.value;
f965333e491e36 Deren Wu 2022-05-20 53 }
f965333e491e36 Deren Wu 2022-05-20 54 free:
f965333e491e36 Deren Wu 2022-05-20 55 kfree(sar_root);
f965333e491e36 Deren Wu 2022-05-20 56
f965333e491e36 Deren Wu 2022-05-20 @57 return (i == sar_root->package.count) ? 0 : -EINVAL;
f965333e491e36 Deren Wu 2022-05-20 58 }
f965333e491e36 Deren Wu 2022-05-20 59
--
0-DAY CI Kernel Test Service
https://01.org/lkp
next reply other threads:[~2022-08-18 7:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-18 7:48 kernel test robot [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-08-16 10:10 drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c:57 mt7921_acpi_read() error: dereferencing freed memory 'sar_root' kernel test robot
2022-08-15 11:29 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202208181543.V5DNm77M-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.