From: Dan Carpenter <dan.carpenter@linaro.org>
To: Wesley Cheng <quic_wcheng@quicinc.com>
Cc: linux-sound@vger.kernel.org
Subject: [bug report] ALSA: usb-audio: qcom: Introduce QC USB SND offloading support
Date: Tue, 15 Apr 2025 13:45:51 +0300 [thread overview]
Message-ID: <Z_443_0ySk7a19w8@stanley.mountain> (raw)
Hello Wesley Cheng,
This is a semi-automatic email about new static checker warnings.
Commit 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND
offloading support") from Apr 9, 2025, leads to the following Smatch
complaint:
sound/usb/qcom/qc_audio_offload.c:1454 prepare_qmi_response()
warn: variable dereferenced before check 'subs->data_endpoint' (see line 1369)
sound/usb/qcom/qc_audio_offload.c
1368 resp->std_as_opr_intf_desc_valid = 1;
1369 ret = uaudio_endpoint_setup(subs, subs->data_endpoint, card_num,
^^^^^^^^^^^^^^^^^^^
this dereferences subs->data_endpoint without checking for NULL
1370 &resp->xhci_mem_info.tr_data,
1371 &resp->std_as_data_ep_desc);
1372 if (ret < 0)
1373 goto err;
1374
1375 resp->std_as_data_ep_desc_valid = 1;
1376
1377 if (subs->sync_endpoint) {
1378 ret = uaudio_endpoint_setup(subs, subs->sync_endpoint, card_num,
1379 &resp->xhci_mem_info.tr_sync,
1380 &resp->std_as_sync_ep_desc);
1381 if (ret < 0)
1382 goto drop_data_ep;
1383
1384 resp->std_as_sync_ep_desc_valid = 1;
1385 }
1386
1387 resp->interrupter_num_valid = 1;
1388 resp->controller_num_valid = 0;
1389 ret = usb_get_controller_id(subs->dev);
1390 if (ret >= 0) {
1391 resp->controller_num = ret;
1392 resp->controller_num_valid = 1;
1393 }
1394
1395 /* event ring */
1396 ret = uaudio_event_ring_setup(subs, card_num,
1397 &resp->xhci_mem_info.evt_ring);
1398 if (ret < 0)
1399 goto drop_sync_ep;
1400
1401 uaudio_qdev->er_mapped = true;
1402 resp->interrupter_num = xhci_sideband_interrupter_id(uadev[card_num].sb);
1403
1404 resp->speed_info = get_speed_info(subs->dev->speed);
1405 if (resp->speed_info == USB_QMI_DEVICE_SPEED_INVALID_V01) {
1406 ret = -ENODEV;
1407 goto free_sec_ring;
1408 }
1409
1410 resp->speed_info_valid = 1;
1411
1412 ret = uaudio_transfer_buffer_setup(subs, xfer_buf, req_msg->xfer_buff_size,
1413 &resp->xhci_mem_info.xfer_buff);
1414 if (ret < 0) {
1415 ret = -ENOMEM;
1416 goto free_sec_ring;
1417 }
1418
1419 resp->xhci_mem_info_valid = 1;
1420
1421 if (!atomic_read(&uadev[card_num].in_use)) {
1422 kref_init(&uadev[card_num].kref);
1423 init_waitqueue_head(&uadev[card_num].disconnect_wq);
1424 uadev[card_num].num_intf =
1425 subs->dev->config->desc.bNumInterfaces;
1426 uadev[card_num].info = kcalloc(uadev[card_num].num_intf,
1427 sizeof(struct intf_info),
1428 GFP_KERNEL);
1429 if (!uadev[card_num].info) {
1430 ret = -ENOMEM;
1431 goto unmap_er;
1432 }
1433 uadev[card_num].udev = subs->dev;
1434 atomic_set(&uadev[card_num].in_use, 1);
1435 } else {
1436 kref_get(&uadev[card_num].kref);
1437 }
1438
1439 uadev[card_num].usb_core_id = resp->controller_num;
1440
1441 /* cache intf specific info to use it for unmap and free xfer buf */
1442 uadev[card_num].info[info_idx].data_xfer_ring_va =
1443 IOVA_MASK(resp->xhci_mem_info.tr_data.va);
1444 uadev[card_num].info[info_idx].data_xfer_ring_size = PAGE_SIZE;
1445 uadev[card_num].info[info_idx].sync_xfer_ring_va =
1446 IOVA_MASK(resp->xhci_mem_info.tr_sync.va);
1447 uadev[card_num].info[info_idx].sync_xfer_ring_size = PAGE_SIZE;
1448 uadev[card_num].info[info_idx].xfer_buf_va =
1449 IOVA_MASK(resp->xhci_mem_info.xfer_buff.va);
1450 uadev[card_num].info[info_idx].xfer_buf_pa =
1451 resp->xhci_mem_info.xfer_buff.pa;
1452 uadev[card_num].info[info_idx].xfer_buf_size =
1453 resp->xhci_mem_info.xfer_buff.size;
1454 uadev[card_num].info[info_idx].data_ep_pipe = subs->data_endpoint ?
^^^^^^^^^^^^^^^^^^^
So this check is too late
1455 subs->data_endpoint->pipe : 0;
1456 uadev[card_num].info[info_idx].sync_ep_pipe = subs->sync_endpoint ?
regards,
dan carpenter
next reply other threads:[~2025-04-15 10:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-15 10:45 Dan Carpenter [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-04-15 10:47 [bug report] ALSA: usb-audio: qcom: Introduce QC USB SND offloading support Dan Carpenter
2025-04-15 10:46 Dan Carpenter
2025-04-15 10:46 Dan Carpenter
2025-04-15 10:27 Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z_443_0ySk7a19w8@stanley.mountain \
--to=dan.carpenter@linaro.org \
--cc=linux-sound@vger.kernel.org \
--cc=quic_wcheng@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.