[bug report] mei: fix error flow in probe

All of lore.kernel.org
 help / color / mirror / Atom feed

* [bug report] mei: fix error flow in probe
@ 2026-06-10 15:22 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2026-06-10 15:22 UTC (permalink / raw)
  To: Alexander Usyskin; +Cc: kernel-janitors

Hello Alexander Usyskin,

Commit 1ebc180d2b90 ("mei: fix error flow in probe") from Nov 2, 2025
(linux-next), leads to the following Smatch static checker warning:

	drivers/misc/mei/platform-vsc.c:384 mei_vsc_probe()
	error: potential zalloc NULL dereference: 'mei_dev->cdev'

drivers/misc/mei/platform-vsc.c
    334 static int mei_vsc_probe(struct platform_device *pdev)
    335 {
    336         struct device *dev = &pdev->dev;
    337         struct mei_device *mei_dev;
    338         struct mei_vsc_hw *hw;
    339         struct vsc_tp *tp;
    340         int ret;
    341 
    342         tp = *(struct vsc_tp **)dev_get_platdata(dev);
    343         if (!tp)
    344                 return dev_err_probe(dev, -ENODEV, "no platform data\n");
    345 
    346         mei_dev = kzalloc(size_add(sizeof(*mei_dev), sizeof(*hw)), GFP_KERNEL);
    347         if (!mei_dev)
    348                 return -ENOMEM;
    349 
    350         mei_device_init(mei_dev, dev, false, &mei_vsc_hw_ops);
    351 
    352         mei_dev->fw_f_fw_ver_supported = 0;
    353         mei_dev->kind = MEI_DEV_KIND_IVSC;
    354 
    355         hw = mei_dev_to_vsc_hw(mei_dev);
    356         atomic_set(&hw->write_lock_cnt, 0);
    357         hw->tp = tp;
    358 
    359         platform_set_drvdata(pdev, mei_dev);
    360 
    361         vsc_tp_register_event_cb(tp, mei_vsc_event_cb, mei_dev);
    362 
    363         ret = mei_register(mei_dev, dev);

If mei_register() fails to allocate mei_dev->cdev

    364         if (ret)
    365                 goto err;
    366 
    367         ret = mei_start(mei_dev);
    368         if (ret) {
    369                 dev_err_probe(dev, ret, "init hw failed\n");
    370                 goto err;
    371         }
    372 
    373         pm_runtime_enable(mei_dev->parent);
    374 
    375         return 0;
    376 
    377 err:
    378         mei_cancel_work(mei_dev);
    379 
    380         vsc_tp_register_event_cb(tp, NULL, NULL);
    381 
    382         mei_disable_interrupts(mei_dev);
    383 
--> 384         mei_deregister(mei_dev);

Then it leads to a crash here.

    385 
    386         return ret;
    387 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-06-10 15:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-10 15:22 [bug report] mei: fix error flow in probe Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.