From: Dan Carpenter <dan.carpenter@oracle.com>
To: Dudley Du <dudl@cypress.com>
Cc: "linux-input@vger.kernel.org" <linux-input@vger.kernel.org>
Subject: Re: Input: cyapa - add gen5 trackpad device basic functions support
Date: Thu, 22 Jan 2015 11:31:00 +0300
Message-ID: <20150122083100.GI6507@mwanda>
In-Reply-To: <BN1PR06MB070851B957DB3FB5E40BDEFD1490@BN1PR06MB070.namprd06.prod.outlook.com>
On Thu, Jan 22, 2015 at 01:50:59AM +0000, Dudley Du wrote:
> Hi Carpenter,
>
> Thanks for the information.
> Could you indicate the tool and the command to generate this warning message?
>
This is a Smatch warning.
> In the code,
> 1) length = *gen5_pip->resp_len to get the expected response length,
> 2) then cyapa_empty_pip_output_data() tries to poll the response data with the expected length,
> 3) at last, the length stores the real response length that it got in the polling function.
> 4) if the real response length is not 0, then assign the real response to replace the expected response length.
The error message is that we dereferenced gen5_pip->resp_len before we
checked whether it was NULL. I believe you are saying that
cyapa_empty_pip_output_data() can modify "gen5_pip->resp_len" so we
need to do the check for NULL.
The problem is that I don't see where "gen5_pip->resp_len" gets changed
inside cyapa_empty_pip_output_data(). Smatch is supposed to do cross
function analysis and detect this but it doesn't see the modification
either. I have been working on this code recently in Smatch so Smatch
may be buggy.
Can you help me out here so I can improve the tools?
According to Smatch "gen5_pip->resp_len" is set in two different
functions.
$ smdb where cyapa_gen5_cmd_states resp_len
drivers/input/mouse/cyapa_gen5.c | cyapa_gen5_initialize | (struct cyapa_gen5_cmd_states)->resp_len | 0
drivers/input/mouse/cyapa_gen5.c | cyapa_i2c_pip_cmd_irq_sync | (struct cyapa_gen5_cmd_states)->resp_len | 0,4096-2117777777777777777
Also I looked at the call tree to see if cyapa_empty_pip_output_data
calls cyapa_i2c_pip_cmd_irq_sync but it doesn't.
$ smdb call_tree cyapa_i2c_pip_cmd_irq_sync | grep cyapa_empty_pip_output_data
But, uh.. it's been years since I tried looking at the call_tree code
so I have no idea if it works...
regards,
dan carpenter
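
The warning discussed in this message (a pointer dereferenced before it is checked for NULL), as a constructed C illustration added here; it is not code from the cyapa driver or from either poster. struct pip_state, drain_output() and both sync_* functions are hypothetical names that follow the four steps quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver state; only resp_len matters here. */
struct pip_state {
	int *resp_len;	/* caller-supplied in/out length, may be NULL */
};

/* Constructed stub for the polling step: at most 8 bytes were queued. */
static int drain_output(int *len)
{
	if (*len > 8)
		*len = 8;
	return 0;
}

/*
 * Flagged pattern: resp_len is dereferenced first and tested for NULL
 * afterwards. Either the test is dead code or the first line can fault.
 * Must not be called with st->resp_len == NULL.
 */
static int sync_flagged(struct pip_state *st)
{
	int length = *st->resp_len;	/* dereference */

	drain_output(&length);
	if (st->resp_len && length)	/* check arrives too late */
		*st->resp_len = length;
	return length;
}

/* Consistent version: every use of the pointer is guarded the same way. */
static int sync_checked(struct pip_state *st)
{
	int length = st->resp_len ? *st->resp_len : 0;

	drain_output(&length);
	if (st->resp_len && length)
		*st->resp_len = length;
	return length;
}

int main(void)
{
	int n = 64;
	struct pip_state st = { &n }, none = { NULL };

	printf("%d %d\n", sync_flagged(&st), sync_checked(&none));
	return 0;
}
```

If the pointer can never be NULL at this point, the other consistent resolution is to drop the late check instead of guarding the first dereference.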