From: sashiko-bot@kernel.org
To: "Markus Elfring" <Markus.Elfring@web.de>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH] PCI: pnv_php: Use common error handling code in pnv_php_alloc_slot()
Date: Thu, 11 Jun 2026 09:33:11 +0000 [thread overview]
Message-ID: <20260611093312.0F7371F00893@smtp.kernel.org> (raw)
In-Reply-To: <5cd04727-44c5-4ace-af86-d3c227234d4b@web.de>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] The patch introduces spaghetti code by placing an error cleanup label inside the body of an intermediate 'if' block.
Pre-existing issues:
- [High] Calling SLOT_WARN() when alloc_workqueue() fails causes a NULL pointer dereference because php_slot->bus is uninitialized.
--
commit fc5acb6d5ef23950f12a496bbb0ba6bddebe9f87
Author: Markus Elfring <elfring@users.sourceforge.net>
PCI: pnv_php: Use common error handling code in pnv_php_alloc_slot()
This commit introduces a new goto label to reuse error handling when allocating
a PCI hotplug slot in pnv_php.
> diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
> index ff92a5c301b81..e448f18020026 100644
> --- a/drivers/pci/hotplug/pnv_php.c
> +++ b/drivers/pci/hotplug/pnv_php.c
[ ... ]
> @@ -791,16 +791,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn)
[ ... ]
> /* Allocate workqueue for this slot's interrupt handling */
> php_slot->wq = alloc_workqueue("pciehp-%s", WQ_PERCPU, 0, php_slot->name);
> if (!php_slot->wq) {
> SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
[Severity: High]
This is a pre-existing issue, but can this call to SLOT_WARN() cause a NULL
pointer dereference?
Looking at pnv_php_alloc_slot(), php_slot->pdev and php_slot->bus are not
initialized until much later in the function. Since the structure is
kzalloc'd, SLOT_WARN() will evaluate with a NULL php_slot->pdev and fall back
to dev_warn(&(sl)->bus->dev, ...).
Because php_slot->bus is also NULL here, this calculates an offset from a NULL
pointer and passes it to dev_warn(), which will crash when it attempts to read
the device name.
> kfree(php_slot->name);
> +free_php_slot:
[Severity: Low]
Does placing a cleanup label inside an intermediate if block obscure the
control flow?
Standard kernel coding style typically places cleanup labels sequentially at
the end of the function rather than embedding them inside failure paths.
> kfree(php_slot);
> return NULL;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/5cd04727-44c5-4ace-af86-d3c227234d4b@web.de?part=1
prev parent reply other threads:[~2026-06-11 9:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 9:25 [PATCH] PCI: pnv_php: Use common error handling code in pnv_php_alloc_slot() Markus Elfring
2026-06-11 9:33 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611093312.0F7371F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Markus.Elfring@web.de \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox