[bug report] ALSA: usb-audio: qcom: Introduce QC USB SND offloading support

Linux Sound subsystem development
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@linaro.org>
To: Wesley Cheng <quic_wcheng@quicinc.com>
Cc: linux-sound@vger.kernel.org
Subject: [bug report] ALSA: usb-audio: qcom: Introduce QC USB SND offloading support
Date: Tue, 15 Apr 2025 13:45:51 +0300	[thread overview]
Message-ID: <Z_443_0ySk7a19w8@stanley.mountain> (raw)

Hello Wesley Cheng,

This is a semi-automatic email about new static checker warnings.

Commit 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND
offloading support") from Apr 9, 2025, leads to the following Smatch
complaint:

    sound/usb/qcom/qc_audio_offload.c:1454 prepare_qmi_response()
    warn: variable dereferenced before check 'subs->data_endpoint' (see line 1369)

sound/usb/qcom/qc_audio_offload.c
  1368		resp->std_as_opr_intf_desc_valid = 1;
  1369		ret = uaudio_endpoint_setup(subs, subs->data_endpoint, card_num,
                                                  ^^^^^^^^^^^^^^^^^^^
this dereferences subs->data_endpoint without checking for NULL

  1370					    &resp->xhci_mem_info.tr_data,
  1371					    &resp->std_as_data_ep_desc);
  1372		if (ret < 0)
  1373			goto err;
  1374	
  1375		resp->std_as_data_ep_desc_valid = 1;
  1376	
  1377		if (subs->sync_endpoint) {
  1378			ret = uaudio_endpoint_setup(subs, subs->sync_endpoint, card_num,
  1379						    &resp->xhci_mem_info.tr_sync,
  1380						    &resp->std_as_sync_ep_desc);
  1381			if (ret < 0)
  1382				goto drop_data_ep;
  1383	
  1384			resp->std_as_sync_ep_desc_valid = 1;
  1385		}
  1386	
  1387		resp->interrupter_num_valid = 1;
  1388		resp->controller_num_valid = 0;
  1389		ret = usb_get_controller_id(subs->dev);
  1390		if (ret >= 0) {
  1391			resp->controller_num = ret;
  1392			resp->controller_num_valid = 1;
  1393		}
  1394	
  1395		/* event ring */
  1396		ret = uaudio_event_ring_setup(subs, card_num,
  1397					      &resp->xhci_mem_info.evt_ring);
  1398		if (ret < 0)
  1399			goto drop_sync_ep;
  1400	
  1401		uaudio_qdev->er_mapped = true;
  1402		resp->interrupter_num = xhci_sideband_interrupter_id(uadev[card_num].sb);
  1403	
  1404		resp->speed_info = get_speed_info(subs->dev->speed);
  1405		if (resp->speed_info == USB_QMI_DEVICE_SPEED_INVALID_V01) {
  1406			ret = -ENODEV;
  1407			goto free_sec_ring;
  1408		}
  1409	
  1410		resp->speed_info_valid = 1;
  1411	
  1412		ret = uaudio_transfer_buffer_setup(subs, xfer_buf, req_msg->xfer_buff_size,
  1413						   &resp->xhci_mem_info.xfer_buff);
  1414		if (ret < 0) {
  1415			ret = -ENOMEM;
  1416			goto free_sec_ring;
  1417		}
  1418	
  1419		resp->xhci_mem_info_valid = 1;
  1420	
  1421		if (!atomic_read(&uadev[card_num].in_use)) {
  1422			kref_init(&uadev[card_num].kref);
  1423			init_waitqueue_head(&uadev[card_num].disconnect_wq);
  1424			uadev[card_num].num_intf =
  1425				subs->dev->config->desc.bNumInterfaces;
  1426			uadev[card_num].info = kcalloc(uadev[card_num].num_intf,
  1427						       sizeof(struct intf_info),
  1428						       GFP_KERNEL);
  1429			if (!uadev[card_num].info) {
  1430				ret = -ENOMEM;
  1431				goto unmap_er;
  1432			}
  1433			uadev[card_num].udev = subs->dev;
  1434			atomic_set(&uadev[card_num].in_use, 1);
  1435		} else {
  1436			kref_get(&uadev[card_num].kref);
  1437		}
  1438	
  1439		uadev[card_num].usb_core_id = resp->controller_num;
  1440	
  1441		/* cache intf specific info to use it for unmap and free xfer buf */
  1442		uadev[card_num].info[info_idx].data_xfer_ring_va =
  1443						IOVA_MASK(resp->xhci_mem_info.tr_data.va);
  1444		uadev[card_num].info[info_idx].data_xfer_ring_size = PAGE_SIZE;
  1445		uadev[card_num].info[info_idx].sync_xfer_ring_va =
  1446						IOVA_MASK(resp->xhci_mem_info.tr_sync.va);
  1447		uadev[card_num].info[info_idx].sync_xfer_ring_size = PAGE_SIZE;
  1448		uadev[card_num].info[info_idx].xfer_buf_va =
  1449						IOVA_MASK(resp->xhci_mem_info.xfer_buff.va);
  1450		uadev[card_num].info[info_idx].xfer_buf_pa =
  1451						resp->xhci_mem_info.xfer_buff.pa;
  1452		uadev[card_num].info[info_idx].xfer_buf_size =
  1453						resp->xhci_mem_info.xfer_buff.size;
  1454		uadev[card_num].info[info_idx].data_ep_pipe = subs->data_endpoint ?
                                                              ^^^^^^^^^^^^^^^^^^^
So this check is too late

  1455							subs->data_endpoint->pipe : 0;
  1456		uadev[card_num].info[info_idx].sync_ep_pipe = subs->sync_endpoint ?

regards,
dan carpenter

next             reply	other threads:[~2025-04-15 10:45 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-15 10:45 Dan Carpenter [this message]
  -- strict thread matches above, loose matches on Subject: below --
2025-04-15 10:47 [bug report] ALSA: usb-audio: qcom: Introduce QC USB SND offloading support Dan Carpenter
2025-04-15 10:46 Dan Carpenter
2025-04-15 10:46 Dan Carpenter
2025-04-15 10:27 Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z_443_0ySk7a19w8@stanley.mountain \
    --to=dan.carpenter@linaro.org \
    --cc=linux-sound@vger.kernel.org \
    --cc=quic_wcheng@quicinc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox