linux-wireless.vger.kernel.org archive mirror
* [bug report] nfc: st-nci: Move loopback usage from HCI to NCI
@ 2016-07-07 15:49 Dan Carpenter
From: Dan Carpenter @ 2016-07-07 15:49 UTC (permalink / raw)
  To: christophe.ricard; +Cc: linux-wireless

Hello Christophe Ricard,

The patch 3aacd7fe552b: "nfc: st-nci: Move loopback usage from HCI to
NCI" from Apr 30, 2016, leads to the following static checker warning:

	drivers/nfc/st-nci/vendor_cmds.c:351 st_nci_loopback()
	error: potentially dereferencing uninitialized 'skb'.

drivers/nfc/st-nci/vendor_cmds.c
   336  static int st_nci_loopback(struct nfc_dev *dev, void *data,
   337                             size_t data_len)
   338  {
   339          int r;
   340          struct sk_buff *msg, *skb;
   341          struct nci_dev *ndev = nfc_get_drvdata(dev);
   342  
   343          if (data_len <= 0)
   344                  return -EPROTO;
   345  
   346          r = nci_nfcc_loopback(ndev, data, data_len, &skb);
   347          if (r < 0)
   348                  return r;
   349  
   350          msg = nfc_vendor_cmd_alloc_reply_skb(dev, ST_NCI_VENDOR_OUI,
   351                                               LOOPBACK, skb->len);


This bug is slightly complicated to analyze.

The complaint is basically that nci_nfcc_loopback() can return positive
error codes like ENOMEM instead of -ENOMEM.  The reason is that
nci_req_complete() normally takes some sort of custom positive
error code like NCI_STATUS_REJECTED.  Later on we transform it to
a negative kernel error code.

But there are two callers in nci_hci_data_received_cb() which pass regular
kernel error codes to nci_req_complete().

   352          if (!msg) {
   353                  r = -ENOMEM;
   354                  goto free_skb;
   355          }
   356  
   357          if (nla_put(msg, NFC_ATTR_VENDOR_DATA, skb->len, skb->data)) {
   358                  kfree_skb(msg);
   359                  r = -ENOBUFS;
   360                  goto free_skb;
   361          }
   362  
   363          r = nfc_vendor_cmd_reply(msg);
   364  free_skb:
   365          kfree_skb(skb);
   366          return r;
   367  }

regards,
dan carpenter
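As an added illustration that is not part of the report or of the kernel, the following constructed user-space model (all names are hypothetical: model_status_to_errno, model_loopback, caller_checks_negative_only, caller_checks_nonzero) shows how a positive errno handed to a layer that expects positive device status codes escapes the sign conversion, slips past an `r < 0` check, and leaves the never-assigned output buffer in use; the second caller treats any nonzero return as a failure and normalizes it to the negative kernel convention.

```c
/* Constructed user-space model of the report's sign mismatch; not kernel code. */
#include <errno.h>

/* Stand-ins for NCI-style status codes: positive, device-defined values. */
#define MODEL_STATUS_OK        0x00
#define MODEL_STATUS_REJECTED  0x01

/* Map a positive NCI-style status to a negative kernel-style error. A plain
 * positive errno (ENOMEM where -ENOMEM was meant) is unknown and passes through. */
static int model_status_to_errno(int status)
{
	switch (status) {
	case MODEL_STATUS_OK:       return 0;
	case MODEL_STATUS_REJECTED: return -EIO;
	default:                    return status;
	}
}

/* Simulated loopback request: 'status' is what the completion callback handed
 * to the request layer; *buf is assigned only on success, like &skb above. */
static int model_loopback(int status, const char **buf)
{
	int r = model_status_to_errno(status);
	if (r == 0)
		*buf = "loopback reply";
	return r;
}

/* The check from the report: only negative values count as errors, so a
 * positive ENOMEM falls through; "<stack garbage>" stands in for uninitialized memory. */
static int caller_checks_negative_only(int status, const char **out)
{
	const char *buf = "<stack garbage>";
	int r = model_loopback(status, &buf);
	if (r < 0)
		return r;
	*out = buf;
	return 0;
}

/* Hardened caller: any nonzero return is a failure, normalized to negative errno. */
static int caller_checks_nonzero(int status, const char **out)
{
	const char *buf = 0;
	int r = model_loopback(status, &buf);
	if (r)
		return r < 0 ? r : -r;
	*out = buf;
	return 0;
}
```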

