Hello Stanley Chang,
The patch 8a590d7371f0: "extcon: add Realtek DHC RTD SoC Type-C
driver" from Sep 4, 2023 (linux-next), leads to the following Smatch
static checker warning:
drivers/extcon/extcon-rtk-type-c.c:905 __updated_type_c_parameter_by_efuse()
error: 'buf' dereferencing possible ERR_PTR()
drivers/extcon/extcon-rtk-type-c.c
873 static int __updated_type_c_parameter_by_efuse(struct type_c_data *type_c)
874 {
875 struct type_c_cfg *type_c_cfg = type_c->type_c_cfg;
876 struct cc_param *cc_param;
877 struct nvmem_cell *cell;
878 s8 cc1_4p7k = 0;
879 s8 cc1_12k = 0;
880 s8 cc1_0p2v = 0;
881 s8 cc1_0p8v = 0;
882 s8 cc1_2p6v = 0;
883 s8 cc1_0p66v = 0;
884 s8 cc1_1p23v = 0;
885 s8 cc2_4p7k = 0;
886 s8 cc2_12k = 0;
887 s8 cc2_0p2v = 0;
888 s8 cc2_0p8v = 0;
889 s8 cc2_2p6v = 0;
890 s8 cc2_0p66v = 0;
891 s8 cc2_1p23v = 0;
892
893 cell = nvmem_cell_get(type_c->dev, "usb-cal");
894 if (IS_ERR(cell)) {
895 dev_warn(type_c->dev, "%s failed to get usb-cal: %ld\n",
896 __func__, PTR_ERR(cell));
897 } else {
898 unsigned char *buf;
899 size_t buf_size;
900 int value_size = 4;
901 int value_mask = (BIT(value_size) - 1);
902
903 buf = nvmem_cell_read(cell, &buf_size);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This does a variable size allocation. Not sure how large. But
allocations need to be checked for failure.
904
--> 905 cc1_0p2v = get_value((buf[0] >> value_size * 0) & value_mask);
^^^^^^
Or it leads to a crash.
906 cc1_0p8v = get_value((buf[0] >> value_size * 1) & value_mask);
907 cc1_2p6v = get_value((buf[1] >> value_size * 0) & value_mask);
908 cc1_0p66v = get_value((buf[1] >> value_size * 1) & value_mask);
909 cc1_1p23v = get_value((buf[2] >> value_size * 0) & value_mask);
910
911 cc2_0p2v = get_value((buf[3] >> value_size * 0) & value_mask);
912 cc2_0p8v = get_value((buf[3] >> value_size * 1) & value_mask);
913 cc2_2p6v = get_value((buf[4] >> value_size * 0) & value_mask);
914 cc2_0p66v = get_value((buf[4] >> value_size * 1) & value_mask);
915 cc2_1p23v = get_value((buf[5] >> value_size * 0) & value_mask);
916
917 cc1_4p7k = get_value((buf[6] >> value_size * 0) & value_mask);
918 cc1_12k = get_value((buf[6] >> value_size * 1) & value_mask);
919 cc2_4p7k = get_value((buf[7] >> value_size * 0) & value_mask);
920 cc2_12k = get_value((buf[7] >> value_size * 1) & value_mask);
921
922 kfree(buf);
923 nvmem_cell_put(cell);
924 }
925
926 dev_dbg(type_c->dev, "check efuse cc1_4p7k=%d cc1_12k=%d cc2_4p7k=%d cc2_12k=%d\n",
927 cc1_4p7k, cc1_12k, cc2_4p7k, cc2_12k);
928 dev_dbg(type_c->dev, "check efuse cc1_0p2v=%d cc1_0p8v=%d cc1_2p6v=%d cc1_0p66v=%d cc1_1p23v=%d\n",
929 cc1_0p2v, cc1_0p8v, cc1_2p6v, cc1_0p66v, cc1_1p23v);
930 dev_dbg(type_c->dev, "check efuse cc2_0p2v=%d cc2_0p8v=%d cc2_2p6v=%d cc2_0p66v=%d cc2_1p23v=%d\n",
931 cc2_0p2v, cc2_0p8v, cc2_2p6v, cc2_0p66v, cc2_1p23v);
932
933 cc_param = &type_c_cfg->cc1_param;
934 cc_param->rp_4p7k_code = cc_param->rp_4p7k_code + cc1_4p7k;
935 cc_param->rp_12k_code = cc_param->rp_12k_code + cc1_12k;
936
937 cc_param->vref_1p23v = cc_param->vref_1p23v + cc1_1p23v;
938 cc_param->vref_0p66v = cc_param->vref_0p66v + cc1_0p66v;
939 cc_param->vref_2p6v = cc_param->vref_2p6v + cc1_2p6v;
940 cc_param->vref_0p8v = cc_param->vref_0p8v + cc1_0p8v;
941 cc_param->vref_0p2v = cc_param->vref_0p2v + cc1_0p2v;
942
943 cc_param = &type_c_cfg->cc2_param;
944 cc_param->rp_4p7k_code = cc_param->rp_4p7k_code + cc2_4p7k;
945 cc_param->rp_12k_code = cc_param->rp_12k_code + cc2_12k;
946
947 cc_param->vref_1p23v = cc_param->vref_1p23v + cc2_1p23v;
948 cc_param->vref_0p66v = cc_param->vref_0p66v + cc2_0p66v;
949 cc_param->vref_2p6v = cc_param->vref_2p6v + cc2_2p6v;
950 cc_param->vref_0p8v = cc_param->vref_0p8v + cc2_0p8v;
951 cc_param->vref_0p2v = cc_param->vref_0p2v + cc2_0p2v;
952
953 return 0;
954 }
regards,
dan carpenter
