Hi, thanks for the report.

> 47 buf = NULL;
>
> Condition rlen > 0, taking false branch.
>
> 48 if (rlen > 0) {
> 49 buf = kmalloc(rlen, GFP_KERNEL);
> 50 if (!buf)
> 51 return -ENOMEM;
> 52 }
>
> 53 usleep_range(1000, 2000); /* avoid I2C errors */
> 54
> CID 1470241 (#1 of 1): Explicit null dereferenced (FORWARD_NULL).
> var_deref_model: Passing null pointer buf to usb_control_msg, which
> dereferences it.
>
> 55 ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type,
> 56 value, index, buf, rlen, 2000);
>
>
> The assignment of buf = NULL means a null buffer is passed down the usb
> control message stack until it eventually gets dereferenced. This only
> occurs when rlen <= 0. I was unsure how to fix this for the case when
> rlen <= 0, so I am flagging this up as an issue that needs fixing.
>

Since rlen is a u16, a null pointer is passed only when rlen == 0, so I think it is not a problem, but I am OK to add a guard in order to make the scan result clean.

regards,
Akihiro
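The guard Akihiro offers to add, modelled in user space as an added example (not the driver's code and not part of this thread); `fake_control_msg`, `ctrl_read_model`, `ctrl_read_first_byte` and `narrow_len` are hypothetical stand-ins for the driver's kmalloc()/usb_control_msg() path, and the reply bytes are constructed.

```c
/* User-space model of the read path quoted above. Names are hypothetical;
 * the real driver calls kmalloc() and usb_control_msg(). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define DEMO_REPLY_BYTES 4   /* constructed reply the fake device returns */

/* Stand-in for usb_control_msg(): copies a constructed reply into buf.
 * Like the real function it assumes buf is valid memory whenever len > 0. */
static int fake_control_msg(uint8_t *buf, uint16_t len)
{
	static const uint8_t reply[DEMO_REPLY_BYTES] = { 0xde, 0xad, 0xbe, 0xef };
	size_t n = len < sizeof(reply) ? len : sizeof(reply);

	memcpy(buf, reply, n);   /* dereferences buf: NULL here would crash */
	return (int)n;
}

/* Read path with the guard: a zero-length read is rejected up front instead
 * of handing buf == NULL down the control-message stack. */
int ctrl_read_model(uint16_t rlen, uint8_t *out, size_t out_size)
{
	uint8_t *buf;
	int ret;

	if (rlen == 0)            /* rlen is u16, so this is the only "rlen <= 0" case */
		return -EINVAL;

	buf = malloc(rlen);       /* kmalloc(rlen, GFP_KERNEL) in the driver */
	if (!buf)
		return -ENOMEM;

	ret = fake_control_msg(buf, rlen);
	if (ret > 0 && out && out_size >= (size_t)ret)
		memcpy(out, buf, (size_t)ret);

	free(buf);
	return ret;
}

/* Convenience wrapper: first reply byte on success, the negative error otherwise. */
int ctrl_read_first_byte(uint16_t rlen)
{
	uint8_t out[DEMO_REPLY_BYTES] = { 0 };
	int ret = ctrl_read_model(rlen, out, sizeof(out));

	return ret < 0 ? ret : out[0];
}

/* What the u16 parameter does to a wider caller-supplied length: 0x10000 becomes 0,
 * i.e. exactly the case the guard catches. */
uint16_t narrow_len(int len)
{
	return (uint16_t)len;
}
```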