On 28/10/2020 12:00, Colin Ian King wrote:
> Hi,
>
> Static analysis of linux-next with Coverity has found a potential null
> pointer dereference issue with the following commit:
>
> commit 1b5c1be2c88e8445a20fa1929e26c37e7ca8c926
> Author: Nishanth Menon <nm@xxxxxx>
> Date: Mon Oct 29 15:01:45 2012 -0500
>
> PM / devfreq: map devfreq drivers to governor using name
>
>
> The analysis is as follows for devfreq_remove_governor in
> drivers/devfreq/devfreq.c
>
> 1312
>
> deref_ptr_in_call: Dereferencing pointer devfreq->governor.
>
> 1313 if (!strncmp(devfreq->governor->name, governor->name,
> 1314 DEVFREQ_NAME_LEN)) {
> 1315 /* we should have a devfreq governor! */
>
> Dereference before null check (REVERSE_INULL)
> check_after_deref: Null-checking devfreq->governor suggests that it may
> be null, but it has already been dereferenced on all paths leading to
> the check.
>
> 1316 if (!devfreq->governor) {
> 1317 dev_warn(dev, "%s: Governor %s NOT
> present\n",
> 1318 __func__, governor->name);
> 1319 continue;
> 1320 /* Fall through */
>
> So devfreq->governor->name is dereferencing devfreq->governor before a
> null check on devfreq->governor
>
> Colin
>
I forgot to mention, an identical issue also exists here:
1247 list_for_each_entry(devfreq, &devfreq_list, node) {
1248 int ret = 0;
1249 struct device *dev = devfreq->dev.parent;
1250
deref_ptr_in_call: Dereferencing pointer devfreq->governor.
1251 if (!strncmp(devfreq->governor->name, governor->name,
1252 DEVFREQ_NAME_LEN)) {
1253 /* The following should never occur */
Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking devfreq->governor suggests that it may
be null, but it has already been dereferenced on all paths leading to
the check.
1254 if (devfreq->governor) {
1255 dev_warn(dev,
1256 "%s: Governor %s already
present\n",
1257 __func__,
devfreq->governor->name);
