tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next head: 9682c35ff6ecd76d9462d4749b8b413d3e8e605e commit: 667ecac55861281c1f5e107c8550ae893b3984f6 [5/12] usb: typec: ucsi: return CCI and message from sync_control callback config: csky-randconfig-r072-20250204 (https://download.01.org/0day-ci/archive/20250205/202502050227.tDYOqQsX-lkp@xxxxxxxxx/config) compiler: csky-linux-gcc (GCC) 14.2.0 If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@xxxxxxxxx> | Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> | Closes: https://lore.kernel.org/r/202502050227.tDYOqQsX-lkp@xxxxxxxxx/ New smatch warnings: drivers/usb/typec/ucsi/ucsi.c:88 ucsi_sync_control_common() error: we previously assumed 'cci' could be null (see line 84) Old smatch warnings: drivers/usb/typec/ucsi/ucsi.c:746 ucsi_get_pd_caps() warn: passing zero to 'ERR_PTR' drivers/usb/typec/ucsi/ucsi.c:1456 ucsi_dr_swap() warn: missing error code 'ret' vim +/cci +88 drivers/usb/typec/ucsi/ucsi.c 667ecac55861281 Dmitry Baryshkov 2025-01-20 58 int ucsi_sync_control_common(struct ucsi *ucsi, u64 command, u32 *cci, 667ecac55861281 Dmitry Baryshkov 2025-01-20 59 void *data, size_t size) 584e8df58942338 Dmitry Baryshkov 2024-06-27 60 { 584e8df58942338 Dmitry Baryshkov 2024-06-27 61 bool ack = UCSI_COMMAND(command) == UCSI_ACK_CC_CI; 584e8df58942338 Dmitry Baryshkov 2024-06-27 62 int ret; 584e8df58942338 Dmitry Baryshkov 2024-06-27 63 584e8df58942338 Dmitry Baryshkov 2024-06-27 64 if (ack) 584e8df58942338 Dmitry Baryshkov 2024-06-27 65 set_bit(ACK_PENDING, &ucsi->flags); 584e8df58942338 Dmitry Baryshkov 2024-06-27 66 else 584e8df58942338 Dmitry Baryshkov 2024-06-27 67 set_bit(COMMAND_PENDING, &ucsi->flags); 584e8df58942338 Dmitry Baryshkov 2024-06-27 68 e37b383df91ba9b Łukasz Bartosik 2024-12-03 69 reinit_completion(&ucsi->complete); e37b383df91ba9b Łukasz Bartosik 2024-12-03 70 584e8df58942338 Dmitry Baryshkov 2024-06-27 71 ret = ucsi->ops->async_control(ucsi, command); 584e8df58942338 Dmitry Baryshkov 2024-06-27 72 if (ret) 584e8df58942338 Dmitry Baryshkov 2024-06-27 73 goto out_clear_bit; 584e8df58942338 Dmitry Baryshkov 2024-06-27 74 584e8df58942338 Dmitry Baryshkov 2024-06-27 75 if (!wait_for_completion_timeout(&ucsi->complete, 5 * HZ)) 584e8df58942338 Dmitry Baryshkov 2024-06-27 76 ret = -ETIMEDOUT; 584e8df58942338 Dmitry Baryshkov 2024-06-27 77 584e8df58942338 Dmitry Baryshkov 2024-06-27 78 out_clear_bit: 584e8df58942338 Dmitry Baryshkov 2024-06-27 79 if (ack) 584e8df58942338 Dmitry Baryshkov 2024-06-27 80 clear_bit(ACK_PENDING, &ucsi->flags); 584e8df58942338 Dmitry Baryshkov 2024-06-27 81 else 584e8df58942338 Dmitry Baryshkov 2024-06-27 82 clear_bit(COMMAND_PENDING, &ucsi->flags); 584e8df58942338 Dmitry Baryshkov 2024-06-27 83 667ecac55861281 Dmitry Baryshkov 2025-01-20 @84 if (!ret && cci) ^^^ This code assumes cci can be NULL 667ecac55861281 Dmitry Baryshkov 2025-01-20 85 ret = ucsi->ops->read_cci(ucsi, cci); 667ecac55861281 Dmitry Baryshkov 2025-01-20 86 667ecac55861281 Dmitry Baryshkov 2025-01-20 87 if (!ret && data && 667ecac55861281 Dmitry Baryshkov 2025-01-20 @88 (*cci & UCSI_CCI_COMMAND_COMPLETE)) ^^^^ But here it's dereferenced without checking 667ecac55861281 Dmitry Baryshkov 2025-01-20 89 ret = ucsi->ops->read_message_in(ucsi, data, size); 667ecac55861281 Dmitry Baryshkov 2025-01-20 90 584e8df58942338 Dmitry Baryshkov 2024-06-27 91 return ret; 584e8df58942338 Dmitry Baryshkov 2024-06-27 92 } -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
