On Fri, Oct 08, 2021 at 04:03:10PM +0200, Johannes Berg wrote:
> On Fri, 2021-10-08 at 16:00 +0300, Dan Carpenter wrote:
> >
> >   1146  ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_CMD_EFUSE_ACCESS, &req,
> >   1147                                  sizeof(req), true, &skb);
> >
> > If mt76_mcu_send_and_get_msg() calls the dev->mcu_ops->mcu_send_msg()
> > then "skb" is not initialized.
> >
> >   1148  if (ret)
> >   1149      return ret;
> >   1150
> > --> 1151  res = (struct mt7921_mcu_eeprom_info *)skb->data;
>
> Looks like possibly 'skb' is always initialized if
> mt76_mcu_send_and_get_msg() returns 0 (success)?
>

This build is with cross function analysis enabled so Smatch looks for
that.  The problem is that the caller has to know if
dev->mcu_ops->mcu_send_msg is NULL or not because if it's non-NULL "skb"
is not set.  Perhaps that means it should be separated into two functions
and we pick which one to call depending on whether the pointer is set.

drivers/net/wireless/mediatek/mt76/mcu.c
    54  int mt76_mcu_send_and_get_msg(struct mt76_dev *dev, int cmd, const void *data,
    55                                int len, bool wait_resp, struct sk_buff **ret_skb)
                                                                                ^^^^^^^
This is the parameter.

    56  {
    57          struct sk_buff *skb;
    58
    59          if (dev->mcu_ops->mcu_send_msg)
    60                  return dev->mcu_ops->mcu_send_msg(dev, cmd, data, len, wait_resp);

The function pointer doesn't set *ret_skb at all.

    61
    62          skb = mt76_mcu_msg_alloc(dev, data, len);
    63          if (!skb)
    64                  return -ENOMEM;
    65
    66          return mt76_mcu_skb_send_and_get_msg(dev, skb, cmd, wait_resp, ret_skb);

But this does.

    67  }

regards,
dan carpenter
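A defensive variant of the helper, as an added example that is not Dan's patch and not the mt76 driver's code: instead of the two-function split he suggests, the out-parameter is made NULL on entry and the function-pointer path refuses a caller that asks for an skb, so a 0 return can never sit beside an indeterminate pointer. The struct layouts, fake_send_msg, the placeholder command id and the echo-back "response" are all constructed stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the mt76 types; not the driver's own definitions. */
struct sk_buff { unsigned char data[32]; };
struct mt76_dev {
	const struct mt76_mcu_ops *mcu_ops;
	struct sk_buff resp; /* stand-in for a firmware response buffer */
};
struct mt76_mcu_ops { /* optional path that sends but never produces an skb */
	int (*mcu_send_msg)(struct mt76_dev *, int, const void *, int, bool);
};

/* Hardened helper: *ret_skb is defined on every return, and the path that
 * produces no skb refuses a caller asking for one rather than returning 0. */
static int mcu_send_and_get_msg_checked(struct mt76_dev *dev, int cmd,
					const void *data, int len,
					bool wait_resp, struct sk_buff **ret_skb)
{
	if (ret_skb)
		*ret_skb = NULL;
	if (dev->mcu_ops->mcu_send_msg) {
		if (ret_skb)
			return -EOPNOTSUPP; /* no skb exists on this path */
		return dev->mcu_ops->mcu_send_msg(dev, cmd, data, len, wait_resp);
	}
	/* skb path, modelled here by echoing the request into the response */
	if (len < 0 || (size_t)len > sizeof(dev->resp.data))
		return -EINVAL;
	memcpy(dev->resp.data, data, (size_t)len);
	if (ret_skb)
		*ret_skb = &dev->resp;
	return 0;
}

/* Stand-in for a driver whose mcu_send_msg reports success but sets no skb. */
static int fake_send_msg(struct mt76_dev *d, int c, const void *p, int n, bool w)
{ (void)d; (void)c; (void)p; (void)n; (void)w; return 0; }

/* Caller in the shape of the eeprom read: it dereferences skb only after a 0
 * return. Returns the first response byte, or a negative errno. */
static int read_first_byte(struct mt76_dev *dev, const void *req, int req_len)
{
	struct sk_buff *skb;
	int ret = mcu_send_and_get_msg_checked(dev, 1 /* placeholder cmd id */,
					       req, req_len, true, &skb);
	if (ret)
		return ret;
	return skb->data[0];
}
```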