Hello Shayne Chen,
The patch 0a17329ae9c1: "mt76: mt7915: add debugfs knob for RF
registers read/write" from Apr 18, 2022, leads to the following
Smatch static checker warning:
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:3757 mt7915_mcu_rf_regval()
error: potentially dereferencing uninitialized 'skb'.
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
3734 int mt7915_mcu_rf_regval(struct mt7915_dev *dev, u32 regidx, u32 *val, bool set)
3735 {
3736 struct {
3737 __le32 idx;
3738 __le32 ofs;
3739 __le32 data;
3740 } __packed req = {
3741 .idx = cpu_to_le32(u32_get_bits(regidx, GENMASK(31, 28))),
3742 .ofs = cpu_to_le32(u32_get_bits(regidx, GENMASK(27, 0))),
3743 .data = set ? cpu_to_le32(*val) : 0,
3744 };
3745 struct sk_buff *skb;
3746 int ret;
3747
3748 if (set)
3749 return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(RF_REG_ACCESS),
3750 &req, sizeof(req), false);
3751
3752 ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_QUERY(RF_REG_ACCESS),
3753 &req, sizeof(req), true, &skb);
Presumably this has been tested and the static checker is wrong...
But how the heck is send_and_get even supposed to work? If the device
has a ->mcu_send_msg() op then it calls send. The mt76_mcu_send_msg()
function uses send_and_get so that means the device has a
->mcu_send_msg() op. So it will never ever do a get() only sends...
But that can't be true! What is going on???
I've complained about this code before. Nobody could explain it. Other
people had wrong answers for how it worked so I'm not the only person
confused by it.
Update: Oh... *Groan*. Send does *not* rely on ->mcu_send_msg(). It
will still send if we don't have that op. So what must be happening is
that the caller *knows* that the op is NULL. The only way this code can
work is when ->mcu_send_msg is NULL. :/
3754 if (ret)
3755 return ret;
3756
--> 3757 *val = le32_to_cpu(*(__le32 *)(skb->data + 8));
3758 dev_kfree_skb(skb);
3759
3760 return 0;
3761 }
regards,
dan carpenter
