===================================================================
@@ -246,10 +246,8 @@ static int gen_ndis_query_resp(struct rn
/* mandatory */
case RNDIS_OID_GEN_MAXIMUM_FRAME_SIZE:
pr_debug("%s: RNDIS_OID_GEN_MAXIMUM_FRAME_SIZE\n", __func__);
- if (params->dev) {
- *outbuf = cpu_to_le32(params->dev->mtu);
- retval = 0;
- }
+ *outbuf = cpu_to_le32(params->dev->mtu);
+ retval = 0;
break;
/* mandatory */
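Review bot: With the guard gone, the `params->dev->mtu` read in the RNDIS_OID_GEN_MAXIMUM_FRAME_SIZE case depends entirely on a NULL check that lives in another function, and nothing at the dereference says so. The same applies to the RNDIS_OID_GEN_TRANSMIT_BLOCK_SIZE and RNDIS_OID_GEN_RECEIVE_BLOCK_SIZE cases in the next hunk. The description names rndis_query_response() as the only caller and the place where params->dev is tested, so I would record that contract at the top of gen_ndis_query_resp() (outside this hunk), for example `/* params->dev is non-NULL here: rndis_query_response() rejects a NULL dev before calling us */`. If params->dev can be cleared while a query is being processed (not visible from these hunks), neither the removed in-switch test nor the caller's test closes that window. In that case the description should say which lock or ordering rules it out.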
@@ -266,19 +264,15 @@ static int gen_ndis_query_resp(struct rn
/* mandatory */
case RNDIS_OID_GEN_TRANSMIT_BLOCK_SIZE:
pr_debug("%s: RNDIS_OID_GEN_TRANSMIT_BLOCK_SIZE\n", __func__);
- if (params->dev) {
- *outbuf = cpu_to_le32(params->dev->mtu);
- retval = 0;
- }
+ *outbuf = cpu_to_le32(params->dev->mtu);
+ retval = 0;
break;
/* mandatory */
case RNDIS_OID_GEN_RECEIVE_BLOCK_SIZE:
pr_debug("%s: RNDIS_OID_GEN_RECEIVE_BLOCK_SIZE\n", __func__);
- if (params->dev) {
- *outbuf = cpu_to_le32(params->dev->mtu);
- retval = 0;
- }
+ *outbuf = cpu_to_le32(params->dev->mtu);
+ retval = 0;
break;
/* mandatory */
@@ -405,21 +399,17 @@ static int gen_ndis_query_resp(struct rn
/* mandatory */
case RNDIS_OID_802_3_PERMANENT_ADDRESS:
pr_debug("%s: RNDIS_OID_802_3_PERMANENT_ADDRESS\n", __func__);
- if (params->dev) {
- length = ETH_ALEN;
- memcpy(outbuf, params->host_mac, length);
- retval = 0;
- }
+ length = ETH_ALEN;
+ memcpy(outbuf, params->host_mac, length);
+ retval = 0;
break;
/* mandatory */
case RNDIS_OID_802_3_CURRENT_ADDRESS:
pr_debug("%s: RNDIS_OID_802_3_CURRENT_ADDRESS\n", __func__);
- if (params->dev) {
- length = ETH_ALEN;
- memcpy(outbuf, params->host_mac, length);
- retval = 0;
- }
+ length = ETH_ALEN;
+ memcpy(outbuf, params->host_mac, length);
+ retval = 0;
break;
/* mandatory */
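Review bot: In the RNDIS_OID_802_3_PERMANENT_ADDRESS and RNDIS_OID_802_3_CURRENT_ADDRESS cases, `memcpy(outbuf, params->host_mac, length)` reads `params->host_mac`, which neither the removed test nor the caller check cited in the description covers; both concern `params->dev`. Dropping the test is consistent with that, but it leaves the ETH_ALEN-byte copy with no visible guarantee on its source pointer. If host_mac is always assigned before a query can arrive, a short comment stating so is enough, e.g. `/* host_mac is always set before queries are handled */`, once that is confirmed. Otherwise guard the pointer that is actually used with `if (!params->host_mac) break;` ahead of the copy, which keeps the old "leave retval untouched" behaviour. The function body starts and ends outside the hunk, so an earlier validation of host_mac may exist that is not shown here.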
In gen_ndis_query_resp(), params->dev is checked against NULL several times in the *switch* statement; however, first it gets passed to dev_get_stats() which dereferences it unconditionally. Moreover, params->dev is checked at the start of rndis_query_response() (our function's only caller) and error is returned if it's NULL, so the checks inside the *switch* appear totally redundant -- remove them. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> --- This patch is against the usb-next branch of Greg KH's usb.git repo. The previous attempt to deal with this issue by Jim Lin [1] got withdrawn, so 5 Svace's reports against this driver are stuck in our "debt" list since 2022 -- trying to move the situation forward now that I have some time... [1] https://lore.kernel.org/all/20220908175615.5095-1-jilin@nvidia.com/ drivers/usb/gadget/function/rndis.c | 34 ++++++++++++---------------------- 1 file changed, 12 insertions(+), 22 deletions(-)