From patchwork Tue May 16 11:09:03 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 99861
From: Arnd Bergmann
To: Srinivas Pandruvada, Jiri Kosina
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org, arnd@arndb.de
Subject: [PATCH 1/5] HID: intel_ish-hid: fix potential uninitialized data usage
Date: Tue, 16 May 2017 13:09:03 +0200
Message-Id: <20170516110907.3545799-2-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170516110907.3545799-1-arnd@arndb.de>
References: <20170516110907.3545799-1-arnd@arndb.de>
X-Mailing-List: linux-input@vger.kernel.org

gcc points out an uninitialized pointer dereference that could happen if we ever get to recv_ishtp_cl_msg_dma() or recv_ishtp_cl_msg() with an empty &dev->read_list:

drivers/hid/intel-ish-hid/ishtp/client.c: In function 'recv_ishtp_cl_msg_dma':
drivers/hid/intel-ish-hid/ishtp/client.c:1049:3: error: 'cl' may be used uninitialized in this function [-Werror=maybe-uninitialized]

The warning
only appeared in very few randconfig builds, as the spinlocks tend to prevent gcc from tracing the variables. I only saw it in configurations that had neither SMP nor LOCKDEP enabled. I have not been able to figure out whether this case can happen in practice, but it's better to be defensive here and handle the case explicitly by returning from the function. Signed-off-by: Arnd Bergmann --- drivers/hid/intel-ish-hid/ishtp/client.c | 10 ++++++++++ 1 file changed, 10 insertions(+) -- 2.9.0 -- To unsubscribe from this list: send the line "unsubscribe linux-input" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/hid/intel-ish-hid/ishtp/client.c b/drivers/hid/intel-ish-hid/ishtp/client.c index aad61328f282..69c9d43612ec 100644 --- a/drivers/hid/intel-ish-hid/ishtp/client.c +++ b/drivers/hid/intel-ish-hid/ishtp/client.c @@ -829,6 +829,11 @@ void recv_ishtp_cl_msg(struct ishtp_device *dev, } spin_lock_irqsave(&dev->read_list_spinlock, dev_flags); + if (list_empty(&dev->read_list.list)) { + spin_unlock_irqrestore(&dev->read_list_spinlock, dev_flags); + goto eoi; + } + rb_count = -1; list_for_each_entry(rb, &dev->read_list.list, list) { ++rb_count; @@ -954,6 +959,11 @@ void recv_ishtp_cl_msg_dma(struct ishtp_device *dev, void *msg, unsigned long flags; spin_lock_irqsave(&dev->read_list_spinlock, dev_flags); + if (list_empty(&dev->read_list.list)) { + spin_unlock_irqrestore(&dev->read_list_spinlock, dev_flags); + goto eoi; + } + list_for_each_entry(rb, &dev->read_list.list, list) { cl = rb->cl; if (!cl || !(cl->host_client_id == hbm->host_client_id &&
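Review bot: The early exit added after spin_lock_irqsave() in recv_ishtp_cl_msg() (hunk at -829) leaves through eoi without any trace, and the commit message says it is not known whether an empty read_list can occur here. A one-line comment above the list_empty() check stating that the guard exists for the gcc maybe-uninitialized warning would keep a later cleanup from removing it as dead code. The eoi label lies outside the hunk, so it is also worth confirming that nothing between this point and eoi depends on rb_count having been set, since the new path jumps before `rb_count = -1`.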
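Review bot: In recv_ishtp_cl_msg_dma() (hunk at -954) the list_empty() guard covers only the empty-list path. With a non-empty list the loop assigns `cl = rb->cl` on every iteration, and the visible `!cl ||` test shows that value can be NULL, so when no entry matches, cl is left holding the last entry's client or NULL once the loop ends. If the use gcc reports at client.c:1049 sits after the loop, initializing cl to NULL at its declaration and checking it at that use would handle both the empty-list and the no-match case, and would avoid duplicating the unlock-and-goto block in two functions.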