and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wimax/i2400m/tx.c | 2 +-
1 file changed, 1 insert
usily wait.
This is not necessary and can be replaced with msleep() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wan/sbni.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/usb/hso.c | 2 +-
1 file changed
On 2018/4/10 23:01, Boris Ostrovsky wrote:
On 04/10/2018 10:31 AM, Jia-Ju Bai wrote:
On 2018/4/10 22:27, Boris Ostrovsky wrote:
On 04/09/2018 11:03 AM, Jia-Ju Bai wrote:
pcistub_probe() is never called in atomic context.
This function is only set as ".probe" in struct pci_driver
not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/xen/xen-pciback/pci_stub.c | 2 +-
1
gned-off-by: Jia-Ju Bai
---
drivers/staging/irda/drivers/irda-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/irda/drivers/irda-usb.c
b/drivers/staging/irda/drivers/irda-usb.c
index 723e49b..c6c8c2c 100644
--- a/drivers/staging/irda/drivers/irda-usb.c
+++ b
sy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/irda/drivers/irda-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/irda/drivers/irda-usb.c
sy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/can/sja1000/peak_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/sja1000/peak_pci.c
b/drivers/net/c
and can be replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/can/sja1000/peak_pcmcia.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/dsa/b53/b53_common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 274f367..e070ff6 100644
--- a/drivers/net/dsa/b53
e replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/dec/tulip/de4x5.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/d
ten by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/i40evf/i40evf_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c
b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
index 182
e replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/net/ieee802154/atusb.c | 2 +-
1 file changed, 1 inser
er getting called from atomic context, sxgbe_sw_reset()
calls mdelay() to busily wait.
This is not necessary and can be replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
--
h does not sleep for allocation.
GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
d
tten by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/mmc/host/wbsd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
index 546aaf8..6224d12 100644
--- a/drivers/mmc/host/wbsd.c
+++ b/drivers/mmc/host
sy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/mmc/host/wbsd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
index 546aaf
range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/mmc/host/wbsd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wb
necessary and can be replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/mtd/nand/diskonchip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions
laced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/misc/ti-st/st_kim.c | 2 +-
1 file changed, 1 insertion(+),
coherent() with GFP_ATOMIC,
which does not sleep for allocation.
GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signe
urb() with GFP_ATOMIC,
which does not sleep for allocation.
GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it
urb() with GFP_ATOMIC,
which does not sleep for allocation.
GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it
tomic context, fcpcipnp_setup()
calls mdelay() to busily wait.
This is not necessary and can be replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/hisax/his
lled from atomic context, fcpci_init()
calls mdelay() to busily wait.
This is not necessary and can be replaced with usleep_range() to
avoid busy waiting.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai
---
dr
On 2018/9/24 17:26, Jiri Kosina wrote:
On Thu, 13 Sep 2018, Jia-Ju Bai wrote:
hid_alloc_report_buf() has to be called with GFP_ATOMIC in
__hid_request(), because there are the following callchains
leading to __hid_request() being an atomic context:
picolcd_send_and_wait (acquire a spinlock
e can't sleep".
It's trickier to say for sure when you're not holding a lock...
Jia-Ju Bai is working on this. The tool is available on github. It's
still being improved, though, so perhaps it's not yet ready for eg 0-day
inclusion. He can give more details.
Th
.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtlwifi/halmac/rtl_halmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtlwifi/halmac/rtl_halmac.c
b/drivers/staging/rtlwifi/halmac/rtl_halmac.c
index 66f0a6dfc52c..e921a62e72a3 100644
--- a/drivers/staging
checked by
my code review.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index b26533983864
static analysis tool (DSAC-2) and checked by
my code review.
Signed-off-by: Jia-Ju Bai
---
drivers/staging/rtl8188eu/core/rtw_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_cmd.c
b/drivers/staging/rtl8188eu/core/rtw_cmd.c
index
On 2018/6/20 17:56, Dan Carpenter wrote:
On Wed, Jun 20, 2018 at 05:50:16PM +0800, Jia-Ju Bai wrote:
The driver may sleep with holding a spinlock.
The function call paths (from bottom to top) in Linux-4.16.7 are:
[FUNC] kzalloc(GFP_KERNEL)
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c, 323
pci_specified_resource_alignment
In fact, I suspect that my report is false, because I always have an
impression that printk() cannot sleep.
But according to the call path, I cannot find where I make the mistake...
So could someone please help me to point the mistake?
Best wishes,
Jia-Ju Bai
E?
The function could still return 0 in case the flag is set.
If it's only used in three locations, I think it would be better to
simply remove it from vsprintf() and have the three callers call
clk_get_rate() directly.
Agreed.
Best wishes,
Jia-Ju Bai
On 2018/5/31 22:08, Matthew Wilcox wrote:
On Thu, May 31, 2018 at 09:10:07PM +0800, Jia-Ju Bai wrote:
I write a static analysis tool (DSAC), and it finds that kfree() can sleep.
Here is the call path for kfree().
Please look at it *from the bottom up*.
[FUNC] alloc_pages(GFP_KERNEL)
arch
On 2018/5/31 22:09, Christopher Lameter wrote:
On Thu, 31 May 2018, Jia-Ju Bai wrote:
I write a static analysis tool (DSAC), and it finds that kfree() can sleep.
That should not happen.
Here is the call path for kfree().
Please look at it *from the bottom up*.
[FUNC] alloc_pages
tool does not follow the data flow well, and I need to
improve it.
In this case of kfree(), I want know how the data flow leads to my mistake.
Best wishes,
Jia-Ju Bai
On 2018/8/13 20:42, Paul E. McKenney wrote:
On Mon, Aug 13, 2018 at 05:26:49PM +0800, Jia-Ju Bai wrote:
On 2018/8/13 12:18, Paul E. McKenney wrote:
On Mon, Aug 13, 2018 at 11:04:10AM +0800, Jia-Ju Bai wrote:
The kernel may sleep with holding a spinlock.
The function call paths (from
ix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
mutex_unlock(&priv->conf_mutex) are moved to the places, which can
protect the accesses to the shared variable.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/st/cw1200/scan.c | 13 ++---
1 file changed, 6 i
ted by a spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai
---
drive
On 2018/12/18 19:11, Greg KH wrote:
On Tue, Dec 18, 2018 at 06:00:20PM +0800, Jia-Ju Bai wrote:
The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
be concurrently executed.
The two functions both access a possible shared variable "hep->hcpriv".
This share
ted by a spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai
---
v2:
*
urb->transfer_buffer;
Thus, a concurrency use-after-free bug may occur.
This possible bug is found by a static analysis tool written by myself.
Best wishes,
Jia-Ju Bai
On 2018/12/20 21:46, Johan Hovold wrote:
On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:
In drivers/usb/serial/garmin_gps.c,
the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
may be concurrently executed.
In garmin_write_bulk_callback() on line 969
On 2019/1/7 16:52, Greg KH wrote:
On Mon, Jan 07, 2019 at 04:47:43PM +0800, Jia-Ju Bai wrote:
The driver functions mxs_auart_settermios(), dma_rx_callback() and
dma_tx_callback() can be concurrently executed.
In Linux 4.19:
mxs_auart_settermios
mxs_auart_dma_exit
On 2019/1/7 16:57, Greg KH wrote:
On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and
hdlcdev_open() can be concurrently executed.
hdlcdev_open
startup
claim_resources
rx_alloc_buffers
ock_irqsave() in
nv_start_xmit() and nv_start_xmit_optimized() are moved to the
front of "prev_tx_ctx->skb = skb;"
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/nvidia/forcedeth.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/nvid
On 2019/1/8 20:54, Zhu Yanjun wrote:
在 2019/1/8 20:45, Jia-Ju Bai 写道:
In drivers/net/ethernet/nvidia/forcedeth.c, the functions
nv_start_xmit() and nv_start_xmit_optimized() can be concurrently
executed with nv_poll_controller().
nv_start_xmit
line 2321: prev_tx_ctx->skb =
ol written by myself and
my manual code review.
To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/i4l/isdn_tty.c | 6 +-
1 file changed, 5 insertions(+), 1 dele
On 2019/1/4 8:47, Benjamin Herrenschmidt wrote:
On Wed, 2018-12-26 at 21:56 +0800, Jia-Ju Bai wrote:
In drivers/fsi/fsi-sbefifo.c, the functions sbefifo_user_release(),
sbefifo_user_read() and sbefifo_user_write() may be concurrently executed.
So after refreshing my mind, looking at the
() are
added in sbefifo_user_release().
Signed-off-by: Jia-Ju Bai
---
drivers/fsi/fsi-sbefifo.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
index d92f5b87c251..e278a9014b8f 100644
--- a/drivers/fsi/fsi-sbefifo.c
+++ b/drivers/fs
-after-free bug may occur
in HFCPCI_l1hw().
To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
access to cs->tx_skb.
Signed-off-by: Jia-Ju Bai
---
drivers/isdn/hisax/hfc_pci.c | 2 ++
1 file changed, 2 insertions(+)
dif
ne 691: proto->prepare_tx(..., skb->len, ...)
Thus, a possible concurrency use-after-free bugs may occur.
To fix this bug, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in arcnet_reply_tasklet() to protect
dev_kfree_skb(lp->outgoing.skb).
Signed-off-by: Jia-Ju Ba
ossible fixing way is to use a lock to protect these accesses.
I am not sure about this way, so I only report the bugs.
Best wishes,
Jia-Ju Bai
ne 691: proto->prepare_tx(..., skb->len, ...)
Thus, a possible concurrency use-after-free bugs may occur.
To fix this bug, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in arcnet_reply_tasklet() to protect
dev_kfree_skb(lp->outgoing.skb).
Signed-off-by: Jia-Ju Bai
On 2018/10/9 17:07, Lee Jones wrote:
On Mon, 17 Sep 2018, Jia-Ju Bai wrote:
On 2018/9/17 9:03, Lee Jones wrote:
On Sat, 15 Sep 2018, Jia-Ju Bai wrote:
The driver may sleep in an interrupt handler.
The function call paths (from bottom to top) in Linux-4.17 are:
[FUNC] mutex_lock_nested
(), the bug fix is to remove the
calls to spin-lock and -unlock functions in coh901318_config().
Signed-off-by: Jia-Ju Bai
---
drivers/dma/coh901318.c | 4
1 file changed, 4 deletions(-)
diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c
index eebaba3d9e78..fd862a478738 100644
--- a
Thanks for the reply :)
On 2018/10/3 23:54, Takashi Iwai wrote:
On Wed, 03 Oct 2018 14:50:25 +0200,
Jia-Ju Bai wrote:
CPU0:
snd_trident_hw_free
snd_trident_free_voice
line 3870: spin_lock_irqsave()
line 3881: voice->substream = NULL; [WRITE]
C
On 2018/9/30 3:20, Jiri Kosina wrote:
On Sat, 29 Sep 2018, Jia-Ju Bai wrote:
picolcd_send_and_wait (acquire a spinlock)
hid_hw_request
__hid_request
hid_alloc_report_buf(GFP_KERNEL)
picolcd_reset (acquire a spinlock)
hid_hw_request
__hid_request
On 2018/10/4 13:24, Takashi Iwai wrote:
On Thu, 04 Oct 2018 05:08:45 +0200,
Jia-Ju Bai wrote:
Thanks for the reply :)
On 2018/10/3 23:54, Takashi Iwai wrote:
On Wed, 03 Oct 2018 14:50:25 +0200,
Jia-Ju Bai wrote:
CPU0:
snd_trident_hw_free
snd_trident_free_voice
line
On 2018/9/17 9:03, Lee Jones wrote:
On Sat, 15 Sep 2018, Jia-Ju Bai wrote:
The driver may sleep in an interrupt handler.
The function call paths (from bottom to top) in Linux-4.17 are:
[FUNC] mutex_lock_nested
drivers/mfd/ezx-pcap.c, 272:
mutex_lock_nested in pcap_adc_irq (interrupt
ot correct, because it is dangerous to return directly.
I think you should return an error and then implement error handling
code for these functions.
Best wishes,
Jia-Ju Bai
it_rd0_ring() is called by vnt_start().
You should also implement error handling code in vnt_start(), and let
vnt_start() returns an error number too.
The same for device_init_rd1_ring(), device_init_td0_ring() and
device_init_td1_ring().
Best wishes,
Jia-Ju Bai
uot;macroKeyEvents[macro]" is executed.
To fix these possible bugs, macro is checked before being used.
Signed-off-by: Jia-Ju Bai
---
drivers/input/tablet/aiptek.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aipt
ow when the code "av7110->ci_slot[data[0]]" is used.
To fix this possible bug, data[0] is assigned to a local variable, which
replaces the use of data[0].
Signed-off-by: Jia-Ju Bai
---
drivers/media/pci/ttpci/av7110.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --
skb->data[3] is assigned to a local variable before
DMA mapping, and then the driver accesses this local variable instead of
skb->data[3].
Signed-off-by: Jia-Ju Bai
---
drivers/atm/eni.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/atm/eni.c b/drivers/atm/en
s problem, the calculation result of skb->data is stored in a
local variable before DMA mapping, and then the driver accesses this
local variable instead of skb->data.
Signed-off-by: Jia-Ju Bai
---
drivers/atm/idt77252.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --
e.
To fix this problem, dma_map_single() is called after these accesses.
Signed-off-by: Jia-Ju Bai
---
drivers/net/vmxnet3/vmxnet3_drv.c | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c
b/drivers/net/vmxnet3/vmxnet3_drv.c
index ca3
->data_p = 0;
These accesses may cause data inconsistency between CPU cache and hardware.
I am not sure how to properly fix this problem, and thus I only report it.
Best wishes,
Jia-Ju Bai
hardware.
To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
a local variable before DMA mapping, and then the driver accesses this
local variable instead of skb->data.
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/intersil/p54/p54pci.c | 4 +++-
1 file
to properly fix this problem, and thus I only report it.
Best wishes,
Jia-Ju Bai
h as:
bufl->bufers[y].len = sg->length;
bufl->num_bufs = sg_nctr;
bufers = buflout->bufers;
buflout->num_bufs = sg_nctr;
These accesses may cause data inconsistency between CPU cache and hardware.
I am not sure how to properly fix this problem, and thus I only report it.
Best wishes,
Jia-Ju Bai
d hardware.
I am not sure how to properly fix this problem, and thus I only report it.
Best wishes,
Jia-Ju Bai
fer overflow.
To fix this problem, "fsc->command" is assigned to a local variable, and
then this local variable is used to replace "fsc->command".
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/esas2r/esas2r_flash.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions
p" can be
modified to cause buffer overflow when the driver accesses
"vfdi_ops[req->op]".
To fix this problem, "req->op" is assigned to a local variable, and then
the driver accesses this variable instead of "req->op".
Signed-off-by: Jia-Ju Bai
---
dri
On 2020/8/3 9:12, Zhou Wang wrote:
On 2020/8/2 22:52, Jia-Ju Bai wrote:
In qm_qp_ctx_cfg(), "sqc" and "aeqc" are mapped to streaming DMA:
eqc_dma = dma_map_single(..., eqc, ...);
..
aeqc_dma = dma_map_single(..., aeqc, ...);
Only sqc, cqc will be configu
On 2020/8/2 23:47, James Bottomley wrote:
On Sun, 2020-08-02 at 23:21 +0800, Jia-Ju Bai wrote:
Because "fs" is mapped to DMA, its data can be modified at anytime by
malicious or malfunctioning hardware. In this case, the check
"if (fsc->command >= cmdcnt)" ca
On 2021/3/23 19:35, Greg KH wrote:
On Sun, Mar 07, 2021 at 12:49:15AM -0800, Jia-Ju Bai wrote:
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.
Reported-by: TOTE Robot
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
v2:
* Fix a mistake in the report.
Thank Greg for good advice
On 2021/3/23 21:57, Greg KH wrote:
On Fri, Mar 05, 2021 at 02:24:05AM -0800, Jia-Ju Bai wrote:
When device_create_file() fails and returns a non-zero value,
no error return code of driver_sysfs_add() is assigned.
To fix this bug, ret is assigned with the return value of
device_create_file
When device_create_file() fails and returns a non-zero value,
no error return code of driver_sysfs_add() is assigned.
To fix this bug, ret is assigned with the return value of
device_create_file(), and then ret is checked.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
v2:
* Fix a
When input_register_device() fails, no error return code is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/hid/hid-alps.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hid/hid-alps.c b
When omap4iss_get() returns NULL, no error return code is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/staging/media/omap4iss/iss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff
When mlx5_is_fpga_lookaside() returns a non-zero value, no error
return code is assigned.
To fix this bug, err is assigned with -EINVAL as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c | 4 +++-
1 file changed, 3
When dma_mapping_error() returns an error, no error return code of
sun8i_ce_prng_generate() is assigned.
To fix this bug, err is assigned with -EFAULT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 +
1 file
When bdx_read_mac() fails, no error return code of bdx_probe()
is assigned.
To fix this bug, err is assigned with -EFAULT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/tehuti/tehuti.c | 1 +
1 file changed, 1 insertion(+)
diff --git a
When mspro_block_init_card() fails, no error return code of
mspro_block_resume() is assigned.
To fix this bug, rc is assigned with the return value of
mspro_block_init_card(), and then rc is checked.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/memstick/core/mspro_block.c
My static analysis tool reports that no error return code is assigned in
error handling code of msb_resume().
However, many other drivers assign error return code in xxx_resume(),
such as sky2_resume() and e1000_resume().
I wonder whether this is intentional?
Best wishes,
Jia-Ju Bai
When bch_bio_alloc_pages() fails, no error return code of
cached_dev_cache_miss() is assigned.
To fix this bug, ret is assigned with -ENOMEN as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/md/bcache/request.c | 4 +++-
1 file changed, 3 insertions(+), 1
When iavf_process_config() fails, no error return code of
iavf_init_get_resources() is assigned.
To fix this bug, err is assigned with the return value of
iavf_process_config(), and then err is checked.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/net/ethernet/intel/iavf
When __v4l2_ctrl_modify_range() fails, no error return code of
imx274_s_frame_interval() is assigned.
To fix this bug, ret is assigned with the return valye of
__v4l2_ctrl_modify_range(), and then ret is checked.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/media/i2c/imx274.c
When check_fwfile_format() fails, no error return code of
if_usb_prog_firmware() is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/net/wireless/marvell/libertas_tf/if_usb.c | 4 +++-
1 file changed, 3
When dma_set_mask() or pci_iomap() fails, no error return code of
wd719x_pci_probe() is assigned.
To fix this bug, err is assigned with -EIO as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/wd719x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a
When bitmap_empty() or feature->feature_num triggers an error,
no error return code of smu_v11_0_set_allowed_mask() is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/gpu/drm/amd/pm/swsmu/sm
Hi Coly,
Thanks a lot for your detailed explanation :)
Best wishes,
Jia-Ju Bai
On 2021/3/5 12:05, Coly Li wrote:
On 3/5/21 10:46 AM, Jia-Ju Bai wrote:
When bch_bio_alloc_pages() fails, no error return code of
cached_dev_cache_miss() is assigned.
To fix this bug, ret is assigned with -ENOMEN
When np is NULL or of_parse_phandle() returns NULL, no error return code
of ufshcd_populate_vreg() is assigned.
To fix this bug, ret is assigned with -EINVAL or -ENOENT as error return
code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/ufs/ufshcd-pltfrm.c | 2 ++
1 file
Robot
Signed-off-by: Jia-Ju Bai
---
net/xdp/xsk.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 4faabd1ecfd1..f1c1db07dd07 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -484,8 +484,14 @@ static int xsk_generic_xmit(struct sock
When the list of reloc_roots is empty, no error return code of
btrfs_recover_relocation() is assigned.
To fix this bug, err is assigned with -ENOENT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
fs/btrfs/relocation.c | 4 +++-
1 file changed, 3 insertions(+), 1
When the list of xdev->notifier.asd_list is empty, no error return code
of xvip_graph_init() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/media/platform/xilinx/xilinx-vipp.c | 1 +
1 file chan
When the list of head is empty, no error return code of
ufshcd_init_clocks() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/ufs/ufshcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion
When the list of clk_list is empty, no error return code of
ufshcd_devfreq_target() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.
Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai
---
drivers/scsi/ufs/ufshcd.c | 1 +
1 file changed, 1 insertion(+)
diff --git
201 - 300 of 755 matches
Mail list logo
