From: Colin Ian King
To: Sean Wang
Cc: Lorenzo Bianconi, Soul Huang, Sean Wang, Felix Fietkau, Lorenzo Bianconi, "linux-kernel@vger.kernel.org", "linux-wireless@vger.kernel.org", "netdev@vger.kernel.org", "moderated list:ARM/Mediatek SoC support"
Subject: re: mt76: mt7921: add MCU support
Date: Wed, 10 Feb 2021 16:03:11 +0000
Message-ID: <57068965-649f-ef8e-0dd2-9d25b8bec1c7@canonical.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi,

Static analysis with Coverity on linux-next has found an issue with the
following commit:

commit 1c099ab44727c8e42fe4de4d91b53cec3ef02860
Author: Sean Wang
Date:   Thu Jan 28 03:33:39 2021 +0800

    mt76: mt7921: add MCU support

The analysis is as follows:

390 static void
391 mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb,
392                           u16 wlan_idx)
393 {
394         struct mt7921_mcu_wlan_info_event *wtbl_info =
395                 (struct mt7921_mcu_wlan_info_event *)(skb->data);
396         struct rate_info rate = {};
397         u8 curr_idx = wtbl_info->rate_info.rate_idx;
398         u16 curr = le16_to_cpu(wtbl_info->rate_info.rate[curr_idx]);
399         struct mt7921_mcu_peer_cap peer = wtbl_info->peer_cap;
400         struct mt76_phy *mphy = &dev->mphy;

   1. var_decl: Declaring variable stats without initializer.

401         struct mt7921_sta_stats *stats;
402         struct mt7921_sta *msta;
403         struct mt76_wcid *wcid;
404

   2. Condition wlan_idx >= 288, taking false branch.

405         if (wlan_idx >= MT76_N_WCIDS)
406                 return;

   3. Condition 0 /* !((((sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (char) || sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (short)) || sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (int)) || sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (long)) || sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (long long)) */, taking false branch.
   4. Condition debug_lockdep_rcu_enabled(), taking true branch.
   5. Condition !__warned, taking true branch.
   6. Condition 0, taking false branch.
   7. Condition rcu_read_lock_held(), taking false branch.

407         wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);

   8. Condition !wcid, taking true branch.

408         if (!wcid) {

Uninitialized pointer write (UNINIT)
   9. uninit_use: Using uninitialized value stats.

409                 stats->tx_rate = rate;
410                 return;
411         }

Line 409 dereferences pointer stats, however, this pointer has not yet
been initialized. The initialization occurs later:

413         msta = container_of(wcid, struct mt7921_sta, wcid);
414         stats = &msta->stats;

Colin
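
Added example (not part of the message above, and not the driver's code or the fix applied upstream): a user-space model of the reported control flow in which stats is assigned only after the wcid NULL check, so no path writes through it uninitialized. The struct layouts, the name tx_rate_report, the N_WCIDS macro and the return codes are simplified assumptions; 288 is the bound shown in Coverity step 2.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the kernel types named in the report (assumptions). */
#define N_WCIDS 288                     /* bound shown in Coverity step 2 */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct rate_info { uint16_t mcs; };
struct wcid      { uint16_t idx; };
struct sta_stats { struct rate_info tx_rate; };
struct sta       { struct wcid wcid; struct sta_stats stats; };
struct dev       { struct wcid *wcid[N_WCIDS]; };

/*
 * Returns 0 when the rate was recorded, -1 when the index is out of range
 * or no station is registered at that index. stats is derived from wcid
 * only after wcid is known to be non-NULL; the early-return branch does
 * not touch it.
 */
int tx_rate_report(struct dev *dev, uint16_t wlan_idx, struct rate_info rate)
{
    struct sta_stats *stats;
    struct sta *msta;
    struct wcid *wcid;

    if (wlan_idx >= N_WCIDS)
        return -1;

    wcid = dev->wcid[wlan_idx];
    if (!wcid)
        return -1;      /* no station: nothing to update, no write via stats */

    msta = container_of(wcid, struct sta, wcid);
    stats = &msta->stats;
    stats->tx_rate = rate;
    return 0;
}
```
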