From: Dan Carpenter <dan.carpenter@oracle.com>
To: tiwai@suse.de
Cc: alsa-devel@alsa-project.org
Subject: ALSA: tons of false positives because of snd_ctl_find_id()
Date: Fri, 2 Feb 2018 11:29:03 +0300
Message-ID: <20180202082903.GA11023@mwanda>

Hello Takashi Iwai,

The patch 72cbfd45fac6: "ALSA: ice1724 - Add ESI Maya44 support" from
May 6, 2009, leads to the following static checker warning:

        sound/pci/ice1712/maya44.c:204 maya_vol_put()
        error: buffer overflow 'chip->wm' 2 <= u32max.

sound/pci/ice1712/maya44.c
   199  static int maya_vol_put(struct snd_kcontrol *kcontrol,
   200                          struct snd_ctl_elem_value *ucontrol)
   201  {
   202          struct snd_maya44 *chip = snd_kcontrol_chip(kcontrol);
   203          struct snd_wm8776 *wm =
   204                  &chip->wm[snd_ctl_get_ioff(kcontrol, &ucontrol->id)];
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is a false positive obviously, but this code is crazy hard for
static analysis to parse.

snd_ctl_find_id() in sound/core/control.c
   682  /**
   683   * snd_ctl_find_id - find the control instance with the given id
   684   * @card: the card instance
   685   * @id: the id to search
   686   *
   687   * Finds the control instance with the given id from the card.
   688   *
   689   * The caller must down card->controls_rwsem before calling this function
   690   * (if the race condition can happen).
   691   *
   692   * Return: The pointer of the instance if found, or %NULL if not.
   693   *
   694   */
   695  struct snd_kcontrol *snd_ctl_find_id(struct snd_card *card,
   696                                       struct snd_ctl_elem_id *id)
   697  {
   698          struct snd_kcontrol *kctl;
   699
   700          if (snd_BUG_ON(!card || !id))
   701                  return NULL;
   702          if (id->numid != 0)
   703                  return snd_ctl_find_numid(card, id->numid);
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On this path, we don't check id->index.  Which is fine because we don't
use it.  It would really make my life simpler if we could set the
unchecked fields to zero.  How Smatch works is that we merge all the
success paths together so it would either be zero or checked which is
easy to deal with.  In the current code it's either checked or
unchecked which is just unchecked when you merge the success paths
together.

I can probably figure out other ways to deal with this if that's not a
good idea.

   704          list_for_each_entry(kctl, &card->controls, list) {
   705                  if (kctl->id.iface != id->iface)
   706                          continue;
   707                  if (kctl->id.device != id->device)
   708                          continue;
   709                  if (kctl->id.subdevice != id->subdevice)
   710                          continue;
   711                  if (strncmp(kctl->id.name, id->name, sizeof(kctl->id.name)))
   712                          continue;
   713                  if (kctl->id.index > id->index)
   714                          continue;
   715                  if (kctl->id.index + kctl->count <= id->index)
   716                          continue;
   717                  return kctl;
   718          }
   719          return NULL;
   720  }
   721  EXPORT_SYMBOL(snd_ctl_find_id);

regards,
dan carpenter
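
A userspace model of the two success paths described in the message, added here as an illustration; it is not code from the kernel or from the original message. The structures are trimmed-down stand-ins (iface/device/subdevice are omitted), the names model_find_id and model_ioff are hypothetical, and the offset rule in model_ioff is an assumption about how a caller picks the field the lookup validated.

```c
#include <stddef.h>
#include <string.h>

/* Simplified, constructed stand-ins for the kernel structures. */
struct elem_id { unsigned int numid, index; char name[16]; };
struct kctl { struct elem_id id; unsigned int count; };

/* Constructed sample card: one control covering index 0..1 and numid 5..6. */
static struct kctl controls[] = {
	{ { 5, 0, "Vol" }, 2 },
};
#define NCTL (sizeof(controls) / sizeof(controls[0]))

/* Model of the lookup quoted above: two distinct success paths. */
static struct kctl *model_find_id(const struct elem_id *id)
{
	size_t i;

	for (i = 0; i < NCTL; i++) {
		struct kctl *k = &controls[i];

		if (id->numid != 0) {
			/* numid path: id->index is never examined here */
			if (id->numid - k->id.numid < k->count)
				return k;
			continue;
		}
		if (strncmp(k->id.name, id->name, sizeof(k->id.name)))
			continue;
		if (k->id.index > id->index)
			continue;
		if (k->id.index + k->count <= id->index)
			continue;
		return k;	/* index path: id->index is range-checked */
	}
	return NULL;
}

/*
 * Assumed offset rule (not shown on the page): use whichever field the
 * lookup validated, so the result stays below k->count on both paths.
 */
static unsigned int model_ioff(const struct kctl *k, const struct elem_id *id)
{
	return id->numid ? id->numid - k->id.numid : id->index - k->id.index;
}
```

A lookup by numid succeeds even when id->index holds an arbitrary value, which is the "unchecked" state a checker sees once it merges both success paths, yet the offset actually used stays in range.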