Hello, I tried another script for the semantic patch language out. This source code analysis approach points out that the implementation of the function “iwl_req_fw_callback” contains still an unchecked call of the function “kmemdup”. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/intel/iwlwifi/iwl-drv.c?id=1c0cc5f1ae5ee5a6913704c0d75a6e99604ee30a#n1454 https://elixir.bootlin.com/linux/v5.4-rc2/source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c#L1454 Can it be that just an other data structure member should be used for the desired null pointer check at this place? Regards, Markus
On Sat, 2019-10-12 at 19:26 +0200, Markus Elfring wrote:
> Hello,
>
> I tried another script for the semantic patch language out.
> This source code analysis approach points out that the implementation
> of the function “iwl_req_fw_callback” contains still an unchecked call
> of the function “kmemdup”.
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/intel/iwlwifi/iwl-drv.c?id=1c0cc5f1ae5ee5a6913704c0d75a6e99604ee30a#n1454
> https://elixir.bootlin.com/linux/v5.4-rc2/source/drivers/net/wireless/intel/iwlwifi/iwl-drv.c#L1454
>
> Can it be that just an other data structure member should be used
> for the desired null pointer check at this place?
Hi Markus,
Sorry for the delay in replying to this.
I've checked this now and you are right. We are checking the element
in the array that contains the length of the allocation we requested
instead of checking the pointer returned by kmemdup(). This was
probably a typo.
I have fixed this in our internal tree and it will reach the mainline
following our normal upstreaming process.
Thanks for reporting!
--
Cheers,
Luca.