Commit 21e7b2c4d59e5d6631b25e71e777cb0160997d6a
Committed by
Martin Schwidefsky
Martin Schwidefsky
1 parent
33b1d09ef3
Exists in
master
and in
7 other branches
[S390] drivers/s390/crypto: Move dereference to after IS_ERR test
If reply is ERR_PTR(...), then it should not be dereferenced, so I have
moved the dereference from the declaration to after the IS_ERR test.
The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@match exists@
expression x, E;
identifier fld;
position p1,p2;
@@
(
x = E;
|
x = E
|
x@p1->fld
... when != x = E
IS_ERR(x@p2)
... when any
)
@other_match exists@
expression match.x, E1, E2;
position match.p1,match.p2;
@@
x = E1
... when != x = E2
when != x@p1
x@p2
@ script:python depends on !other_match@
p1 << match.p1;
p2 << match.p2;
@@
print "* file %s dereference %s test %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Showing 4 changed files with 28 additions and 12 deletions Side-by-side Diff
drivers/s390/crypto/zcrypt_cex2a.c
| ... | ... | @@ -264,17 +264,21 @@ |
| 264 | 264 | .type = TYPE82_RSP_CODE, |
| 265 | 265 | .reply_code = REP82_ERROR_MACHINE_FAILURE, |
| 266 | 266 | }; |
| 267 | - struct type80_hdr *t80h = reply->message; | |
| 267 | + struct type80_hdr *t80h; | |
| 268 | 268 | int length; |
| 269 | 269 | |
| 270 | 270 | /* Copy the reply message to the request message buffer. */ |
| 271 | - if (IS_ERR(reply)) | |
| 271 | + if (IS_ERR(reply)) { | |
| 272 | 272 | memcpy(msg->message, &error_reply, sizeof(error_reply)); |
| 273 | - else if (t80h->type == TYPE80_RSP_CODE) { | |
| 273 | + goto out; | |
| 274 | + } | |
| 275 | + t80h = reply->message; | |
| 276 | + if (t80h->type == TYPE80_RSP_CODE) { | |
| 274 | 277 | length = min(CEX2A_MAX_RESPONSE_SIZE, (int) t80h->len); |
| 275 | 278 | memcpy(msg->message, reply->message, length); |
| 276 | 279 | } else |
| 277 | 280 | memcpy(msg->message, reply->message, sizeof error_reply); |
| 281 | +out: | |
| 278 | 282 | complete((struct completion *) msg->private); |
| 279 | 283 | } |
| 280 | 284 |
drivers/s390/crypto/zcrypt_pcica.c
| ... | ... | @@ -247,17 +247,21 @@ |
| 247 | 247 | .type = TYPE82_RSP_CODE, |
| 248 | 248 | .reply_code = REP82_ERROR_MACHINE_FAILURE, |
| 249 | 249 | }; |
| 250 | - struct type84_hdr *t84h = reply->message; | |
| 250 | + struct type84_hdr *t84h; | |
| 251 | 251 | int length; |
| 252 | 252 | |
| 253 | 253 | /* Copy the reply message to the request message buffer. */ |
| 254 | - if (IS_ERR(reply)) | |
| 254 | + if (IS_ERR(reply)) { | |
| 255 | 255 | memcpy(msg->message, &error_reply, sizeof(error_reply)); |
| 256 | - else if (t84h->code == TYPE84_RSP_CODE) { | |
| 256 | + goto out; | |
| 257 | + } | |
| 258 | + t84h = reply->message; | |
| 259 | + if (t84h->code == TYPE84_RSP_CODE) { | |
| 257 | 260 | length = min(PCICA_MAX_RESPONSE_SIZE, (int) t84h->len); |
| 258 | 261 | memcpy(msg->message, reply->message, length); |
| 259 | 262 | } else |
| 260 | 263 | memcpy(msg->message, reply->message, sizeof error_reply); |
| 264 | +out: | |
| 261 | 265 | complete((struct completion *) msg->private); |
| 262 | 266 | } |
| 263 | 267 |
drivers/s390/crypto/zcrypt_pcicc.c
| ... | ... | @@ -447,19 +447,23 @@ |
| 447 | 447 | .type = TYPE82_RSP_CODE, |
| 448 | 448 | .reply_code = REP82_ERROR_MACHINE_FAILURE, |
| 449 | 449 | }; |
| 450 | - struct type86_reply *t86r = reply->message; | |
| 450 | + struct type86_reply *t86r; | |
| 451 | 451 | int length; |
| 452 | 452 | |
| 453 | 453 | /* Copy the reply message to the request message buffer. */ |
| 454 | - if (IS_ERR(reply)) | |
| 454 | + if (IS_ERR(reply)) { | |
| 455 | 455 | memcpy(msg->message, &error_reply, sizeof(error_reply)); |
| 456 | - else if (t86r->hdr.type == TYPE86_RSP_CODE && | |
| 456 | + goto out; | |
| 457 | + } | |
| 458 | + t86r = reply->message; | |
| 459 | + if (t86r->hdr.type == TYPE86_RSP_CODE && | |
| 457 | 460 | t86r->cprb.cprb_ver_id == 0x01) { |
| 458 | 461 | length = sizeof(struct type86_reply) + t86r->length - 2; |
| 459 | 462 | length = min(PCICC_MAX_RESPONSE_SIZE, length); |
| 460 | 463 | memcpy(msg->message, reply->message, length); |
| 461 | 464 | } else |
| 462 | 465 | memcpy(msg->message, reply->message, sizeof error_reply); |
| 466 | +out: | |
| 463 | 467 | complete((struct completion *) msg->private); |
| 464 | 468 | } |
| 465 | 469 |
drivers/s390/crypto/zcrypt_pcixcc.c
| ... | ... | @@ -635,13 +635,16 @@ |
| 635 | 635 | }; |
| 636 | 636 | struct response_type *resp_type = |
| 637 | 637 | (struct response_type *) msg->private; |
| 638 | - struct type86x_reply *t86r = reply->message; | |
| 638 | + struct type86x_reply *t86r; | |
| 639 | 639 | int length; |
| 640 | 640 | |
| 641 | 641 | /* Copy the reply message to the request message buffer. */ |
| 642 | - if (IS_ERR(reply)) | |
| 642 | + if (IS_ERR(reply)) { | |
| 643 | 643 | memcpy(msg->message, &error_reply, sizeof(error_reply)); |
| 644 | - else if (t86r->hdr.type == TYPE86_RSP_CODE && | |
| 644 | + goto out; | |
| 645 | + } | |
| 646 | + t86r = reply->message; | |
| 647 | + if (t86r->hdr.type == TYPE86_RSP_CODE && | |
| 645 | 648 | t86r->cprbx.cprb_ver_id == 0x02) { |
| 646 | 649 | switch (resp_type->type) { |
| 647 | 650 | case PCIXCC_RESPONSE_TYPE_ICA: |
| ... | ... | @@ -660,6 +663,7 @@ |
| 660 | 663 | } |
| 661 | 664 | } else |
| 662 | 665 | memcpy(msg->message, reply->message, sizeof error_reply); |
| 666 | +out: | |
| 663 | 667 | complete(&(resp_type->work)); |
| 664 | 668 | } |
| 665 | 669 |