On Sep 25 Alexey Khoroshilov wrote:
> There is no check if ioremap_nocache() returns a valid pointer.
> Potentially it can lead to null pointer dereference.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <khoroshi...@ispras.ru>
> ---
> drivers/firewire/nosy.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
> index 631c977b0da5..f68a749f740b 100644
> --- a/drivers/firewire/nosy.c
> +++ b/drivers/firewire/nosy.c
> @@ -566,6 +566,11 @@ add_card(struct pci_dev *dev, const struct pci_device_id
> *unused)
>
> lynx->registers = ioremap_nocache(pci_resource_start(dev, 0),
> PCILYNX_MAX_REGISTER);
> + if (lynx->registers == NULL) {
> + dev_err(&dev->dev, "Failed to map registers\n");
> + ret = -ENOMEM;
> + goto fail_deallocate2;
> + }
>
> lynx->rcv_start_pcl = pci_alloc_consistent(lynx->pci_device,
> sizeof(struct pcl), &lynx->rcv_start_pcl_bus);
> @@ -679,6 +684,8 @@ fail_deallocate:
> pci_free_consistent(lynx->pci_device, PAGE_SIZE,
> lynx->rcv_buffer, lynx->rcv_buffer_bus);
> iounmap(lynx->registers);
> +
> +fail_deallocate2:
> kfree(lynx);
>
> fail_disable:
Thanks. Committed to linux1394.git.
I folded the following cosmetic change into the commit:
--- a/drivers/firewire/nosy.c
+++ b/drivers/firewire/nosy.c
@@ -569,7 +569,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id
*unused)
if (lynx->registers == NULL) {
dev_err(&dev->dev, "Failed to map registers\n");
ret = -ENOMEM;
- goto fail_deallocate2;
+ goto fail_deallocate_lynx;
}
lynx->rcv_start_pcl = pci_alloc_consistent(lynx->pci_device,
@@ -583,7 +583,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id
*unused)
lynx->rcv_buffer == NULL) {
dev_err(&dev->dev, "Failed to allocate receive buffer\n");
ret = -ENOMEM;
- goto fail_deallocate;
+ goto fail_deallocate_buffers;
}
lynx->rcv_start_pcl->next = cpu_to_le32(lynx->rcv_pcl_bus);
lynx->rcv_pcl->next = cpu_to_le32(PCL_NEXT_INVALID);
@@ -646,7 +646,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id
*unused)
dev_err(&dev->dev,
"Failed to allocate shared interrupt %d\n", dev->irq);
ret = -EIO;
- goto fail_deallocate;
+ goto fail_deallocate_buffers;
}
lynx->misc.parent = &dev->dev;
@@ -673,7 +673,7 @@ fail_free_irq:
reg_write(lynx, PCI_INT_ENABLE, 0);
free_irq(lynx->pci_device->irq, lynx);
-fail_deallocate:
+fail_deallocate_buffers:
if (lynx->rcv_start_pcl)
pci_free_consistent(lynx->pci_device, sizeof(struct pcl),
lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
@@ -685,7 +685,7 @@ fail_deallocate:
lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
-fail_deallocate2:
+fail_deallocate_lynx:
kfree(lynx);
fail_disable:
--
Stefan Richter
-======----- =-=- -=--=
http://arcgraph.de/sr/
