2022-01-07 11:50:25

by Jiasheng Jiang

[permalink] [raw]
Subject: [PATCH v3] ide: Check for null pointer after calling devm_ioremap

In linux-stable-5.15.13, this file has been removed and combined
to `drivers/ata/pata_platform.c` without this bug.
But in the older LTS kernels, like 5.10.90, this bug still exists.
As the possible failure of the devres_alloc(), the devm_ioremap() and
devm_ioport_map() may return NULL pointer.
And then, the 'base' and 'alt_base' are used in plat_ide_setup_ports().
Therefore, it should be better to add the check in order to avoid the
dereference of the NULL pointer.
Actually, it introduced the bug from commit 8cb1f567f4c0
("ide: Platform IDE driver") and we can know from the commit message
that it tended to be similar to the `drivers/ata/pata_platform.c`.
But actually, even the first time pata_platform was built,
commit a20c9e820864 ("[PATCH] ata: Generic platform_device libata driver"),
there was no the bug, as there was a check after the ioremap().
So possibly the bug was caused by ide itself.

Fixes: 8cb1f567f4c0 ("ide: Platform IDE driver")
Cc: [email protected]#5.10.90
Signed-off-by: Jiasheng Jiang <[email protected]>
---
Changelog

v2 -> v3

* Change 1. Correct the fixes tag and commit message.
* Change 2. Correct the code.
---
drivers/ide/ide_platform.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/ide/ide_platform.c b/drivers/ide/ide_platform.c
index 91639fd6c276..5500c5afb3ca 100644
--- a/drivers/ide/ide_platform.c
+++ b/drivers/ide/ide_platform.c
@@ -85,6 +85,10 @@ static int plat_ide_probe(struct platform_device *pdev)
alt_base = devm_ioport_map(&pdev->dev,
res_alt->start, resource_size(res_alt));
}
+ if (!base || !alt_base) {
+ ret = -ENOMEM;
+ goto out;
+ }

memset(&hw, 0, sizeof(hw));
plat_ide_setup_ports(&hw, base, alt_base, pdata, res_irq->start);
--
2.25.1



2022-01-07 12:07:47

by Damien Le Moal

[permalink] [raw]
Subject: Re: [PATCH v3] ide: Check for null pointer after calling devm_ioremap

On 1/7/22 20:50, Jiasheng Jiang wrote:
> In linux-stable-5.15.13, this file has been removed and combined
> to `drivers/ata/pata_platform.c` without this bug.
> But in the older LTS kernels, like 5.10.90, this bug still exists.
> As the possible failure of the devres_alloc(), the devm_ioremap() and
> devm_ioport_map() may return NULL pointer.
> And then, the 'base' and 'alt_base' are used in plat_ide_setup_ports().
> Therefore, it should be better to add the check in order to avoid the
> dereference of the NULL pointer.
> Actually, it introduced the bug from commit 8cb1f567f4c0
> ("ide: Platform IDE driver") and we can know from the commit message
> that it tended to be similar to the `drivers/ata/pata_platform.c`.
> But actually, even the first time pata_platform was built,
> commit a20c9e820864 ("[PATCH] ata: Generic platform_device libata driver"),
> there was no the bug, as there was a check after the ioremap().
> So possibly the bug was caused by ide itself.
>
> Fixes: 8cb1f567f4c0 ("ide: Platform IDE driver")
> Cc: [email protected]#5.10.90

This should be:

Cc: [email protected] #5.10

(no release number specified)

> Signed-off-by: Jiasheng Jiang <[email protected]>
> ---
> Changelog
>
> v2 -> v3
>
> * Change 1. Correct the fixes tag and commit message.
> * Change 2. Correct the code.

What exactly was corrected should be the change log.
And please keep the history for all versions of the patch (keep v1 -> v2
changes listed here).

> ---
> drivers/ide/ide_platform.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/ide/ide_platform.c b/drivers/ide/ide_platform.c
> index 91639fd6c276..5500c5afb3ca 100644
> --- a/drivers/ide/ide_platform.c
> +++ b/drivers/ide/ide_platform.c
> @@ -85,6 +85,10 @@ static int plat_ide_probe(struct platform_device *pdev)
> alt_base = devm_ioport_map(&pdev->dev,
> res_alt->start, resource_size(res_alt));
> }
> + if (!base || !alt_base) {
> + ret = -ENOMEM;
> + goto out;
> + }
>
> memset(&hw, 0, sizeof(hw));
> plat_ide_setup_ports(&hw, base, alt_base, pdata, res_irq->start);


--
Damien Le Moal
Western Digital Research