Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1689748pxj; Wed, 19 May 2021 11:31:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx/WaUqbq3q2Zg1aLsLdZqydZUC40v88gf0jSUZ+/E6VSG3VvJDDL0QfhjUtI8ZhSP3x7fY X-Received: by 2002:a17:906:5285:: with SMTP id c5mr510507ejm.282.1621449117178; Wed, 19 May 2021 11:31:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621449117; cv=none; d=google.com; s=arc-20160816; b=YV0U3G4Wf2KCT/f/JmyHryWuubbBVzmsFdXyA6OuWBYtQhJdyo3bjOfVVqiIlj9F7n bo3I2wv/v0cCQ3rR+085Z1EDJfKm+4YN+vGorWP6IJgK9JQofATGOjgLhfC/R9Mc1fAq eT/yaqL/myvf2pUqIPo/iEO2E89XGb6PjrxGC0tT2DfEoCyhBbRkjAvlYeE2y/2UwruX n2xga3m6yVFNlWt0MRJ3c9luevv6Piqbo/nGBXXSGn6izDoxVSwaE47bEF3uPZ2/wj5Q u048vLBHEsuz24qEygRY5bMrmCwYMA3WPU58ywo/Mv/tkiqMQm8efR6j24vySw0GyRh5 6Smw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=CXi9ZJTQ7L7FSHgEGdvSYj+oXb2IqANDPyavbrcuBn4=; b=uRyY3FUDX0CJ6zEEA87vr0NXsIlta6UjFRinSYVnGJIdMmGob8X/LFRJlYa7qnlww6 07jVLvB55/o3LMlgfQND5icNH54fFd8h/21ZLzaeIP4saVa8NMh3cX0qXa9rSnbqXpt1 L5hJXJAwtpKwhA7rfxHncnotprYbPrJ+Ovh29NIgEUwXNkn+p5kvImgGPjPOJ+hqcqyn i3sw9+scHD7JtY7SHShX9744vqfhVaNZ5CQ5+XxGe9N7OtgPrH0UxWjD2jC4xgHXJomj /iRH9A7VaU2FA/PLVRH/kIyWkQs6zhCwfM+kDohKtUPU+XKmr3a/P2UtZRa3UeIgEvw8 3tXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=E3AGjHlT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jg13si502512ejc.288.2021.05.19.11.31.31; Wed, 19 May 2021 11:31:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=E3AGjHlT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351816AbhERTYr (ORCPT + 99 others); Tue, 18 May 2021 15:24:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37452 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351817AbhERTY1 (ORCPT ); Tue, 18 May 2021 15:24:27 -0400 Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 09D6FC061760 for ; Tue, 18 May 2021 12:23:09 -0700 (PDT) Received: by mail-il1-x130.google.com with SMTP id j30so10121403ila.5 for ; Tue, 18 May 2021 12:23:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CXi9ZJTQ7L7FSHgEGdvSYj+oXb2IqANDPyavbrcuBn4=; b=E3AGjHlTYVk7+nTSuYrNsectzZCPRKmUEnWS96aPpztrVrJlWneXFE+XFLJ1VNLUfC aMfrnR7HCcW33p6XEaTVTZhd5cSLZL96EdwyIF/9tTmKrywDDNL46dzlUwl0mk5CsX7E DcErxGTiPwnpLdOTcZdFpOoMJ6M6o2QWdvSGZeW3qeSg6vUJYcCsGN3N+41wj/CS9V1Q JadECSjVTJli/NAxJz2H67r2Y39ygVHZSijyjghCz9DYFJ+QnhFNLq/teYKQMvFFmEWW WNK7ywVnwY3UuSao5HRkSQeU8VrQKG4CWf/hRzuuFWOWqEXlocJBdo4l1e6y2FWhB3A8 KU+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CXi9ZJTQ7L7FSHgEGdvSYj+oXb2IqANDPyavbrcuBn4=; b=Wk4BjtAW+aCvJ+lujXfAC1EHWPnYAYBuQZNMT0a/MfgKAnp6WYiI+89USopKFwPNeY A1zHcgMv1Jf2I3FgtV3T7CnkhOtBD/ZwzkWesJwch4GRwn5Ld5sDWWkJa0z/QPAbWnRT O/r7tFeGMiyVdEUi/o25JdNj+Hb52JNVdSLwKhXKUjeBpHw0MzMtRwjfHULk43AspRnX pzYTfipZRHbfKpiIcluhSawGzzGemKSVSEjUhgqHAaADRQpi4AyxJoL5WKODMHwBBoqU eFdYYimkwAEhJiaTrpp8OsGJ5BlqgCxJo3pXqgzTBl7vcKw3qbii2A9y9Fp5LO+DJFrN Fk2g== X-Gm-Message-State: AOAM532QY7g2FK+wDklvdlAe+h1toxEn38HI7QGdJlrLcPmiBTloXvV9 5BKWv5XQXxLd3w1H60zh0dlXPMsq6OCbQeh8mbnjhiwMnRteefJU X-Received: by 2002:a92:4446:: with SMTP id a6mr6088757ilm.9.1621365788410; Tue, 18 May 2021 12:23:08 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Tong Zhang Date: Tue, 18 May 2021 12:22:57 -0700 Message-ID: Subject: Re: misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge To: Colin Ian King Cc: Greg Kroah-Hartman , Arnd Bergmann , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 18, 2021 at 11:32 AM Colin Ian King wrote: > > Hi, > > Static analysis on linux-next with Coverity has detected an issue in > drivers/misc/cardreader/alcor_pci.c in function > alcor_pci_init_check_aspm with the following commit: > > commit 3ce3e45cc333da707d4d6eb433574b990bcc26f5 > Author: Tong Zhang > Date: Thu May 13 00:07:33 2021 -0400 > > misc: alcor_pci: fix null-ptr-deref when there is no PCI bridge > > The analysis is as follows: > > 135 static void alcor_pci_init_check_aspm(struct alcor_pci_priv *priv) > 136 { > 137 struct pci_dev *pci; > 138 int where; > 139 u32 val32; > 140 > 141 priv->pdev_cap_off = alcor_pci_find_cap_offset(priv, > priv->pdev); > 142 /* > 143 * A device might be attached to root complex directly and > 144 * priv->parent_pdev will be NULL. In this case we don't > check its > 145 * capability and disable ASPM completely. > 146 */ > > 1. Condition !priv->parent_pdev, taking true branch. > 2. var_compare_op: Comparing priv->parent_pdev to null implies that > priv->parent_pdev might be null. > > 147 if (!priv->parent_pdev) > > Dereference after null check (FORWARD_NULL) > 3. var_deref_model: Passing null pointer priv->parent_pdev to > alcor_pci_find_cap_offset, which dereferences it. > > 148 priv->parent_cap_off = alcor_pci_find_cap_offset(priv, > 149 > priv->parent_pdev); > > When !priv->parent_pdev is true, then priv->parent_pdev is NULL and > hence the call to alcor_pci_find_cap_offset() is dereferencing a null > pointer in the priv->parent_pdev argument. > > I suspect the logic in the if statement is inverted, the ! should be > removed. This seems too trivial to be wrong. Maybe I'm missing something > deeper. Hi Colin, Thanks for pointing that out. You are right. I made a terrible mistake here while refactoring the patch. :'( I think I need to get away from this thing for a while and have some rest. - Tong > > Colin >