From: Jiasheng Jiang
Sent: 07 January 2022 09:12
In linux-stable-5.15.13, this file has been removed and combined to `drivers/ata/pata_platform.c` without this bug. But in the older LTS kernels, like 5.10.90, this bug still exists. As the possible failure of the devres_alloc(), the devm_ioremap() and devm_ioport_map() may return NULL pointer. And then, the 'base' and 'alt_base' are used in plat_ide_setup_ports(). Therefore, it should be better to add the check in order to avoid the dereference of the NULL pointer. Actually, it introduced the bug from commit 8cb1f567f4c0 ("ide: Platform IDE driver") and we can know from the commit message that it tended to be similar to the `drivers/ata/pata_platform.c`. But actually, even the first time pata_platform was built, commit a20c9e820864 ("[PATCH] ata: Generic platform_device libata driver"), there was no the bug, as there was a check after the ioremap(). So possibly the bug was caused by ide itself.
Fixes: 8cb1f567f4c0 ("ide: Platform IDE driver") Cc: stable@vger.kernel.org#5.10.90 Signed-off-by: Jiasheng Jiang jiasheng@iscas.ac.cn
Changelog
v1 -> v2
- Change 1. Correct the fixes tag and commit message.
drivers/ide/ide_platform.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/ide/ide_platform.c b/drivers/ide/ide_platform.c index 91639fd6c276..5500c5afb3ca 100644 --- a/drivers/ide/ide_platform.c +++ b/drivers/ide/ide_platform.c @@ -85,6 +85,10 @@ static int plat_ide_probe(struct platform_device *pdev) alt_base = devm_ioport_map(&pdev->dev, res_alt->start, resource_size(res_alt)); }
- if (!base || !!alt_base) {
ret = -ENOMEM;goto out;- }
That !!alt_base doesn't look right. Without looking at the rest of the code maybe: if (!base && !alt_base) may be correct.
It also rather makes me wonder about the actual failure return value. If devm_ioport_map() returns a 'port number' for inb()/outb() then zero is technically a valid value!
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)