Re: [PATCH 4.4 28/31] video: hgafb: fix potential NULL pointer dereference

From: Pavel Machek
Date: Tue May 25 2021 - 16:47:08 EST

Next message: Srinivas Pandruvada: "[PATCH 0/2] thermal: int340x: processor_thermal: Add new PCI MMIO based thermal driver"
Previous message: Sargun Dhillon: "Re: [PATCH v2 2/4] seccomp: Refactor notification handler to prepare for new semantics"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 28/31] video: hgafb: fix potential NULL pointer dereference"
Next in thread: Igor Torrente: "Re: [PATCH 4.4 28/31] video: hgafb: fix potential NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

> From: Igor Matheus Andrade Torrente <igormtorrente@xxxxxxxxx>
>
> commit dc13cac4862cc68ec74348a80b6942532b7735fa upstream.
>
> The return of ioremap if not checked, and can lead to a NULL to be
> assigned to hga_vram. Potentially leading to a NULL pointer
> dereference.
>
> The fix adds code to deal with this case in the error label and
> changes how the hgafb_probe handles the return of hga_card_detect.

This will break hgafb completely, right? And crash system without hga
card as a bonus.

> +++ b/drivers/video/fbdev/hgafb.c
> @@ -285,6 +285,8 @@ static int hga_card_detect(void)
> hga_vram_len = 0x08000;
>
> hga_vram = ioremap(0xb0000, hga_vram_len);
> + if (!hga_vram)
> + return -ENOMEM;
>
> if (request_region(0x3b0, 12, "hgafb"))
> release_io_ports = 1;
> @@ -344,13 +346,18 @@ static int hga_card_detect(void)
> hga_type_name = "Hercules";
> break;
> }
> - return 1;
> + return 0;

Ok, so calling convention is now "0 means detected".

> @@ -548,13 +555,11 @@ static struct fb_ops hgafb_ops = {
> static int hgafb_probe(struct platform_device *pdev)
> {
> struct fb_info *info;
> + int ret;
...
> + ret = hga_card_detect();
> + if (!ret)
> + return ret;
>
> printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",
> hga_type_name, hga_vram_len/1024);
>

If the card is detected, 0 is returned, !0 is true, and we abort
detection....

Pavel

Signed-off-by: Pavel Machek <pavel@xxxxxxx>

diff --git a/drivers/video/fbdev/hgafb.c b/drivers/video/fbdev/hgafb.c
index c35f217db53f..d6a95ea49c64 100644
--- a/drivers/video/fbdev/hgafb.c
+++ b/drivers/video/fbdev/hgafb.c
@@ -282,7 +282,7 @@ static int hga_card_detect(void)
void __iomem *p, *q;
unsigned short p_save, q_save;

- hga_vram_len = 0x08000;
+ hga_vram_len = 0x08000;

hga_vram = ioremap(0xb0000, hga_vram_len);
if (!hga_vram)
@@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_device *pdev)
int ret;

ret = hga_card_detect();
- if (!ret)
+ if (ret)
return ret;

printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Attachment: signature.asc
Description: PGP signature

Next message: Srinivas Pandruvada: "[PATCH 0/2] thermal: int340x: processor_thermal: Add new PCI MMIO based thermal driver"
Previous message: Sargun Dhillon: "Re: [PATCH v2 2/4] seccomp: Refactor notification handler to prepare for new semantics"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 28/31] video: hgafb: fix potential NULL pointer dereference"
Next in thread: Igor Torrente: "Re: [PATCH 4.4 28/31] video: hgafb: fix potential NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]