[BUG] net: 3com: 3c59x: Possible null-pointer dereferences caused by Compaq PCI BIOS32 problem

Next message: kernel test robot: "[tip:master] BUILD SUCCESS 528296f905ad05866e35c895ef685dccbf80c761"
Previous message: Frode Nordahl: "[PATCH] erspan: Initialize options_len before referencing options."
Next in thread: Andrew Lunn: "Re: [BUG] net: 3com: 3c59x: Possible null-pointer dereferences caused by Compaq PCI BIOS32 problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tuo Li

Date: Fri Dec 12 2025 - 02:52:15 EST

Hi,

I found a few potential null-pointer dereferences in vortex_probe1() in
Linux 6.18.

IIn this function, gendev is checked at lines 1109 and 1173, which
indicates that it may be NULL. However, it is later passed directly to
dma_alloc_coherent() at line 1211:

vp->rx_ring = dma_alloc_coherent(gendev, ...)

This can lead to some null-pointer dereferences. Here is an example
calling context:

dma_alloc_coherent(gendev, ...)
dma_alloc_attrs(dev, ...)
get_dma_ops(dev);
if (dev->dma_ops) // dereferenced here
WARN_ON_ONCE(!dev->coherent_dma_mask); // dereferenced here

Similarly, pdev is checked by an if statement at line 1466, but is then
used unconditionally when freeing DMA memory at line 1476:

dma_free_coherent(&pdev->dev, ...)

It looks like these issues stem from the call at line 987 used as a
workaround for the Compaq PCI BIOS32 problem:

vortex_eisa_init(void)
/* Special code to work-around the Compaq PCI BIOS32 problem. */
if (compaq_ioaddr) {
vortex_probe1(NULL, ioport_map(compaq_ioaddr, VORTEX_TOTAL_SIZE),
compaq_irq, compaq_device_id, vortex_cards_found++);
}

This passes a NULL gendev into vortex_probe1().

I am not fully sure whether these paths are reachable in practice and how
to fix it. Any feedback would be appreciated.

Sincerely,
Tuo Li