On 1/25/22 01:45, Zhou Qingyang wrote: > In __pata_platform_probe(), devm_kzalloc() is assigned to ap->ops and > there is a dereference of it right after that, which could introduce a > NULL pointer dereference bug. > > Fix this by adding a NULL check of ap->ops. > > This bug was found by a static analyzer. > > Builds with 'make allyesconfig' show no new warnings, > and our static analyzer no longer warns about this code. > > Fixes: f3d5e4f18dba ("ata: pata_of_platform: Allow to use 16-bit wide data transfer") > Signed-off-by: Zhou Qingyang <zhou1615@xxxxxxx> > --- > The analysis employs differential checking to identify inconsistent > security operations (e.g., checks or kfrees) between two code paths > and confirms that the inconsistent operations are not recovered in the > current function or the callers, so they constitute bugs. > > Note that, as a bug found by static analysis, it can be a false > positive or hard to trigger. Multiple researchers have cross-reviewed > the bug. See below. Reviewing the fix would be good too :) > > drivers/ata/pata_platform.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/ata/pata_platform.c b/drivers/ata/pata_platform.c > index 028329428b75..021ef9cbcbc1 100644 > --- a/drivers/ata/pata_platform.c > +++ b/drivers/ata/pata_platform.c > @@ -128,6 +128,8 @@ int __pata_platform_probe(struct device *dev, struct resource *io_res, > ap = host->ports[0]; > > ap->ops = devm_kzalloc(dev, sizeof(*ap->ops), GFP_KERNEL); > + if (ap->ops) This of course should be "if (!ap->ops)", obviously... I fixed that when applying. > + return -ENOMEM; > ap->ops->inherits = &ata_sff_port_ops; > ap->ops->cable_detect = ata_cable_unknown; > ap->ops->set_mode = pata_platform_set_mode; -- Damien Le Moal Western Digital Research