On Mon, Mar 10, 2025 at 08:54:54AM +0100, Philipp Stanner wrote:
> > >
> > >     626                 return;
> > >     627
> > >     628         legacy_iomap_table = (void __iomem **)pcim_iomap_table(pdev);
> > >     629         if (!legacy_iomap_table)
> > >     630                 return;
> > >     631
> > > --> 632         legacy_iomap_table[bar] = NULL;
> > >                 ^^^^^^^^^^^^^^^^^^^^^^^
> > > Leading to a buffer overflow.
> >
> > Leading to a *potential* buffer overflow.
>

Smatch is doing cross function analysis in this case. Smatch knows that
pcim_iounmap_regions() is fine but the bug is when this is called from
pcim_iomap_regions().

drivers/pci/devres.c | pcim_iounmap_regions | pcim_remove_bar_from_legacy_table | PARAM_VALUE | 1 | bar | 0-5
drivers/pci/devres.c | pcim_iomap_regions | pcim_remove_bar_from_legacy_table | PARAM_VALUE | 1 | bar | 0-15

But, that raises a different question because you would expect the map
and unmap functions to loop over the same bars.

regards,
dan carpenter
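
An added example, not part of this mail or of the kernel source: a userspace C model of what the two Smatch rows describe, one callee reached with bar in 0-5 from one caller and 0-15 from another. The six-slot table, the guard word, the bitmask walk and every function name are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define LEGACY_TABLE_SLOTS 6            /* assumption: slots for bars 0-5 only */
#define GUARD_VALUE 0xdeadbeefUL

/* The guard word stands in for whatever lives next to the table in memory. */
static struct {
	void *table[LEGACY_TABLE_SLOTS];
	unsigned long guard;
} state = { .guard = GUARD_VALUE };

/* Hardened callee: rejects an index the table cannot hold instead of
 * trusting every caller's range. Returns 0 on success, -1 if rejected. */
static int remove_bar_checked(int bar)
{
	if (bar < 0 || bar >= LEGACY_TABLE_SLOTS)
		return -1;
	state.table[bar] = NULL;
	return 0;
}

/* Caller model: walks bars [0, limit) selected by mask and returns how
 * many calls the callee had to reject. */
static int unmap_masked(unsigned int mask, int limit)
{
	int bar, rejected = 0;

	for (bar = 0; bar < limit; bar++) {
		if (!(mask & (1u << bar)))
			continue;
		if (remove_bar_checked(bar) < 0)
			rejected++;
	}
	return rejected;
}

int main(void)
{
	/* Constructed masks: every bar in each caller's range is selected. */
	printf("caller with bar 0-5:  %d rejected\n", unmap_masked(0x3f, 6));
	printf("caller with bar 0-15: %d rejected\n", unmap_masked(0xffff, 16));
	printf("guard intact: %s\n", state.guard == GUARD_VALUE ? "yes" : "no");
	return 0;
}
```

Without the range check in the callee, the second caller's indexes 6-15 would write past the table, which is the condition the warning at line 632 points at.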