Bug 9567

Summary: NULL pointer dereference on file drivers/video/w100fb.c
Product: Drivers
Component: Video(Other)
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.23
Regression: ---
Reporter: Marcio Buss (marciobuss)
Assignee: Jeff Zhou (xinzhou.sjtu)
CC: akpm
Subsystem:
Bisected commit-id:

Description Marcio Buss 2007-12-14 15:38:20 UTC
On file /drivers/video/w100fb.c there is a null pointer dereference.
There are many paths to the error. One example path is as follows:

(1) The condition at line 643 is true
(2) the statement "goto out" at line 644 is then executed, making
    the program jump to line 767
(3) the expression fb_dealloc_cmap(&info->cmap) takes place with a
    null pointer "info".

Another path, which makes the error even more apparent, is:

(1) The condition at line 671, "if (!info)" is true
(2) the statement "goto out" at line 673 is executed
(3) the program jumps to line 767, and the same error occurs.
Comment 1 Jeff Zhou 2007-12-16 07:08:17 UTC
well, I think it's quite obvious that the NULL pointer check is forgotten,
and during the driver test, the routine where the 'info' allocation fails
hasn't been tested.

+ line 767, the original source:
out:
	fb_dealloc_cmap(&info->cmap);	/* info may still be NULL on the goto-out paths */
	kfree(info->pseudo_palette);
	if (remapped_fbuf != NULL)
		iounmap(remapped_fbuf);
	if (remapped_regs != NULL)
		iounmap(remapped_regs);
	if (remapped_base != NULL)
		iounmap(remapped_base);
	if (info)
		framebuffer_release(info);
	return err;
}


The release process mainly concerns
1) unmapping the fbuf, registers and memory base
2) freeing the info struct.

And these two have no relation to each other,
so I think it's better if we change the code like this:

+ line 767, the modified source:
out:
	if (remapped_fbuf != NULL)
		iounmap(remapped_fbuf);
	if (remapped_regs != NULL)
		iounmap(remapped_regs);
	if (remapped_base != NULL)
		iounmap(remapped_base);

	if (info) {	/* everything that dereferences info sits under one NULL check */

		fb_dealloc_cmap(&info->cmap);
		kfree(info->pseudo_palette);

		framebuffer_release(info);
	}

	return err;
}
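As an added example (not code from the bug report or from the w100fb driver), the following stand-alone C model mirrors the probe's allocation sequence and the cleanup ordering proposed in Comment 1, injecting a failure at each allocation step so every goto-out path can be checked for NULL-safety and for leaks; model_probe, mock_alloc, mock_free, model_leaks and the step numbers are hypothetical.

```c
/* Added example, not the driver's code: model of the w100fb "out:" cleanup
 * with failure injection; names such as model_probe are hypothetical. */
#include <errno.h>
#include <stdlib.h>

struct fb_info { void *cmap; void *pseudo_palette; }; /* what cleanup touches */
static int live_allocs;  /* outstanding allocations, for leak checks */

static void *mock_alloc(size_t n, int step, int fail_step)
{
    if (step == fail_step) return NULL;  /* inject failure at this step */
    live_allocs++;
    return calloc(1, n);
}
static void mock_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Probe-like sequence: three remaps, then info and its sub-allocations.
 * fail_step picks the allocation that fails (0 = all succeed). */
int model_probe(int fail_step)
{
    void *remapped_base = NULL, *remapped_regs = NULL, *remapped_fbuf = NULL;
    struct fb_info *info = NULL;
    int err = 0;
    remapped_base = mock_alloc(16, 1, fail_step);        /* ioremap */
    if (!remapped_base) { err = -ENOMEM; goto out; }
    remapped_regs = mock_alloc(16, 2, fail_step);
    if (!remapped_regs) { err = -ENOMEM; goto out; }
    remapped_fbuf = mock_alloc(16, 3, fail_step);
    if (!remapped_fbuf) { err = -ENOMEM; goto out; }
    info = mock_alloc(sizeof *info, 4, fail_step);       /* framebuffer_alloc */
    if (!info) { err = -ENOMEM; goto out; }
    info->pseudo_palette = mock_alloc(64, 5, fail_step); /* kmalloc */
    if (!info->pseudo_palette) { err = -ENOMEM; goto out; }
    info->cmap = mock_alloc(32, 6, fail_step);           /* fb_alloc_cmap */
    if (!info->cmap) { err = -ENOMEM; goto out; }
    return 0;  /* success: resources stay live, as in the real probe */
out:
    /* Comment 1's ordering: the unmaps do not depend on info, and
     * everything that dereferences info sits under a single NULL check. */
    mock_free(remapped_fbuf);
    mock_free(remapped_regs);
    mock_free(remapped_base);
    if (info) {
        mock_free(info->cmap);            /* fb_dealloc_cmap */
        mock_free(info->pseudo_palette);  /* kfree */
        mock_free(info);                  /* framebuffer_release */
    }
    return err;
}
int model_leaks(void) { return live_allocs; }  /* 0 after any failed probe */
```

Failing at step 4 exercises the exact path from the report (info is NULL at out:), and the leak counter returning to zero on every failed step shows that reordering the cleanup loses nothing.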
Comment 2 Andrew Morton 2008-01-18 14:01:53 UTC
Please propose a patch and mail it to myself and linux-fbdev-devel@lists.sourceforge.net, thanks.
Comment 3 Andrew Morton 2008-04-15 21:42:58 UTC
I queued a fix, thanks.