Bug 106201

Summary: there exists a wrong return value of function eni_do_init() when ioremap_nocache() fails
Product: Drivers Reporter: RUC_Soft_Sec (rucsoftsec)
Component: OtherAssignee: drivers_other
Status: NEW ---    
Severity: normal    
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.2 Subsystem:
Regression: No Bisected commit-id:

Description RUC_Soft_Sec 2015-10-19 08:11:52 UTC 
In function eni_do_init() at drivers/atm/eni.c:1700, the call to ioremap_nocache() in line 1726 may fail, and thus function eni_do_init() will return the value of variable 'error'. And, the function eni_do_init() will return 0 at last when it runs well. However, when the call to pci_write_config_word() in line 1717 succeeds, the value of 'error' is 0. So the function eni_do_init() will return 0 to its caller functions when it runs error because of the failing call to ioremap_nocache() in line 1726, leading to a wrong return value in function eni_do_init().
The related code snippets in eni_do_init are as following.
eni_do_init@@drivers/atm/eni.c:1700
1700 static int eni_do_init(struct atm_dev *dev)
1701 {
			......
1717         if ((error = pci_write_config_word(pci_dev,PCI_COMMAND,
1718             PCI_COMMAND_MEMORY |
1719             (eni_dev->asic ? PCI_COMMAND_PARITY | PCI_COMMAND_SERR : 0)))) {
1720                 printk(KERN_ERR DEV_LABEL "(itf %d): can't enable memory "
1721                     "(0x%02x)\n",dev->number,error);
1722                 return -EIO;
1723         }
1724         printk(KERN_NOTICE DEV_LABEL "(itf %d): rev.%d,base=0x%lx,irq=%d,",
1725             dev->number,pci_dev->revision,real_base,eni_dev->irq);
1726         if (!(base = ioremap_nocache(real_base,MAP_MAX_SIZE))) {   //error = 0
1727                 printk("\n");
1728                 printk(KERN_ERR DEV_LABEL "(itf %d): can't set up page "
1729                     "mapping\n",dev->number);
1730                 return error;
1731         }
			......
1792 }



Generally, the return value of caller functions which call function ioremap_nocache() shall be set to a negative number when the call to ioremap_nocache() fails, like the following codes in another file.
pmc_setup_dev @@arch/x86/kernel/pmc_atom.c:296
296 static int pmc_setup_dev(struct pci_dev *pdev)
297 {
            ......
312         pmc->regmap = ioremap_nocache(pmc->base_addr, PMC_MMIO_REG_LEN);
313         if (!pmc->regmap) {
314                 dev_err(&pdev->dev, "error: ioremap failed\n");
315                 return -ENOMEM;
316         }
            ......
327 }

Thank you

RUC_Soft_Sec