Bug 13853

Summary: found a possible null pointer dereference in file ariadne.c
Product: Drivers Reporter: Martin Ettl (ettl.martin)
Component: Network    Assignee: drivers_network (drivers_network)
Status: CLOSED CODE_FIX
Severity: normal    CC: alan, crindy646
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.30    Subsystem:
Regression: No    Bisected commit-id:
Attachments: A proposed patch generated automatically by tool R2Fix

Description Martin Ettl 2009-07-27 13:12:51 UTC
Hello,

I have checked the sources of the Linux kernel with the static code analysis tool cppcheck. It found an issue in file linux-2.6.30/drivers/net/ariadne.c at line 424.

Take a look at the code:

static irqreturn_t ariadne_interrupt(int irq, void *data)
{
    struct net_device *dev = (struct net_device *)data;
    volatile struct Am79C960 *lance = (struct Am79C960*)dev->base_addr;
    struct ariadne_private *priv;
    int csr0, boguscnt;
    int handled = 0;

    if (dev == NULL) {
	printk(KERN_WARNING "ariadne_interrupt(): irq for unknown device.\n");
	return IRQ_NONE;
    }

....

As you can see, the if (dev == NULL) statement is AFTER the first usage of dev.

Restructuring the code may help here:
static irqreturn_t ariadne_interrupt(int irq, void *data)
{
    struct net_device *dev = (struct net_device *)data;
    if (dev == NULL) {
	printk(KERN_WARNING "ariadne_interrupt(): irq for unknown device.\n");
	return IRQ_NONE;
    }
    volatile struct Am79C960 *lance = (struct Am79C960*)dev->base_addr;
    struct ariadne_private *priv;
    int csr0, boguscnt;
    int handled = 0;

....

Best regards

Ettl Martin
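The finding above is the classic "dereference before NULL check" pattern that static analysers flag. The following scanner is an added example written for this page; it is neither cppcheck's algorithm nor anything from the bug report or the kernel tree. It is a deliberately small line-based heuristic: it assumes a function definition starts at column 0 and ends with a "}" at column 0, it only recognises "p->member" as a dereference (a bare "*p" is ambiguous with declarations) and only "if (!p)", "if (p == NULL)" and "if (NULL == p)" as NULL tests. The two sample inputs are the buggy prologue quoted in the report and the restructured version proposed in the same report, embedded as constructed strings.

```python
"""Toy 'dereference before NULL check' scanner (added example, not cppcheck)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the ariadne_interrupt() prologue as quoted in the bug
# report (dev is dereferenced on the 'lance' line, NULL-checked only afterwards).
BUGGY = """\
static irqreturn_t ariadne_interrupt(int irq, void *data)
{
    struct net_device *dev = (struct net_device *)data;
    volatile struct Am79C960 *lance = (struct Am79C960*)dev->base_addr;
    struct ariadne_private *priv;
    int csr0, boguscnt;
    int handled = 0;

    if (dev == NULL) {
        printk(KERN_WARNING "ariadne_interrupt(): irq for unknown device.\\n");
        return IRQ_NONE;
    }
}
"""

# Constructed sample input: the restructured version proposed in the report.
FIXED = """\
static irqreturn_t ariadne_interrupt(int irq, void *data)
{
    struct net_device *dev = (struct net_device *)data;
    if (dev == NULL) {
        printk(KERN_WARNING "ariadne_interrupt(): irq for unknown device.\\n");
        return IRQ_NONE;
    }
    volatile struct Am79C960 *lance = (struct Am79C960*)dev->base_addr;
    struct ariadne_private *priv;
    int csr0, boguscnt;
    int handled = 0;
}
"""

# A function definition at column 0: "<type words> name(params)", optionally ending in "{".
FUNC_RE = re.compile(r'^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;]*\)\s*\{?\s*$')
# Only "p->member" counts as a dereference here; "*p" is ambiguous with declarations.
DEREF_RE = re.compile(r'\b([A-Za-z_]\w*)\s*->')
# Recognised NULL tests: if (!p), if (p == NULL), if (NULL == p).
NULL_CHECK_RE = re.compile(
    r'\bif\s*\(\s*(?:!\s*(\w+)|(\w+)\s*==\s*NULL|NULL\s*==\s*(\w+))\s*\)')


@dataclass
class Finding:
    function: str
    pointer: str
    deref_line: int   # first line that dereferences the pointer
    check_line: int   # later line that tests it for NULL


def find_deref_before_null_check(source: str) -> list[Finding]:
    """Return one Finding per pointer that is used via '->' and only then NULL-checked
    within the same top-level function (a line-based heuristic, not a real C parser)."""
    findings: list[Finding] = []
    function = "<file scope>"
    first_deref: dict[str, int] = {}   # pointer name -> line of its first '->' use
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "/*")):
            continue                                   # skip obvious comment lines
        if line.startswith("}"):                       # closing brace of a function body
            function, first_deref = "<file scope>", {}
            continue
        m = FUNC_RE.match(line)
        if m:                                          # new function: forget earlier state
            function, first_deref = m.group(1), {}
            continue
        for m in DEREF_RE.finditer(line):
            first_deref.setdefault(m.group(1), lineno)
        m = NULL_CHECK_RE.search(line)
        if m:
            name = m.group(1) or m.group(2) or m.group(3)
            if name in first_deref:                    # checked only after being used
                findings.append(Finding(function, name, first_deref[name], lineno))
    return findings


if __name__ == "__main__":
    for label, src in (("buggy", BUGGY), ("fixed", FIXED)):
        hits = find_deref_before_null_check(src)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.function}: '{f.pointer}' dereferenced on line {f.deref_line}, "
                  f"NULL-checked on line {f.check_line}")
```

Run against the buggy prologue the scanner reports dev dereferenced on line 4 and checked on line 9; against the restructured version it reports nothing, because the check now precedes the first use. The ordering is the whole point: a NULL test that comes after the dereference cannot protect anything, since the fault (or, in a kernel interrupt handler, the oops) has already happened on the earlier line.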
Comment 1 jinqiu 2011-02-25 02:21:20 UTC
Created attachment 48962
A proposed patch generated automatically by tool R2Fix

Fix the bug by moving the dereference of pointer "dev" after the NULL check.
This patch was generated automatically by the tool R2Fix.
Comment 2 Martin Ettl 2011-02-25 09:16:32 UTC
Thanks for the fix!
What is this tool R2Fix? What does it do? 
Many thanks in advance.

Martin
Comment 3 jinqiu 2011-03-02 18:02:28 UTC
R2Fix is our current project.
The goal of R2Fix is to generate patches automatically from initial bug reports.
Hope that it would help developers save their time.
And this is one of the patches R2Fix generated based on open bug reports.
Thanks. : )

Jinqiu
(In reply to comment #2)
> Thanks for the fix!
> What is this tool R2Fix? What does it do? 
> Many thanks in advance.
> 
> Martin
Comment 4 jinqiu 2012-03-06 23:22:32 UTC
This bug has been fixed and committed in git.
commit id: 75c0fd93c7d42362134e74fd381072a7642fcc3d