In function tmiofb_probe() at drivers/video/tmiofb.c:680, the calls to platform_get_resource() at lines 684, 685 and 686 may return a NULL pointer, so the variables ccr, lcr and vram may be NULL. An invalid memory access may therefore be triggered when vram is dereferenced at line 721, as vram is never checked against NULL. The same applies to lcr at line 725 and to ccr at line 731. The related code snippets in tmiofb_probe() are as follows.

tmiofb_probe() @@drivers/video/tmiofb.c:684
    684     struct resource *ccr = platform_get_resource(dev, IORESOURCE_MEM, 1);
    685     struct resource *lcr = platform_get_resource(dev, IORESOURCE_MEM, 0);
    686     struct resource *vram = platform_get_resource(dev, IORESOURCE_MEM, 2);
    ...
    721     info->fix.smem_start = vram->start;
    ...
    725     info->fix.mmio_start = lcr->start;
    ...
    731     par->ccr = ioremap(ccr->start, resource_size(ccr));
    732     if (!par->ccr) {
    733             retval = -ENOMEM;
    734             goto err_ioremap_ccr;
    735     }

Generally, the return value shall be checked against NULL before it is used, like the following code from drivers/video/sm501fb.c.

sm501fb_start() @@drivers/video/sm501fb.c:1533
    1533    res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
    1534    if (res == NULL) {
    1535            dev_err(dev, "no resource definition for registers\n");
    1536            ret = -ENOENT;
    1537            goto err_release;
    1538    }
    1539
    1540    info->regs_res = request_mem_region(res->start,
    1541                                        resource_size(res),
    1542                                        pdev->name);

Thank you
RUC_Soft_Sec
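As an added illustration of the check the report asks for (not the kernel source and not the merged patch), here is a constructed user-space model: struct resource, struct platform_device and platform_get_resource() are stand-ins for the kernel types, and tmiofb_probe_model() is a hypothetical function that refuses to probe when any of the three memory resources is absent instead of dereferencing NULL.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model (not the kernel source or the merged patch):
 * a fake resource table plus a platform_get_resource() look-alike. */
#define IORESOURCE_MEM 0x200  /* same flag value as linux/ioport.h */
struct resource { unsigned long start, end, flags; };
struct platform_device { const struct resource *res; int num_res; };

/* Returns the num-th resource of the given type, or NULL if absent. */
static const struct resource *platform_get_resource(
        const struct platform_device *dev, unsigned long type, int num)
{
    for (int i = 0; i < dev->num_res; i++)
        if (dev->res[i].flags == type && num-- == 0)
            return &dev->res[i];
    return NULL;
}

/* Hardened version of the lookup: all three resources are checked before
 * any dereference, following the sm501fb_start() pattern in the report. */
int tmiofb_probe_model(const struct platform_device *dev,
                       unsigned long *vram_start, unsigned long *lcr_start)
{
    const struct resource *ccr  = platform_get_resource(dev, IORESOURCE_MEM, 1);
    const struct resource *lcr  = platform_get_resource(dev, IORESOURCE_MEM, 0);
    const struct resource *vram = platform_get_resource(dev, IORESOURCE_MEM, 2);

    if (!ccr || !lcr || !vram) {
        fprintf(stderr, "tmiofb: missing memory resource definition\n");
        return -ENOENT;           /* fail the probe instead of faulting */
    }
    *vram_start = vram->start;    /* original line 721 dereferenced unchecked */
    *lcr_start  = lcr->start;     /* original line 725 */
    return 0;                     /* ccr would be ioremap()ed here (line 731) */
}

/* Constructed sample devices: a complete one and one with no vram entry. */
static const struct resource sample_res[] = {
    { 0x1000, 0x1fff, IORESOURCE_MEM }, { 0x2000, 0x2fff, IORESOURCE_MEM },
    { 0x3000, 0x3fff, IORESOURCE_MEM },
};
const struct platform_device sample_dev_ok      = { sample_res, 3 };
const struct platform_device sample_dev_no_vram = { sample_res, 2 };
int main(void)
{
    unsigned long v, l;
    printf("ok=%d\n", tmiofb_probe_model(&sample_dev_ok, &v, &l));
    printf("no_vram=%d\n", tmiofb_probe_model(&sample_dev_no_vram, &v, &l));
    return 0;
}
```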
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you
RUC_Soft_Sec
It's kind of a bug, but it could only occur if the in-kernel device create for the node was broken too. So not really a bug proper.
A patch referencing this bug report has been merged in Linux v3.7-rc1:

commit 40dc23aa82d51147a24f659a7c006ae4bb14009a
Author: Alan Cox <alan@linux.intel.com>
Date:   Tue Jul 24 13:43:48 2012 +0100

    tmiofb: missing NULL pointer checks