| Message ID | 3f1e7aaa-501a-44f1-8122-28e9efa0a33c@web.de (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [RESEND] video: au1100fb: Move a variable assignment behind a null pointer check in au1100fb_setmode() | expand |
Hello, On Sun, Mar 02, 2025 at 07:02:12PM +0100, Markus Elfring wrote: > From: Markus Elfring <elfring@users.sourceforge.net> > Date: Thu, 13 Apr 2023 21:35:36 +0200 > > The address of a data structure member was determined before > a corresponding null pointer check in the implementation of > the function “au1100fb_setmode”. > > Thus avoid the risk for undefined behaviour by moving the assignment > for the variable “info” behind the null pointer check. > > This issue was detected by using the Coccinelle software. > > Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Should also get Cc: stable@vger.kernel.org to ensure this is backported to stable. Best regards Uwe
On Mon, Mar 03, 2025 at 10:19:06AM +0100, Uwe Kleine-König wrote: > Hello, > > On Sun, Mar 02, 2025 at 07:02:12PM +0100, Markus Elfring wrote: > > From: Markus Elfring <elfring@users.sourceforge.net> > > Date: Thu, 13 Apr 2023 21:35:36 +0200 > > > > The address of a data structure member was determined before > > a corresponding null pointer check in the implementation of > > the function “au1100fb_setmode”. > > > > Thus avoid the risk for undefined behaviour by moving the assignment > > for the variable “info” behind the null pointer check. > > > > This issue was detected by using the Coccinelle software. > > > > Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") > > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> > > Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> > > Should also get > > Cc: stable@vger.kernel.org > > to ensure this is backported to stable. It's not a bugfix, it's a cleanup. That's not a dereference, it's just pointer math. It shouldn't have a Fixes tag. Real bugs where we dereference a pointer and then check for NULL don't last long in the kernel. Most of the stuff Markus is sending is false positives like this. regards, dan carpenter
On Mon, Mar 03, 2025 at 01:08:29PM +0300, Dan Carpenter wrote: > Real bugs where we dereference a pointer and then check for NULL don't > last long in the kernel. Most of the stuff Markus is sending is false > positives like this. Maybe I was too optimistic. Here are the Smatch warnings from the Friday's linux-next. Common false positives are that the pointer can sometimes be NULL but there are other ways to determine without checking explicitly. For example, maybe the caller passes a flag which means it's non-NULL. regards, dan carpenter arch/arm64/kvm/../../../virt/kvm/kvm_main.c:1639 kvm_prepare_memory_region() warn: variable dereferenced before check 'new' (see line 1622) arch/x86/kernel/fpu/xstate.c:1567 fpstate_realloc() warn: variable dereferenced before check 'curfps' (see line 1546) arch/x86/kvm/../../../virt/kvm/kvm_main.c:1639 kvm_prepare_memory_region() warn: variable dereferenced before check 'new' (see line 1622) drivers/base/dd.c:696 really_probe() warn: variable dereferenced before check 'dev->bus' (see line 640) drivers/base/dd.c:720 really_probe() warn: variable dereferenced before check 'dev->bus' (see line 640) drivers/block/drbd/drbd_worker.c:588 make_resync_request() warn: variable dereferenced before check 'peer_device' (see line 587) drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:12341 parse_edid_displayid_vrr() warn: variable dereferenced before check 'edid_ext' (see line 12337) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn21/rn_clk_mgr.c:775 rn_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 743) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn301/vg_clk_mgr.c:734 vg_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 720) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn314/dcn314_clk_mgr.c:899 dcn314_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 838) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn315/dcn315_clk_mgr.c:715 dcn315_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 654) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn316/dcn316_clk_mgr.c:655 dcn316_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 634) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c:789 dcn31_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 728) drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c:1380 dcn35_clk_mgr_construct() warn: variable dereferenced before check 'ctx->dc_bios->integrated_info' (see line 1307) drivers/gpu/drm/i915/gem/i915_gem_shmem.c:174 shmem_sg_alloc_table() warn: variable dereferenced before check 'sg' (see line 163) drivers/gpu/drm/i915/gt/gen6_ppgtt.c:274 gen6_ppgtt_cleanup() warn: variable dereferenced before check 'ppgtt->base.pd' (see line 271) drivers/gpu/drm/i915/gt/intel_execlists_submission.c:3649 rcu_virtual_context_destroy() warn: variable dereferenced before check 've->base.sched_engine' (see line 3623) drivers/gpu/drm/nouveau/nouveau_dp.c:494 nouveau_dp_irq() warn: variable dereferenced before check 'outp' (see line 489) drivers/hid/hid-debug.c:3727 hid_debug_events_read() warn: variable dereferenced before check 'list->hdev' (see line 3713) drivers/net/ethernet/amd/pcnet32.c:1923 pcnet32_probe1() warn: variable dereferenced before check 'pdev' (see line 1843) drivers/net/ethernet/apm/xgene/xgene_enet_main.c:267 xgene_enet_tx_completion() warn: variable dereferenced before check 'skb' (see line 243) drivers/net/ethernet/natsemi/ns83820.c:884 rx_irq() warn: variable dereferenced before check 'skb' (see line 883) drivers/net/ethernet/pensando/ionic/ionic_txrx.c:205 ionic_rx_build_skb() warn: variable dereferenced before check 'buf_info->page' (see line 188) drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c:1236 iwl_setup_interface() warn: variable dereferenced before check 'priv->lib->bt_params' (see line 1229) drivers/net/wireless/intel/iwlwifi/dvm/main.c:1114 iwl_init_drv() warn: variable dereferenced before check 'priv->lib->bt_params' (see line 1109) drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c:307 mt76_connac2_mac_tx_rate_val() warn: variable dereferenced before check 'conf' (see line 300) drivers/net/wireless/mediatek/mt76/mt7925/mac.c:851 mt7925_tx_check_aggr() warn: variable dereferenced before check 'sta' (see line 847) drivers/nvme/host/ioctl.c:173 nvme_map_user_request() warn: variable dereferenced before check 'bio' (see line 162) drivers/platform/mellanox/mlxreg-lc.c:903 mlxreg_lc_probe() warn: variable dereferenced before check 'data->notifier' (see line 828) drivers/scsi/aacraid/commsup.c:2344 aac_command_thread() warn: variable dereferenced before check 'dev->queues' (see line 2332) drivers/scsi/aic7xxx/aic79xx_osm.c:1837 ahd_done() warn: variable dereferenced before check 'cmd' (see line 1793) drivers/scsi/csiostor/csio_mb.c:932 csio_fcoe_vnp_alloc_init_mb() warn: variable dereferenced before check 'vnport_wwnn' (see line 929) drivers/scsi/ips.c:2560 ips_next() warn: variable dereferenced before check 'scb->scsi_cmd' (see line 2554) drivers/scsi/ips.c:2568 ips_next() warn: variable dereferenced before check 'scb->scsi_cmd' (see line 2554) drivers/scsi/ips.c:2593 ips_next() warn: variable dereferenced before check 'scb->scsi_cmd' (see line 2554) drivers/scsi/libsas/sas_scsi_host.c:119 sas_scsi_task_done() warn: variable dereferenced before check 'sc' (see line 110) drivers/scsi/lpfc/lpfc_bsg.c:1332 lpfc_bsg_hba_get_event() warn: variable dereferenced before check 'evt_dat' (see line 1299) drivers/slimbus/qcom-ngd-ctrl.c:884 qcom_slim_ngd_xfer_msg() warn: variable dereferenced before check 'txn->msg' (see line 808) drivers/spi/spi-offload.c:186 spi_offload_trigger_get() warn: variable dereferenced before check 'trigger->ops' (see line 176) drivers/staging/media/atomisp/pci/isp/kernels/output/output_1.0/ia_css_output.host.c:58 ia_css_output_config() warn: variable dereferenced before check 'from->info' (see line 53) drivers/usb/gadget/udc/tegra-xudc.c:2681 tegra_xudc_handle_transfer_completion() warn: variable dereferenced before check 'ep->desc' (see line 2679) drivers/usb/musb/musb_core.c:964 musb_handle_intr_disconnect() warn: variable dereferenced before check 'musb->hcd' (see line 963) fs/bcachefs/journal.c:1187 __bch2_set_nr_journal_buckets() warn: variable dereferenced before check 'c' (see line 1184) fs/efs/inode.c:299 efs_map_block() warn: variable dereferenced before check 'bh' (see line 292) fs/efs/inode.c:304 efs_map_block() warn: variable dereferenced before check 'bh' (see line 292) fs/efs/inode.c:309 efs_map_block() warn: variable dereferenced before check 'bh' (see line 292) fs/nfs/write.c:808 nfs_inode_remove_request() warn: variable dereferenced before check 'folio' (see line 805) fs/ocfs2/dlm/dlmrecovery.c:1590 dlm_mig_lockres_worker() warn: variable dereferenced before check 'res' (see line 1563) fs/ocfs2/move_extents.c:322 ocfs2_defrag_extent() warn: variable dereferenced before check 'context->data_ac' (see line 279) fs/ocfs2/namei.c:1455 ocfs2_rename() warn: variable dereferenced before check 'newfe_bh' (see line 1452) fs/ocfs2/namei.c:1637 ocfs2_rename() warn: variable dereferenced before check 'old_dir_bh' (see line 1618) fs/smb/client/file.c:3085 cifs_oplock_break() warn: variable dereferenced before check 'inode' (see line 3056) lib/reed_solomon/decode_rs.c:315 decode_rs16() warn: variable dereferenced before check 'par' (see line 81) net/core/failover.c:85 failover_slave_register() warn: variable dereferenced before check 'fops' (see line 66) net/mpls/mpls_iptunnel.c:156 mpls_xmit() warn: variable dereferenced before check 'out_dev' (see line 56)
On Mon, Mar 03, 2025 at 01:08:29PM +0300, Dan Carpenter wrote: > On Mon, Mar 03, 2025 at 10:19:06AM +0100, Uwe Kleine-König wrote: > > Hello, > > > > On Sun, Mar 02, 2025 at 07:02:12PM +0100, Markus Elfring wrote: > > > From: Markus Elfring <elfring@users.sourceforge.net> > > > Date: Thu, 13 Apr 2023 21:35:36 +0200 > > > > > > The address of a data structure member was determined before > > > a corresponding null pointer check in the implementation of > > > the function “au1100fb_setmode”. > > > > > > Thus avoid the risk for undefined behaviour by moving the assignment > > > for the variable “info” behind the null pointer check. > > > > > > This issue was detected by using the Coccinelle software. > > > > > > Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") > > > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> > > > > Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> > > > > Should also get > > > > Cc: stable@vger.kernel.org > > > > to ensure this is backported to stable. > > It's not a bugfix, it's a cleanup. That's not a dereference, it's > just pointer math. It shouldn't have a Fixes tag. > > Real bugs where we dereference a pointer and then check for NULL don't > last long in the kernel. Most of the stuff Markus is sending is false > positives like this. I thought a compiler translating the code struct fb_info *info = &fbdev->info; if (!fbdev) return -EINVAL; is free (and expected) to just drop the if block. I wasn't aware that this only applies when the pointer is actually dereferenced. Testing that with arm-linux-gnueabihf-gcc 14.2.0 seems to confirm what you're saying. Thanks for letting me know. With that learned I agree that the Fixes tag should be dropped (and Cc: stable not added). Best regards Uwe
> struct fb_info *info = &fbdev->info; > > if (!fbdev) > return -EINVAL; Is such a null pointer check still relevant for the discussed function implementation? Regards, Markus
On Mon, Mar 03, 2025 at 11:30:46AM +0100, Uwe Kleine-König wrote: > On Mon, Mar 03, 2025 at 01:08:29PM +0300, Dan Carpenter wrote: > > On Mon, Mar 03, 2025 at 10:19:06AM +0100, Uwe Kleine-König wrote: > > > Hello, > > > > > > On Sun, Mar 02, 2025 at 07:02:12PM +0100, Markus Elfring wrote: > > > > From: Markus Elfring <elfring@users.sourceforge.net> > > > > Date: Thu, 13 Apr 2023 21:35:36 +0200 > > > > > > > > The address of a data structure member was determined before > > > > a corresponding null pointer check in the implementation of > > > > the function “au1100fb_setmode”. > > > > > > > > Thus avoid the risk for undefined behaviour by moving the assignment > > > > for the variable “info” behind the null pointer check. > > > > > > > > This issue was detected by using the Coccinelle software. > > > > > > > > Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") > > > > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> > > > > > > Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> > > > > > > Should also get > > > > > > Cc: stable@vger.kernel.org > > > > > > to ensure this is backported to stable. > > > > It's not a bugfix, it's a cleanup. That's not a dereference, it's > > just pointer math. It shouldn't have a Fixes tag. > > > > Real bugs where we dereference a pointer and then check for NULL don't > > last long in the kernel. Most of the stuff Markus is sending is false > > positives like this. > > I thought a compiler translating the code > > struct fb_info *info = &fbdev->info; > > if (!fbdev) > return -EINVAL; > > is free (and expected) to just drop the if block. If you dereference a pointer then it doesn't make sense to have a NULL check after that because the kernel would already have crashed. In 2009, we had the famous tun.c bug where there was a dereference followed by a NULL check and the compiler deleted it as you say. And then, it turned out that you could remap the NULL pointer to and so the NULL dereference didn't lead to a crash and the missing NULL meant the kernel kept running happily. The remapped memory was full of function pointers to get root. We changed min_mmap_addr so that we can't remap the NULL pointer and we started using the -fno-delete-null-pointer-checks compiler option so that it wouldn't remove the NULL check even in places where it didn't make sense. We also started doing more static analysis. We've also tried to randomize where functions are in the memory so it's trickier to hardcode function pointers. A couple years later we had another bug where it turned out you could still remap NULL. I forget how the details. No one wrote an exploit and it wasn't publicized as much. Anyway, none of that applies here, because this is just pointer math. regards, dan carpenter
diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c index cb317398e71a..fcb47b350bc9 100644 --- a/drivers/video/fbdev/au1100fb.c +++ b/drivers/video/fbdev/au1100fb.c @@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi) */ int au1100fb_setmode(struct au1100fb_device *fbdev) { - struct fb_info *info = &fbdev->info; + struct fb_info *info; u32 words; int index; if (!fbdev) return -EINVAL; + info = &fbdev->info; + /* Update var-dependent FB info */ if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) { if (info->var.bits_per_pixel <= 8) {