From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert Hancock
Subject: Re: BUG null dereference in drivers/ata/sata_mv.c
Date: Mon, 14 Dec 2009 19:34:49 -0600
Message-ID: <4B26E7B9.3070103@gmail.com>
References: <200912142051.34029.strakh@ispras.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mail-yw0-f182.google.com ([209.85.211.182]:58191 "EHLO mail-yw0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750719AbZLOBex (ORCPT ); Mon, 14 Dec 2009 20:34:53 -0500
In-Reply-To: <200912142051.34029.strakh@ispras.ru>
Sender: linux-ide-owner@vger.kernel.org
List-Id: linux-ide@vger.kernel.org
To: Alexander Strakh
Cc: Mark Lord, linux-ide@vger.kernel.org, "David S. Miller", linux-kernel@vger.kernel.org

On 12/14/2009 02:51 PM, Alexander Strakh wrote:
> KERNEL_VERSION: 2.6.32
> SUBJECT: null dereference in function mv_unexpected_intr
> DESCRIBE:
> In ./drivers/ata/sata_mv.c in function mv_port_intr
>
> 1. If ap == NULL in line 2778, then we go to line 2779.
> 2. In line 2779 function mv_unexpected_intr(ap, 0) is called.
> 3. In line 2538 null dereference: "ap->link.eh_info"
>
> 2773 static void mv_port_intr(struct ata_port *ap, u32 port_cause)
> 2774 {
> ...
> 2778         if (!ap || (ap->flags & ATA_FLAG_DISABLED)) {
> 2779                 mv_unexpected_intr(ap, 0);
> 2780                 return;
> 2781         }
> ...
> 2809 }
>
> 2536 static void mv_unexpected_intr(struct ata_port *ap, int edma_was_enabled)
> 2537 {
> 2538         struct ata_eh_info *ehi = &ap->link.eh_info;
> ...
> 2555 }
>
> Found by Linux Device Drivers Verification Project (Svace Detector)

I don't think it should be possible for ap to be null at the point the check is made. The null check could likely be removed.
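Added example, not code from sata_mv.c and not from either poster: a small stand-alone model of the pattern the report describes, a guard that admits ap == NULL and then hands that NULL to a callee which dereferences it unconditionally, placed next to a version in which the guard and the callee agree. The struct layouts, flag values, return codes and the check_* helpers are hypothetical stand-ins invented for this illustration; the kernel's real definitions and the driver's real fix are not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel types and flags named in the report;
 * layouts and bit values are invented for this example only. */
#define ATA_FLAG_DISABLED      (1u << 0)
#define ATA_EHI_IRQ_UNEXPECTED (1u << 0)

struct ata_eh_info { unsigned int flags; };
struct ata_link    { struct ata_eh_info eh_info; };
struct ata_port    { unsigned int flags; struct ata_link link; };

/* Same shape as the callee in the report: it dereferences ap before doing
 * anything else, so any caller that can pass NULL faults on this line. */
void mv_unexpected_intr(struct ata_port *ap, int edma_was_enabled)
{
    struct ata_eh_info *ehi = &ap->link.eh_info;
    (void)edma_was_enabled;
    ehi->flags |= ATA_EHI_IRQ_UNEXPECTED;
}

/* The guard as reported: the condition admits ap == NULL and then passes
 * that NULL to a callee that dereferences it. This inconsistency between a
 * NULL test and the code it protects is what the detector flagged. Kept only
 * for comparison; never call it with NULL. */
int mv_port_intr_as_reported(struct ata_port *ap, uint32_t port_cause)
{
    if (!ap || (ap->flags & ATA_FLAG_DISABLED)) {
        mv_unexpected_intr(ap, 0);   /* NULL would reach &ap->link.eh_info */
        return 0;
    }
    return port_cause != 0;          /* normal path, simplified */
}

/* One consistent shape: settle the NULL case before anything is
 * dereferenced and report it with a distinct return code, so a stray
 * interrupt with no port object is neither recorded through a NULL pointer
 * nor silently lost. If ap can never be NULL here, as the reply argues, the
 * NULL test can be dropped instead; either way the guard and the callee
 * then agree about what they accept. */
int mv_port_intr_consistent(struct ata_port *ap, uint32_t port_cause)
{
    if (!ap)
        return -1;                    /* no port to attach the event to */
    if (ap->flags & ATA_FLAG_DISABLED) {
        mv_unexpected_intr(ap, 0);    /* ap is non-NULL on this path */
        return 0;
    }
    return port_cause != 0;
}

/* Drive the consistent version through the three cases. */
int check_null_port(void)
{
    return mv_port_intr_consistent(NULL, 0x3);
}

int check_disabled_port(void)
{
    struct ata_port p = { ATA_FLAG_DISABLED, { { 0 } } };
    if (mv_port_intr_consistent(&p, 0x3) != 0)
        return 0;
    /* the disabled port itself must carry the unexpected-IRQ mark */
    return (p.link.eh_info.flags & ATA_EHI_IRQ_UNEXPECTED) != 0;
}

int check_enabled_port(void)
{
    struct ata_port p = { 0, { { 0 } } };
    return mv_port_intr_consistent(&p, 0x3);
}

int main(void)
{
    printf("NULL port -> %d, disabled port flagged -> %d, enabled port -> %d\n",
           check_null_port(), check_disabled_port(), check_enabled_port());
    return 0;
}
```

The point of the second version is not the specific return code but that the NULL decision is made in exactly one place, before any dereference, so a static checker and a reader both see one consistent contract instead of a guard that contradicts its callee.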