Adrian Bunk noticed the following Coverity report:
> Commit
e7f260a276f2c9184fe753732d834b1f6fbe9f17
> (x86: PAT use reserve free memtype in mmap of /dev/mem)
> added the following gem to arch/x86/mm/pat.c:
>
> <-- snip -->
>
> ...
> int phys_mem_access_prot_allowed(struct file *file, unsigned long pfn,
> unsigned long size, pgprot_t *vma_prot)
> {
> u64 offset = ((u64) pfn) << PAGE_SHIFT;
> unsigned long flags = _PAGE_CACHE_UC_MINUS;
> unsigned long ret_flags;
> ...
> ... (nothing that touches ret_flags)
> ...
> if (flags != _PAGE_CACHE_UC_MINUS) {
> retval = reserve_memtype(offset, offset + size, flags, NULL);
> } else {
> retval = reserve_memtype(offset, offset + size, -1, &ret_flags);
> }
>
> if (retval < 0)
> return 0;
>
> flags = ret_flags;
>
> if (pfn <= max_pfn_mapped &&
> ioremap_change_attr((unsigned long)__va(offset), size, flags) < 0) {
> free_memtype(offset, offset + size);
> printk(KERN_INFO
> "%s:%d /dev/mem ioremap_change_attr failed %s for %Lx-%Lx\n",
> current->comm, current->pid,
> cattr_name(flags),
> offset, offset + size);
> return 0;
> }
>
> *vma_prot = __pgprot((pgprot_val(*vma_prot) & ~_PAGE_CACHE_MASK) |
> flags);
> return 1;
> }
>
> <-- snip -->
>
> If (flags != _PAGE_CACHE_UC_MINUS) we pass garbage from the stack to
> ioremap_change_attr() and/or __pgprot().
>
> Spotted by the Coverity checker.
The fix simplifies the code, as we get rid of the 'ret_flags'
complication.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
{
u64 offset = ((u64) pfn) << PAGE_SHIFT;
unsigned long flags = _PAGE_CACHE_UC_MINUS;
- unsigned long ret_flags;
int retval;
if (!range_is_allowed(pfn, size))
if (flags != _PAGE_CACHE_UC_MINUS) {
retval = reserve_memtype(offset, offset + size, flags, NULL);
} else {
- retval = reserve_memtype(offset, offset + size, -1, &ret_flags);
+ retval = reserve_memtype(offset, offset + size, -1, &flags);
}
if (retval < 0)
return 0;
- flags = ret_flags;
-
if (pfn <= max_pfn_mapped &&
ioremap_change_attr((unsigned long)__va(offset), size, flags) < 0) {
free_memtype(offset, offset + size);
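Review bot: In the else branch, `flags` now serves as both the initialised default and the out-parameter of `reserve_memtype()`, and the `-1` request type is an unexplained magic value; neither is documented at the call. A short comment above that call would help, e.g. `/* -1: no specific type requested; reserve_memtype() stores the type it actually reserved in flags */` (the meaning of `-1` is inferred from the call and should be confirmed against `reserve_memtype()`). The comment is also a good place to state that `flags` is only read after the `retval < 0` check, because this value is handed to `ioremap_change_attr()` and, according to the listing quoted in the commit message, later merged into `*vma_prot` for the /dev/mem mapping. The function continues past the end of this hunk.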