[Nouveau] [drm-nouveau-mmu] question about potential NULL pointer dereference
Gustavo A. R. Silva
garsilva at embeddedor.com
Tue Feb 13 15:40:16 UTC 2018
Hi all,
While doing some static analysis I ran into the following piece of
code at drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c:957:
957#define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL :
\
958 list_entry((root)->head.dir, struct nvkm_vma, head)
959
960void
961nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
962{
963 struct nvkm_vma *next;
964
965 nvkm_memory_tags_put(vma->memory,
vmm->mmu->subdev.device, &vma->tags);
966 nvkm_memory_unref(&vma->memory);
967
968 if (vma->part) {
969 struct nvkm_vma *prev = node(vma, prev);
970 if (!prev->memory) {
971 prev->size += vma->size;
972 rb_erase(&vma->tree, &vmm->root);
973 list_del(&vma->head);
974 kfree(vma);
975 vma = prev;
976 }
977 }
978
979 next = node(vma, next);
980 if (next && next->part) {
981 if (!next->memory) {
982 vma->size += next->size;
983 rb_erase(&next->tree, &vmm->root);
984 list_del(&next->head);
985 kfree(next);
986 }
987 }
988}
The issue here is that in case _node_ returns NULL, _prev_ is not
being null checked, hence there is a potential null pointer
dereference at line 970.
Notice that _next_ is being null checked at line 980, so I wonder if
_prev_ should be checked the same as _next_.
The fact that both _next_ and next->part are null checked, makes me
wonder if in case _prev_ actually needs to be checked, there is
another pointer contained into _prev_ to be validated as well? I'm
sorry, this is not clear to me at this moment.
I appreciate your feedback
Thank you
--
Gustavo
More information about the Nouveau
mailing list