Web lists-archives.com

Re: [drm-nouveau-mmu] question about potential NULL pointer dereference

Quoting Ben Skeggs <bskeggs@xxxxxxxxxx>:

On Wed, Feb 14, 2018 at 1:40 AM, Gustavo A. R. Silva
<garsilva@xxxxxxxxxxxxxx> wrote:

Hi all,

While doing some static analysis I ran into the following piece of code at

 957#define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL :
 958        list_entry((root)->head.dir, struct nvkm_vma, head)
 961nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
 963        struct nvkm_vma *next;
 965        nvkm_memory_tags_put(vma->memory, vmm->mmu->subdev.device,
 966        nvkm_memory_unref(&vma->memory);
 968        if (vma->part) {
 969                struct nvkm_vma *prev = node(vma, prev);
 970                if (!prev->memory) {
 971                        prev->size += vma->size;
 972                        rb_erase(&vma->tree, &vmm->root);
 973                        list_del(&vma->head);
 974                        kfree(vma);
 975                        vma = prev;
 976                }
 977        }
 979        next = node(vma, next);
 980        if (next && next->part) {
 981                if (!next->memory) {
 982                        vma->size += next->size;
 983                        rb_erase(&next->tree, &vmm->root);
 984                        list_del(&next->head);
 985                        kfree(next);
 986                }
 987        }

The issue here is that in case _node_ returns NULL, _prev_ is not being null
checked, hence there is a potential null pointer dereference at line 970.

Notice that _next_ is being null checked at line 980, so I wonder if _prev_
should be checked the same as _next_.

The fact that both _next_ and next->part are null checked, makes me wonder
if in case _prev_ actually needs to be checked, there is another pointer
contained into _prev_ to be validated as well? I'm sorry, this is not clear
to me at this moment.
It's not checked because it can't happen.  If vma->part is set, there
will be a previous node that it was split from.

I got it.

Thanks, Ben.