Date: Tue, 13 Feb 2018 09:40:16 -0600
Message-ID: <20180213094016.Horde.CGfpaa2rdOUHbXlCDH3u5ra@gator4166.hostgator.com>
From: "Gustavo A. R. Silva"
To: Ben Skeggs, David Airlie
Cc: dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: [drm-nouveau-mmu] question about potential NULL pointer dereference

Hi all,

While doing some static analysis I ran into the following piece of code at
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c:957:

957 #define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL : \
958         list_entry((root)->head.dir, struct nvkm_vma, head)
959
960 void
961 nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
962 {
963         struct nvkm_vma *next;
964
965         nvkm_memory_tags_put(vma->memory, vmm->mmu->subdev.device, &vma->tags);
966         nvkm_memory_unref(&vma->memory);
967
968         if (vma->part) {
969                 struct nvkm_vma *prev = node(vma, prev);
970                 if (!prev->memory) {
971                         prev->size += vma->size;
972                         rb_erase(&vma->tree, &vmm->root);
973                         list_del(&vma->head);
974                         kfree(vma);
975                         vma = prev;
976                 }
977         }
978
979         next = node(vma, next);
980         if (next && next->part) {
981                 if (!next->memory) {
982                         vma->size += next->size;
983                         rb_erase(&next->tree, &vmm->root);
984                         list_del(&next->head);
985                         kfree(next);
986                 }
987         }
988 }

The issue here is that in case _node_ returns NULL, _prev_ is not being
null checked, hence there is a potential null pointer dereference at
line 970.

Notice that _next_ is being null checked at line 980, so I wonder if
_prev_ should be checked the same as _next_.

The fact that both _next_ and next->part are null checked makes me
wonder if in case _prev_ actually needs to be checked, there is another
pointer contained in _prev_ to be validated as well?

I'm sorry, this is not clear to me at this moment.

I appreciate your feedback.

Thank you
--
Gustavo
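The pattern the message asks about, modelled in userspace as an added example (this is not the nouveau source and not a patch from the thread): a sentinel-headed list whose node() lookup yields NULL at the list head, and a prev merge guarded the same way line 980 guards _next_. The names merge_prev_checked, mapped and demo are hypothetical, and whether _prev_ can really be NULL when vma->part is set remains the open question of the message.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace model: circular list with a sentinel head, as with
 * the kernel's struct list_head. "mapped" stands in for vma->memory != NULL. */
struct list_head { struct list_head *prev, *next; };
struct vma { struct list_head head; uint64_t size; int part; int mapped; };
struct vmm { struct list_head list; };

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
/* Same test as the quoted node() macro, with vmm passed explicitly and the
 * whole expression parenthesized: the neighbour is NULL at the list head. */
#define node(vmm, root, dir) \
    (((root)->head.dir == &(vmm)->list) ? NULL : \
     list_entry((root)->head.dir, struct vma, head))

static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; }

/* Hypothetical guarded variant of the prev merge: prev is tested before it
 * is dereferenced. Returns the region that survives the merge. */
static struct vma *merge_prev_checked(struct vmm *vmm, struct vma *vma)
{
    if (vma->part) {
        struct vma *prev = node(vmm, vma, prev);
        if (prev && !prev->mapped) {
            prev->size += vma->size;
            list_del(&vma->head); /* the quoted code also does rb_erase + kfree */
            vma = prev;
        }
    }
    return vma;
}

/* Size of the surviving region; with_prev=0 makes the "part" region the
 * first list entry, so node(vma, prev) is NULL and no merge happens. */
uint64_t demo(int with_prev)
{
    struct vmm vmm;
    struct vma a = { .size = 0x1000 }, b = { .size = 0x2000, .part = 1 };
    vmm.list.prev = vmm.list.next = &vmm.list;
    if (with_prev)
        list_add_tail(&a.head, &vmm.list);
    list_add_tail(&b.head, &vmm.list);
    return merge_prev_checked(&vmm, &b)->size;
}

int main(void) { return !(demo(1) == 0x3000 && demo(0) == 0x2000); }
```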