From: Ben Skeggs
Date: Wed, 14 Feb 2018 08:57:51 +1000
Subject: Re: [drm-nouveau-mmu] question about potential NULL pointer dereference
To: "Gustavo A. R. Silva"
Cc: David Airlie, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
In-Reply-To: <20180213094016.Horde.CGfpaa2rdOUHbXlCDH3u5ra@gator4166.hostgator.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Feb 14, 2018 at 1:40 AM, Gustavo A. R. Silva wrote:
>
> Hi all,
>
> While doing some static analysis I ran into the following piece of code at
> drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c:957:
>
> 957 #define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL :           \
> 958         list_entry((root)->head.dir, struct nvkm_vma, head)
> 959
> 960 void
> 961 nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
> 962 {
> 963         struct nvkm_vma *next;
> 964
> 965         nvkm_memory_tags_put(vma->memory, vmm->mmu->subdev.device, &vma->tags);
> 966         nvkm_memory_unref(&vma->memory);
> 967
> 968         if (vma->part) {
> 969                 struct nvkm_vma *prev = node(vma, prev);
> 970                 if (!prev->memory) {
> 971                         prev->size += vma->size;
> 972                         rb_erase(&vma->tree, &vmm->root);
> 973                         list_del(&vma->head);
> 974                         kfree(vma);
> 975                         vma = prev;
> 976                 }
> 977         }
> 978
> 979         next = node(vma, next);
> 980         if (next && next->part) {
> 981                 if (!next->memory) {
> 982                         vma->size += next->size;
> 983                         rb_erase(&next->tree, &vmm->root);
> 984                         list_del(&next->head);
> 985                         kfree(next);
> 986                 }
> 987         }
> 988 }
>
> The issue here is that in case _node_ returns NULL, _prev_ is not being null
> checked, hence there is a potential null pointer dereference at line 970.
>
> Notice that _next_ is being null checked at line 980, so I wonder if _prev_
> should be checked the same as _next_.
>
> The fact that both _next_ and next->part are null checked makes me wonder
> if, in case _prev_ actually needs to be checked, there is another pointer
> contained in _prev_ to be validated as well? I'm sorry, this is not clear
> to me at this moment.

It's not checked because it can't happen.  If vma->part is set, there
will be a previous node that it was split from.

Ben.

> I appreciate your feedback
> Thank you
> --
> Gustavo
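To make the invariant in Ben's answer concrete, here is an added stand-alone C model (not the nouveau driver's code): a minimal circular list with the same node() shape as vmm.c, a split that always links the new 'part' region directly after the region it was carved from, the merge logic of nvkm_vmm_unmap_region without the rb-tree and memory refcounting, and a walk that checks every part region has a real predecessor. The struct layouts, vmm_add/vmm_split/vmm_check_invariant and the sample addresses are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
struct lh { struct lh *prev, *next; };        /* stand-in for kernel list_head */
struct vma { struct lh head; size_t addr, size; bool part; void *memory; };
struct vmm { struct lh list; };               /* sentinel, mirrors vmm->list */
#define to_vma(p) ((struct vma *)((char *)(p) - offsetof(struct vma, head)))
/* Same shape as the macro in vmm.c: NULL when the neighbour is the sentinel. */
#define node(root, dir) ((root)->head.dir == &vmm->list ? NULL : to_vma((root)->head.dir))
static void link_after(struct lh *at, struct lh *n)
{ n->prev = at; n->next = at->next; at->next->prev = n; at->next = n; }
static void unlink_node(struct lh *n) { n->prev->next = n->next; n->next->prev = n->prev; }
void vmm_init(struct vmm *vmm) { vmm->list.prev = vmm->list.next = &vmm->list; }
/* Initial, unsplit region (assumed model): part == false, may sit first. */
struct vma *vmm_add(struct vmm *vmm, size_t addr, size_t size)
{
    struct vma *v = calloc(1, sizeof(*v));
    v->addr = addr; v->size = size; link_after(vmm->list.prev, &v->head); return v;
}
/* Split: the tail becomes a 'part' region linked directly after vma, so a
 * part node always has a real predecessor (the invariant Ben describes). */
struct vma *vmm_split(struct vma *vma, size_t keep)
{
    struct vma *n = calloc(1, sizeof(*n));
    n->addr = vma->addr + keep; n->size = vma->size - keep; n->part = true;
    vma->size = keep; link_after(&vma->head, &n->head);
    return n;
}
/* Mirrors the merge logic of nvkm_vmm_unmap_region; returns the survivor. */
struct vma *vmm_unmap_region(struct vmm *vmm, struct vma *vma)
{
    vma->memory = NULL;
    if (vma->part) {
        struct vma *prev = node(vma, prev);   /* never NULL for a part node */
        if (!prev->memory) {
            prev->size += vma->size; unlink_node(&vma->head); free(vma); vma = prev;
        }
    }
    struct vma *next = node(vma, next);
    if (next && next->part && !next->memory) {
        vma->size += next->size; unlink_node(&next->head); free(next);
    }
    return vma;
}
/* Defensive walk: every part region must have a non-sentinel predecessor. */
bool vmm_check_invariant(struct vmm *vmm)
{
    for (struct lh *p = vmm->list.next; p != &vmm->list; p = p->next)
        if (to_vma(p)->part && p->prev == &vmm->list) return false;
    return true;
}
```

The only region that can be first in the list is an unsplit one, which is exactly the case where the prev-merge branch is skipped, so the walk doubles as a cheap debug assertion if the split path is ever changed.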