Date: Tue, 13 Feb 2018 17:00:16 -0600
From: "Gustavo A. R. Silva"
To: Ben Skeggs
Cc: David Airlie, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [drm-nouveau-mmu] question about potential NULL pointer dereference

Quoting Ben Skeggs:

> On Wed, Feb 14, 2018 at 1:40 AM, Gustavo A. R. Silva wrote:
>>
>> Hi all,
>>
>> While doing some static analysis I ran into the following piece of code at
>> drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c:957:
>>
>> 957 #define node(root, dir) ((root)->head.dir == &vmm->list) ? NULL :    \
>> 958         list_entry((root)->head.dir, struct nvkm_vma, head)
>> 959
>> 960 void
>> 961 nvkm_vmm_unmap_region(struct nvkm_vmm *vmm, struct nvkm_vma *vma)
>> 962 {
>> 963         struct nvkm_vma *next;
>> 964
>> 965         nvkm_memory_tags_put(vma->memory, vmm->mmu->subdev.device,
>>                                  &vma->tags);
>> 966         nvkm_memory_unref(&vma->memory);
>> 967
>> 968         if (vma->part) {
>> 969                 struct nvkm_vma *prev = node(vma, prev);
>> 970                 if (!prev->memory) {
>> 971                         prev->size += vma->size;
>> 972                         rb_erase(&vma->tree, &vmm->root);
>> 973                         list_del(&vma->head);
>> 974                         kfree(vma);
>> 975                         vma = prev;
>> 976                 }
>> 977         }
>> 978
>> 979         next = node(vma, next);
>> 980         if (next && next->part) {
>> 981                 if (!next->memory) {
>> 982                         vma->size += next->size;
>> 983                         rb_erase(&next->tree, &vmm->root);
>> 984                         list_del(&next->head);
>> 985                         kfree(next);
>> 986                 }
>> 987         }
>> 988 }
>>
>> The issue here is that in case _node_ returns NULL, _prev_ is not being null
>> checked, hence there is a potential null pointer dereference at line 970.
>>
>> Notice that _next_ is being null checked at line 980, so I wonder if _prev_
>> should be checked the same as _next_.
>>
>> The fact that both _next_ and next->part are null checked makes me wonder
>> if, in case _prev_ actually needs to be checked, there is another pointer
>> contained in _prev_ to be validated as well? I'm sorry, this is not clear
>> to me at this moment.
>
> It's not checked because it can't happen. If vma->part is set, there
> will be a previous node that it was split from.
>

I got it. Thanks, Ben.

--
Gustavo
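The point Ben makes above is an invariant, not a code path: a region only carries the "part" flag because it was split off the region immediately before it, so the predecessor lookup cannot hit the list head. The following is an added, self-contained model of that invariant written for this page; it is not nouveau code and not part of the thread. Names such as struct region, struct space, mapped, split() and unmap_region() are hypothetical stand-ins for the driver's structures, the node() macro keeps the shape of the quoted one but takes the list owner explicitly, and the scenario it runs is constructed. The value of such a model for a reviewer of a static-analysis finding is that the assumption is written down where an assert (or WARN_ON in kernel code) can catch it if the producer side ever changes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular doubly-linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *pos) /* insert after pos */
{
    n->prev = pos; n->next = pos->next;
    pos->next->prev = n; pos->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical region type with only the fields the discussion depends on. */
struct region {
    struct list_head head;
    unsigned long addr, size;
    int part;    /* set when this region was split off the one before it */
    int mapped;  /* stands in for a non-NULL vma->memory */
};

struct space { struct list_head list; };

/* Same shape as the quoted node() macro: NULL when the neighbour in that
 * direction is the list head. The owning space is passed explicitly here. */
#define node(sp, r, dir) \
    (((r)->head.dir == &(sp)->list) ? NULL \
                                    : container_of((r)->head.dir, struct region, head))

/* The invariant the reply relies on: a region with part set has a predecessor. */
static int invariant_holds(struct space *sp)
{
    struct list_head *p;
    for (p = sp->list.next; p != &sp->list; p = p->next) {
        struct region *r = container_of(p, struct region, head);
        if (r->part && node(sp, r, prev) == NULL)
            return 0;
    }
    return 1;
}

static struct region *region_new(unsigned long addr, unsigned long size, int mapped)
{
    struct region *r = calloc(1, sizeof *r);
    assert(r);
    r->addr = addr; r->size = size; r->mapped = mapped;
    return r;
}

/* Split r at offset 'at': the tail becomes a part=1 region linked right after
 * r, which is exactly what guarantees node(..., prev) is non-NULL for it. */
static struct region *split(struct region *r, unsigned long at)
{
    struct region *tail;
    assert(at > 0 && at < r->size);
    tail = region_new(r->addr + at, r->size - at, r->mapped);
    tail->part = 1;
    r->size = at;
    list_add(&tail->head, &r->head);
    return tail;
}

/* Mirrors the merge logic of the quoted nvkm_vmm_unmap_region(): no NULL
 * check on prev, as in the driver. The assert records the invariant that
 * makes this safe instead of leaving it implicit. */
static void unmap_region(struct space *sp, struct region *r)
{
    struct region *next;

    r->mapped = 0;
    if (r->part) {
        struct region *prev = node(sp, r, prev);
        assert(prev != NULL);  /* every part=1 region was produced by split() */
        if (!prev->mapped) {
            prev->size += r->size;
            list_del(&r->head);
            free(r);
            r = prev;
        }
    }
    next = node(sp, r, next);
    if (next && next->part && !next->mapped) {
        r->size += next->size;
        list_del(&next->head);
        free(next);
    }
}

/* Constructed scenario: one mapped region [0, 100) is split at 40 and both
 * halves are unmapped. Returns the size of the single coalesced region, or 0
 * if the invariant ever failed or the list did not coalesce back to one entry. */
unsigned long scenario(void)
{
    struct space sp;
    struct region *first, *second, *last;
    unsigned long size;

    list_init(&sp.list);
    first = region_new(0, 100, 1);
    list_add(&first->head, &sp.list);
    second = split(first, 40);
    if (!invariant_holds(&sp)) return 0;

    unmap_region(&sp, second);   /* prev still mapped: no merge yet */
    if (!invariant_holds(&sp)) return 0;
    unmap_region(&sp, first);    /* the free tail is pulled back into first */
    if (!invariant_holds(&sp) || sp.list.next->next != &sp.list) return 0;

    last = container_of(sp.list.next, struct region, head);
    size = last->size;
    list_del(&last->head);
    free(last);
    return size;
}

int main(void)
{
    printf("coalesced size: %lu\n", scenario());
    return 0;
}
```

Unmapping the split-off tail first leaves two regions because its predecessor is still mapped; unmapping the head region then absorbs the free tail, so the list ends with one region of size 100. If split() were ever changed so that a part=1 region could appear at the front of the list, invariant_holds() and the assert in unmap_region() would both flag it before the missing NULL check could matter.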