Message ID | 20200910023858.43759-1-jingxiangfeng@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | drm/mm: prevent a potential null-pointer dereference |
On 10.09.20 at 04:38, Jing Xiangfeng wrote:
> The macro 'DECLARE_NEXT_HOLE_ADDR' may hit a potential null-pointer
> dereference. So use 'entry' after checking it.

I don't see a potential null-pointer dereference here.

Where should that be?

Christian.

>
> Fixes: 5fad79fd66ff ("drm/mm: cleanup and improve next_hole_*_addr()")
> Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
> ---
> drivers/gpu/drm/drm_mm.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c > index a4a04d246135..6fcf70f71962 100644 > --- a/drivers/gpu/drm/drm_mm.c > +++ b/drivers/gpu/drm/drm_mm.c > @@ -392,11 +392,14 @@ first_hole(struct drm_mm *mm, > #define DECLARE_NEXT_HOLE_ADDR(name, first, last) \ > static struct drm_mm_node *name(struct drm_mm_node *entry, u64 size) \ > { \ > - struct rb_node *parent, *node = &entry->rb_hole_addr; \ > + struct rb_node *parent, *node; \ > \ > - if (!entry || RB_EMPTY_NODE(node)) \ > + if (!entry) \ > return NULL; \ > \ > + node = &entry->rb_hole_addr; \ > + if (RB_EMPTY_NODE(node)) \ > + return NULL; \ > if (usable_hole_addr(node->first, size)) { \ > node = node->first; \ > while (usable_hole_addr(node->last, size)) \
On 2020/9/10 16:58, Christian König wrote:
> On 10.09.20 at 04:38, Jing Xiangfeng wrote:
>> The macro 'DECLARE_NEXT_HOLE_ADDR' may hit a potential null-pointer
>> dereference. So use 'entry' after checking it.
>
> I don't see a potential null-pointer dereference here.
>
> Where should that be?

In the current code, the "entry" pointer is checked after entry->rb_hole_addr.

Thanks

>
> Christian.
>
>>
>> Fixes: 5fad79fd66ff ("drm/mm: cleanup and improve next_hole_*_addr()")
>> Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
>> ---
>> drivers/gpu/drm/drm_mm.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c >> index a4a04d246135..6fcf70f71962 100644 >> --- a/drivers/gpu/drm/drm_mm.c >> +++ b/drivers/gpu/drm/drm_mm.c >> @@ -392,11 +392,14 @@ first_hole(struct drm_mm *mm, >> #define DECLARE_NEXT_HOLE_ADDR(name, first, last) \ >> static struct drm_mm_node *name(struct drm_mm_node *entry, u64 >> size) \ >> { \ >> - struct rb_node *parent, *node = &entry->rb_hole_addr; \ >> + struct rb_node *parent, *node; \ >> \ >> - if (!entry || RB_EMPTY_NODE(node)) \ >> + if (!entry) \ >> return NULL; \ >> \ >> + node = &entry->rb_hole_addr; \ >> + if (RB_EMPTY_NODE(node)) \ >> + return NULL; \ >> if (usable_hole_addr(node->first, size)) { \ >> node = node->first; \ >> while (usable_hole_addr(node->last, size)) \ > > . >
diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c index a4a04d246135..6fcf70f71962 100644 --- a/drivers/gpu/drm/drm_mm.c +++ b/drivers/gpu/drm/drm_mm.c @@ -392,11 +392,14 @@ first_hole(struct drm_mm *mm, #define DECLARE_NEXT_HOLE_ADDR(name, first, last) \ static struct drm_mm_node *name(struct drm_mm_node *entry, u64 size) \ { \ - struct rb_node *parent, *node = &entry->rb_hole_addr; \ + struct rb_node *parent, *node; \ \ - if (!entry || RB_EMPTY_NODE(node)) \ + if (!entry) \ return NULL; \ \ + node = &entry->rb_hole_addr; \ + if (RB_EMPTY_NODE(node)) \ + return NULL; \ if (usable_hole_addr(node->first, size)) { \ node = node->first; \ while (usable_hole_addr(node->last, size)) \
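Review bot: the removed initializer `node = &entry->rb_hole_addr` only computes a member address, and in the removed condition `!entry ||` short-circuits before `RB_EMPTY_NODE(node)` reads through it, so these lines do not show the old code loading from a NULL `entry`. If the reordering is wanted for readability or to quiet a static checker, say so in the commit message and reconsider the `Fixes:` tag, since no faulting path is identified. Style: the added `return NULL; \` runs straight into `if (usable_hole_addr(node->first, size))`; keep a blank `\` continuation line between them, as there is after the first `return NULL;`.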
The macro 'DECLARE_NEXT_HOLE_ADDR' may hit a potential null-pointer
dereference. So use 'entry' after checking it.

Fixes: 5fad79fd66ff ("drm/mm: cleanup and improve next_hole_*_addr()")
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
---
 drivers/gpu/drm/drm_mm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)