[PATCH] dma-iommu: Add a check to avoid dereference null pointer in function iommu_dma_map_sg()

From: Xiang Chen <chenxiang66@hisilicon.com> The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value. Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com> --- drivers/iommu/dma-iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */ - if (pad_len && pad_len < s_length - 1) { + if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len; } -- 2.8.1
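Review bot: the `prev &&` term added to `if (pad_len && pad_len < s_length - 1)` is redundant, and the comment shown in the hunk's own context already says why: on the first pass through the loop (`iova_len == 0`, before `prev` has a meaningful value) `prev` cannot be dereferenced, because the existing `pad_len &&` test is already false there; a non-zero `pad_len` implies `prev` was assigned on an earlier iteration. The TscanCode report this patch responds to is therefore a false positive, and the commit message asserting that a NULL dereference "is possible" is not supported by the code. Suggest dropping the change; if the tool warning must be quieted, the commit message should at least explain which case the documented invariant fails to cover, since as written this adds a runtime test that can never fail.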

On 2021-05-21 04:05, chenxiang wrote:
From: Xiang Chen <chenxiang66@hisilicon.com>
The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value.
No it isn't. This is literally explained in the comment visible in the diff context below...

Robin.
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com> --- drivers/iommu/dma-iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */ - if (pad_len && pad_len < s_length - 1) { + if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len; }

On 2021/5/21 18:36, Robin Murphy wrote:
On 2021-05-21 04:05, chenxiang wrote:
From: Xiang Chen <chenxiang66@hisilicon.com>
The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value.
No it isn't. This is literally explained in the comment visible in the diff context below...
Robin.
ok, thanks
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com> --- drivers/iommu/dma-iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */ - if (pad_len && pad_len < s_length - 1) { + if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len; }
participants (3): chenxiang, chenxiang (M), Robin Murphy