From: Xiang Chen chenxiang66@hisilicon.com
The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value.
Signed-off-by: Xiang Chen chenxiang66@hisilicon.com
---
drivers/iommu/dma-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */ - if (pad_len && pad_len < s_length - 1) { + if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len; }
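Review bot: the new `prev &&` term in the `if (prev && pad_len && pad_len < s_length - 1)` condition guards a case that the comment directly above it already describes as excluded: the comment says iova_len == 0 the first time through, so prev is not dereferenced before it has a meaningful value. The commit message cites only the TscanCode report; it should show a concrete path on which pad_len is nonzero while prev is still NULL. If no such path exists, the extra test is dead code and is better dropped, or the change should be described as silencing the analyser rather than as fixing a NULL dereference.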
On 2021-05-21 04:05, chenxiang wrote:
From: Xiang Chen chenxiang66@hisilicon.com
The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value.
No it isn't. This is literally explained in the comment visible in the diff context below...
Robin.
Signed-off-by: Xiang Chen chenxiang66@hisilicon.com
drivers/iommu/dma-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */
if (pad_len && pad_len < s_length - 1) {
}if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len;
On 2021/5/21 18:36, Robin Murphy wrote:
On 2021-05-21 04:05, chenxiang wrote:
From: Xiang Chen chenxiang66@hisilicon.com
The issue is reported by tool TscanCode, and it is possible to dereference null pointer when prev is NULL which is the initial value.
No it isn't. This is literally explained in the comment visible in the diff context below...
Robin.
ok, thanks
Signed-off-by: Xiang Chen chenxiang66@hisilicon.com
drivers/iommu/dma-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 4cb63b2..88a4f34 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -1042,7 +1042,7 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, * iova_len == 0, thus we cannot dereference prev the first * time through here (i.e. before it has a meaningful value). */
if (pad_len && pad_len < s_length - 1) {
if (prev && pad_len && pad_len < s_length - 1) { prev->length += pad_len; iova_len += pad_len; }