* [block] question about potential null pointer dereference
@ 2017-05-23 21:52 Gustavo A. R. Silva
2017-05-24 11:34 ` Paolo Valente
0 siblings, 1 reply; 2+ messages in thread
From: Gustavo A. R. Silva @ 2017-05-23 21:52 UTC (permalink / raw)
To: Paolo Valente, Jens Axboe; +Cc: linux-block, linux-kernel
Hello everybody,
While looking into Coverity ID 1408828 I ran into the following piece
of code at block/bfq-wf2q.c:542:
542static struct rb_node *bfq_find_deepest(struct rb_node *node)
543{
544 struct rb_node *deepest;
545
546 if (!node->rb_right && !node->rb_left)
547 deepest = rb_parent(node);
548 else if (!node->rb_right)
549 deepest = node->rb_left;
550 else if (!node->rb_left)
551 deepest = node->rb_right;
552 else {
553 deepest = rb_next(node);
554 if (deepest->rb_right)
555 deepest = deepest->rb_right;
556 else if (rb_parent(deepest) != node)
557 deepest = rb_parent(deepest);
558 }
559
560 return deepest;
561}
The issue here is that there is a potential NULL pointer dereference
at line 554, in case function rb_next() returns NULL.
Maybe a patch like the following could be applied in order to avoid
any chance of a NULL pointer dereference:
index 8726ede..28d8b90 100644
--- a/block/bfq-wf2q.c
+++ b/block/bfq-wf2q.c
@@ -551,6 +551,8 @@ static struct rb_node *bfq_find_deepest(struct
rb_node *node)
deepest = node->rb_right;
else {
deepest = rb_next(node);
+ if (!deepest)
+ return NULL;
if (deepest->rb_right)
deepest = deepest->rb_right;
else if (rb_parent(deepest) != node)
What do you think?
I'd really appreciate any comment on this.
Thank you!
--
Gustavo A. R. Silva
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [block] question about potential null pointer dereference
2017-05-23 21:52 [block] question about potential null pointer dereference Gustavo A. R. Silva
@ 2017-05-24 11:34 ` Paolo Valente
0 siblings, 0 replies; 2+ messages in thread
From: Paolo Valente @ 2017-05-24 11:34 UTC (permalink / raw)
To: Gustavo A. R. Silva; +Cc: Jens Axboe, linux-block, linux-kernel
> Il giorno 23 mag 2017, alle ore 22:52, Gustavo A. R. Silva <garsilva@embeddedor.com> ha scritto:
>
>
> Hello everybody,
>
Hi
> While looking into Coverity ID 1408828 I ran into the following piece of code at block/bfq-wf2q.c:542:
>
> 542static struct rb_node *bfq_find_deepest(struct rb_node *node)
> 543{
> 544 struct rb_node *deepest;
> 545
> 546 if (!node->rb_right && !node->rb_left)
> 547 deepest = rb_parent(node);
> 548 else if (!node->rb_right)
> 549 deepest = node->rb_left;
> 550 else if (!node->rb_left)
> 551 deepest = node->rb_right;
> 552 else {
> 553 deepest = rb_next(node);
> 554 if (deepest->rb_right)
> 555 deepest = deepest->rb_right;
> 556 else if (rb_parent(deepest) != node)
> 557 deepest = rb_parent(deepest);
> 558 }
> 559
> 560 return deepest;
> 561}
>
> The issue here is that there is a potential NULL pointer dereference at line 554, in case function rb_next() returns NULL.
>
Can rb_next(node) return NULL, although node is guaranteed to have both
a left and a right child at line 554?
Thanks,
Paolo
> Maybe a patch like the following could be applied in order to avoid any chance of a NULL pointer dereference:
>
> index 8726ede..28d8b90 100644
> --- a/block/bfq-wf2q.c
> +++ b/block/bfq-wf2q.c
> @@ -551,6 +551,8 @@ static struct rb_node *bfq_find_deepest(struct rb_node *node)
> deepest = node->rb_right;
> else {
> deepest = rb_next(node);
> + if (!deepest)
> + return NULL;
> if (deepest->rb_right)
> deepest = deepest->rb_right;
> else if (rb_parent(deepest) != node)
>
> What do you think?
>
> I'd really appreciate any comment on this.
>
> Thank you!
> --
> Gustavo A. R. Silva
>
>
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-24 11:34 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-23 21:52 [block] question about potential null pointer dereference Gustavo A. R. Silva
2017-05-24 11:34 ` Paolo Valente
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).