| author | Jean-Sébastien Pédron <dumbbell@FreeBSD.org> | 2026-02-03 12:04:58 +0000 |
|---|---|---|
| committer | Jean-Sébastien Pédron <dumbbell@FreeBSD.org> | 2026-02-03 14:44:55 +0000 |
| commit | 465ba08bb53796b24dceca0d2ccde5a0e2630a2b (patch) | |
| tree | 0d27dfce64fb8409f4f2a9daf57f57c2fcb9d6ba | |
| parent | d70b9eb74fc4aa430bd2ff4bca37e6a9b6c8004f (diff) | |
vm_phys: Check `RB_FIND()` return value in case it is NULL

When trying to unregister a fictitious range in
`vm_phys_fictitious_unreg_range()`, the function checks the properties
of the looked up segment, but it does not check if a segment was found
in the first place.

This can happen with the amdgpu DRM driver which could call
`vm_phys_fictitious_unreg_range()` without a fictitious range registered
if the initialisation of the driver failed (for example because
firmwares are unavailable).

The code in the DRM driver was improved to avoid that, but
`vm_phys_fictitious_unreg_range()` should still check the return value
of `RB_FIND()` before trying to dereference the segment pointer and
panic with a page fault.

Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55076
| -rw-r--r-- | sys/vm/vm_phys.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c index ba16ae551093..1737020436c6 100644 --- a/sys/vm/vm_phys.c +++ b/sys/vm/vm_phys.c @@ -1213,7 +1213,7 @@ vm_phys_fictitious_unreg_range(vm_paddr_t start, vm_paddr_t end) rw_wlock(&vm_phys_fictitious_reg_lock); seg = RB_FIND(fict_tree, &vm_phys_fictitious_tree, &tmp); - if (seg->start != start || seg->end != end) { + if (seg == NULL || seg->start != start || seg->end != end) { rw_wunlock(&vm_phys_fictitious_reg_lock); panic( "Unregistering not registered fictitious range [%#jx:%#jx]", |
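Review bot: The new `seg == NULL` term in the changed `if` still leads into the existing `panic()` call, so a caller that unregisters a range that was never registered still brings the kernel down, only now with the "Unregistering not registered fictitious range" message instead of a NULL dereference page fault. If that is the intended contract (an unmatched unregister is a caller bug), a one-line comment above the `if` stating that `RB_FIND()` may return NULL and that this is treated as fatal would make the intent clear to the next reader. If the failed-initialisation path described in the commit message is meant to be survivable, the NULL case would need its own branch that does `rw_wunlock(&vm_phys_fictitious_reg_lock);` and returns rather than sharing the panic path.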
