Date: Tue, 03 Feb 2026 14:46:13 +0000
From: Jean-Sébastien Pédron <dumbbell@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 465ba08bb537 - main - vm_phys: Check `RB_FIND()` return value in case it is NULL
Message-ID: <69820a35.3de54.5385aafc@gitrepo.freebsd.org>
The branch main has been updated by dumbbell: URL: https://cgit.FreeBSD.org/src/commit/?id=465ba08bb53796b24dceca0d2ccde5a0e2630a2b commit 465ba08bb53796b24dceca0d2ccde5a0e2630a2b Author: Jean-Sébastien Pédron <dumbbell@FreeBSD.org> AuthorDate: 2026-02-03 12:04:58 +0000 Commit: Jean-Sébastien Pédron <dumbbell@FreeBSD.org> CommitDate: 2026-02-03 14:44:55 +0000 vm_phys: Check `RB_FIND()` return value in case it is NULL When trying to unregister a fictitious range in `vm_phys_fictitious_unreg_range()`, the function checks the properties of the looked up segment, but it does not check if a segment was found in the first place. This can happen with the amdgpu DRM driver which could call `vm_phys_fictitious_unreg_range()` without a fictitious range registered if the initialisation of the driver failed (for example because firmwares are unavailable). The code in the DRM driver was improved to avoid that, but `vm_phys_fictitious_unreg_range()` should still check the return value of `RB_FIND()` before trying to dereference the segment pointer and panic with a page fault. Reviewed by: emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D55076 --- sys/vm/vm_phys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c index ba16ae551093..1737020436c6 100644 --- a/sys/vm/vm_phys.c +++ b/sys/vm/vm_phys.c @@ -1213,7 +1213,7 @@ vm_phys_fictitious_unreg_range(vm_paddr_t start, vm_paddr_t end) rw_wlock(&vm_phys_fictitious_reg_lock); seg = RB_FIND(fict_tree, &vm_phys_fictitious_tree, &tmp); - if (seg->start != start || seg->end != end) { + if (seg == NULL || seg->start != start || seg->end != end) { rw_wunlock(&vm_phys_fictitious_reg_lock); panic( "Unregistering not registered fictitious range [%#jx:%#jx]",home | help
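Review bot: In the changed condition `if (seg == NULL || seg->start != start || seg->end != end)`, a failed `RB_FIND()` lookup still ends in the existing `panic("Unregistering not registered fictitious range ...")` branch, so a caller that unregisters a range it never registered still brings the kernel down, only now with a diagnostic message instead of a page fault on the NULL dereference. The commit message should say that explicitly, since "check the return value" can be read as making the call tolerated; if the intent is to survive a driver whose initialisation failed, the NULL case needs its own non-panicking path rather than sharing this branch. The short-circuit order is right: the `seg == NULL` test has to stay first so that `seg->start` and `seg->end` are never evaluated on a NULL pointer.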
