git: 465ba08bb537 - main - vm_phys: Check `RB_FIND()` return value in case it is NULL

From: Jean-Sébastien Pédron <dumbbell_at_FreeBSD.org>
Date: Tue, 03 Feb 2026 14:46:13 UTC
The branch main has been updated by dumbbell:

URL: https://cgit.FreeBSD.org/src/commit/?id=465ba08bb53796b24dceca0d2ccde5a0e2630a2b

commit 465ba08bb53796b24dceca0d2ccde5a0e2630a2b
Author:     Jean-Sébastien Pédron <dumbbell@FreeBSD.org>
AuthorDate: 2026-02-03 12:04:58 +0000
Commit:     Jean-Sébastien Pédron <dumbbell@FreeBSD.org>
CommitDate: 2026-02-03 14:44:55 +0000

    vm_phys: Check `RB_FIND()` return value in case it is NULL
    
    When trying to unregister a fictitious range in
    `vm_phys_fictitious_unreg_range()`, the function checks the properties
    of the looked up segment, but it does not check if a segment was found
    in the first place.
    
    This can happen with the amdgpu DRM driver which could call
    `vm_phys_fictitious_unreg_range()` without a fictitious range registered
    if the initialisation of the driver failed (for example because
    firmwares are unavailable).
    
    The code in the DRM driver was improved to avoid that, but
    `vm_phys_fictitious_unreg_range()` should still check the return value
    of `RB_FIND()` before trying to dereference the segment pointer and
    panic with a page fault.
    
    Reviewed by:    emaste
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D55076
---
 sys/vm/vm_phys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c
index ba16ae551093..1737020436c6 100644
--- a/sys/vm/vm_phys.c
+++ b/sys/vm/vm_phys.c
@@ -1213,7 +1213,7 @@ vm_phys_fictitious_unreg_range(vm_paddr_t start, vm_paddr_t end)
 
 	rw_wlock(&vm_phys_fictitious_reg_lock);
 	seg = RB_FIND(fict_tree, &vm_phys_fictitious_tree, &tmp);
-	if (seg->start != start || seg->end != end) {
+	if (seg == NULL || seg->start != start || seg->end != end) {
 		rw_wunlock(&vm_phys_fictitious_reg_lock);
 		panic(
 		    "Unregistering not registered fictitious range [%#jx:%#jx]",
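Review bot: In the new condition `if (seg == NULL || seg->start != start || seg->end != end)`, the not-found case shares the `panic()` branch with the mismatched-range case. A caller that unregisters a range it never registered therefore still stops the kernel, only with the "Unregistering not registered fictitious range" message instead of a page fault on `seg->start`. If that is the intended contract, a one-line comment above the check would make it explicit: `RB_FIND()` returns NULL when no segment matches `tmp`, and this is treated as a caller bug. It may also be worth giving the NULL case its own wording, so the panic string distinguishes "no segment found" from "segment found with different bounds" when triaging a crash report.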