Jean-Sébastien Pédron <dumbbell_at_FreeBSD.org> wrote on Mon, 23 Jun 2025 21:54:28 UTC:
> The branch main has been updated by dumbbell:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=81e6c0168d46b0f5d5d4c5d0405caca8da24c35e
>
> commit 81e6c0168d46b0f5d5d4c5d0405caca8da24c35e
> Author:     Jean-Sébastien Pédron <dumbb...@freebsd.org>
> AuthorDate: 2025-06-18 20:32:13 +0000
> Commit:     Jean-Sébastien Pédron <dumbb...@freebsd.org>
> CommitDate: 2025-06-23 21:43:51 +0000
>
>     lindebugfs.c: Fix possible NULL dereference
>
>     If `debugfs_destroy()` is called early as part of error handling during
>     initialization, `pn->pn_data` is unset.

"is unset": Is this wording intended to mean:

A) pn->pn_data could hold most any bit pattern? (not previously initialized to a known-valid pointer value [including NULL as an example of known-valid])

vs.

B) guaranteed to have been set to either NULL or to a valid non-NULL pointer value?

>     This led to a panic in that if
>     because `dm` is NULL.

Was NULL actually the only possible value that should not be dereferenced?

>     Reviewed by:	bz
>     Sponsored by:	The FreeBSD Foundation
>     Differential Revision:	https://reviews.freebsd.org/D50985
> ---
>  sys/compat/lindebugfs/lindebugfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sys/compat/lindebugfs/lindebugfs.c b/sys/compat/lindebugfs/lindebugfs.c
> index 97f73e79fb6c..50f9377ffec3 100644
> --- a/sys/compat/lindebugfs/lindebugfs.c
> +++ b/sys/compat/lindebugfs/lindebugfs.c
> @@ -104,7 +104,7 @@ debugfs_destroy(PFS_DESTROY_ARGS)
>  	struct dentry_meta *dm;
>  
>  	dm = pn->pn_data;
> -	if (dm->dm_type == DM_SYMLINK)
> +	if (dm != NULL && dm->dm_type == DM_SYMLINK)

The above code would be sufficient for (B) but would not be for (A). If the context is an example of (A), it would appear that the context needs to be changed to be an example of (B). In other words: the new if above would not be what needs to be changed.

>  		free(dm->dm_data, M_DFSINT);
>  
>  	free(dm, M_DFSINT);

===
Mark Millard
marklmi at yahoo.com
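Review bot: In the debugfs_destroy() hunk, the new `dm != NULL &&` guard only skips the `dm->dm_type` read; the unconditional `free(dm, M_DFSINT);` that closes the hunk is still reached with `dm == NULL` on the early-error path, so the fix silently relies on free(9) tolerating a NULL pointer. An explicit early return before the symlink check, `if (dm == NULL) return;`, makes the "destroyed before pn_data was attached" case visible to the reader and keeps the two free() calls on a path where dm is known to be valid. The guard also presumes that pn_data is NULL, rather than merely uninitialized, when destroy runs early; nothing in the hunk shows where pn_data is set to NULL at node creation, and that invariant is worth a one-line comment at the guard since the check is meaningless without it.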
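The (A)/(B) distinction raised above is easy to see in userland C. The following is an added example and not FreeBSD or lindebugfs code: `struct node`, `struct dentry_meta`, `node_destroy()` and the three driver functions are hypothetical stand-ins shaped like the committed hunk. Case (B) sets `pn_data` to NULL before anything can fail, so a destroy on the early-error path is clean; case (A) leaves `pn_data` uninitialized (constructed junk of 0xAA bytes stands in for a non-zeroed malloc block), and the `dm != NULL` predicate does not fire, so the guard alone would not have prevented a dereference.

```c
#include <stdlib.h>
#include <string.h>

enum dm_type { DM_FILE, DM_SYMLINK };

/* Hypothetical shapes standing in for lindebugfs's dentry_meta and the pfs node. */
struct dentry_meta {
	enum dm_type dm_type;
	char *dm_data;		/* symlink target, owned by the meta */
};

struct node {
	struct dentry_meta *pn_data;
};

/* Destroy path shaped like the committed fix: guard dm before reading dm->dm_type. */
static void
node_destroy(struct node *pn)
{
	struct dentry_meta *dm = pn->pn_data;

	if (dm != NULL && dm->dm_type == DM_SYMLINK)
		free(dm->dm_data);
	free(dm);		/* free(NULL) is a no-op, as free(9) is in the kernel */
	pn->pn_data = NULL;
}

/* Case (B): pn_data is set to a known value (NULL) before anything can fail.
 * Simulate an early failure and run the destroy path; returns 0 on a clean exit. */
int
case_b_early_failure(void)
{
	struct node *pn = malloc(sizeof(*pn));

	if (pn == NULL)
		return -1;
	pn->pn_data = NULL;	/* the invariant the dm != NULL guard relies on */
	/* ... meta allocation fails here and error handling calls destroy ... */
	node_destroy(pn);
	free(pn);
	return 0;
}

/* Case (A): pn_data was never initialized.  A malloc(9) without M_ZERO hands
 * back whatever was in the block; 0xAA is constructed junk standing in for it.
 * Only the guard's predicate is evaluated: running node_destroy() on this node
 * would be undefined behaviour.  Returns 1 if the guard would skip, else 0. */
int
case_a_guard_skips(void)
{
	struct node *pn = malloc(sizeof(*pn));
	int skips;

	if (pn == NULL)
		return -1;
	memset(pn, 0xAA, sizeof(*pn));
	skips = (pn->pn_data == NULL);	/* junk is not NULL: guard would not fire */
	free(pn);
	return skips;
}

/* Normal path: build a symlink meta, attach it, then destroy; returns 0 on success.
 * Every failure branch goes through node_destroy() with pn_data in a known state. */
int
symlink_roundtrip(const char *target)
{
	struct node *pn = malloc(sizeof(*pn));
	struct dentry_meta *dm;
	size_t n;

	if (pn == NULL)
		return -1;
	pn->pn_data = NULL;	/* establish (B) before the first fallible step */
	dm = malloc(sizeof(*dm));
	if (dm == NULL) {
		node_destroy(pn);	/* early error path: dm is NULL, not junk */
		free(pn);
		return -1;
	}
	n = strlen(target) + 1;
	dm->dm_type = DM_SYMLINK;
	dm->dm_data = malloc(n);
	if (dm->dm_data == NULL) {
		free(dm);
		node_destroy(pn);
		free(pn);
		return -1;
	}
	memcpy(dm->dm_data, target, n);
	pn->pn_data = dm;
	node_destroy(pn);
	free(pn);
	return 0;
}
```

The point of `case_a_guard_skips()` is the one Mark makes: a NULL check in the destructor is only a fix if the constructor guarantees NULL on every path that can reach the destructor early; otherwise the change belongs at the allocation site (set `pn_data = NULL`, or allocate with M_ZERO), not in the `if`.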