Re: Null dereference errors in the kernel

[Joshua Henderson <kernel_org@digitalpeer.com>]

Looked at the first 4.  These are valid errors.  Seems like a rather 
intelligent tool.  When will this tool be publicly available?

Thomas Dillig wrote:
> Hello,
>
> We are PhD students at Stanford University working on a static 
> analysis project called SATURN (http://glide.stanford.edu/saturn). We 
> have implemented a checker that finds potential null dereference 
> errors and ran our tool on the kernel version 2.6.17.1. We have 
> identified around 300 potential issues related to null errors, and 
> we've included 20 sample reports below. If you would be interested, we 
> can post all the issues we found. Also, we apologize in advance if we 
> aren't supposed to post these error reports here, and we are happy to 
> submit bug reports elsewhere if you tell us where to post these.
>
> Thanks,
> Thomas & Isil Dillig
>
>
>
> Error reports:
>
>
> [1]
> 790 drivers/video/modedb.c
> NULL dereference of variable "best"
There in 2.6.17.1.  Fixed in at least 2.6.18-rc1.
>
>
> [2]
> 6538 drivers/scsi/aic7xxx/aic7xxx_core.c
> Possible null dereference of variable "cur_column" checked for NULL at 
> (6531:drivers/scsi/aic7xxx/aic7xxx_core.c)
Looks possible in 2.6.18-rc1.
>
>
> [3]
> 46 sound/isa/sb/sb8_midi.c
> NULL dereference of variable "chip" (inside macro SBP() )
There in 2.6.17.1.  Fixed in at least 2.6.18-rc1.
>
>
> [4]
> 239 drivers/usb/misc/usblcd.c
> NULL dereference of variable "urb".
Definitely in 2.6.18-rc1.
>
>
> [5]
> 916 drivers/char/specialix.c
> Possible null dereference of "bp" checked for NULL at 
> (917:drivers/char/specialix.c). Dereferenced through call chain 
> (drivers/char/specialix.c:sx_get_port, drivers/char/specialix.c:sx_in)
>
>
> [6]
> 1196, 1201, 1204,... drivers/net/irda/donauboe.c
> Possible null dereference of variable "self" checked for NULL at 
> (1170:drivers/net/irda/donauboe.c)
>
>
> [7]
> 144 drivers/char/agp/ati-agp.c
> NULL dereference of variable "ati_generic_private.gatt_pages" in 
> function call (drivers/char/agp/ati-agp.c:ati_free_gatt_pages).
>
>
> [8]
> 816 net/decnet/dn_route.c
> Possible null dereference of variable "rt->u.dst.dev" checked for NULL 
> at (809:net/decnet/dn_route.c) and aliased as variable "dev".
>
>
> [9]
> 100 drivers/mtd/maps/ts5500_flash.c
> NULL dereference of variable of "mymtd" in function call (map_destroy).
>
>
> [10]
> 1092, 1093, 1115 drivers/net/bonding/bond_sysfs.c
> Possible null dereference of variable "slave" checked for NULL at 
> (1097:drivers/net/bonding/bond_sysfs.c), aliased as variable 
> "new_active".
>
>
> [11]
> 512, 513 fs/ntfs/attrib.c
> Possible null dereference of variable "ctx" checked for NULL at 
> (474:fs/ntfs/attrib.c).
>
>
> [12]
> 562, 563 drivers/ide/pci/pdc202xx_old.c
> Possible null dereference of variable "hwif" checked for NULL at 
> (565:drivers/ide/pci/pdc202xx_old.c).
>
>
> [13]
> 1176, 1180 drivers/char/isicom.c
> Possible null dereference of variable "tty" checked for NULL at 
> (1183:drivers/char/isicom.c).
>
>
> [14]
> 1230, 1232 drivers/scsi/tmscsim.c
> Possible null dereference of variable "psgl" checked for NULL at 
> (1249:drivers/scsi/tmscsim.c), aliased as "pcmd->request_buffer".
>
>
> [15]
> 680 drivers/net/3c505.c
> Possible null dereference  of variable "adapter->current_dma.skb" in 
> function call (include/linux/netdevice.h:dev_kfree_skb_irq) checked at 
> (688:drivers/net/3c505.c), aliased as variable "skb".
>
>
> [16]
> 965 drivers/net/tulip/dmfe.c
> NULL dereference of variable "skb".
>
>
> [17]
> 730 drivers/net/hamradio/6pack.c
> Possible null dereference of variable "sp" checked for NULL at 
> (733:drivers/net/hamradio/6pack.c).
>
>
> [18]
> 405 drivers/acpi/dispatcher/dswload.c
> Possible null dereference of variable "op->common.value.arg" checked 
> for NULL at (418:drivers/acpi/dispatcher/dswload.c).
>
> [19]
> 639 fs/cifs/readdir.c
> Possible null dereference of variable 
> "cifsFile->srch_inf.ntwrk_buf_start" in function call (smbCalcSize), 
> checked for NULL at (610:fs/cifs/readdir.c).
>
>
> [20]
> 197, 198 fs/ocfs2/aops.c
> Possible null dereference of variable "page" checked for NULL at 
> (201:fs/ocfs2/aops.c).
> -
> To unsubscribe from this list: send the line "unsubscribe 
> linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>