Faults in Linux: Not checking for Null before dereferencing

As part of my project, while reading the reports, I came to know about bugs of the type where NULL is not checked before dereferencing. There were many in versions 2.4.x and 2.6.x. I was also required to list the FPs (false positives) reported by Coccinelle. This post is about what I found for the case of whether NULL return values are tested before being dereferenced or not.

You can view the complete report as a PDF here and as an HTML file here.

Why is dereferencing NULL a bug?

  • It is undefined behaviour, which means anything can happen.

Have a look at what Robert Love says about this.

Types I studied?

There was only one: the case that checks whether NULL return values are tested before being dereferenced.

What did I find?

Basically, most of the bugs occur when memory is allocated and the allocator may return NULL instead of a pointer to the allocated memory, yet objp (the pointer receiving the result) is not checked for NULL before being used or dereferenced. We should check objp before use whenever we allocate memory into it, since the allocation may return NULL.

Most of the FPs were where GFP_KERNEL, GFP_NOIO or GFP_NOFS are used. But failure is not possible with these. I'll be writing a separate blog post on them.

Example Bug?

Have a look at this: here memory is allocated using alloc_tty_driver into serial_driver, but it is not checked for NULL before being used at line 220 as serial_driver->owner. A bug!
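As an added example (not code from the post or from the kernel), here is the same shape in plain C: a constructed allocator standing in for alloc_tty_driver() that can return NULL, the buggy version that dereferences the result straight away, and the fixed version that tests the return value first. The names serial_driver, alloc_serial_driver, inject_alloc_failure and run_checks are assumptions made for this demonstration.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed stand-in for a driver object (not the kernel's struct tty_driver)
 * and a fault-injection switch so the checks can force the allocator to fail. */
struct serial_driver { const char *owner; };
static int inject_alloc_failure = 0;

/* Stand-in for alloc_tty_driver(): NULL means memory could not be obtained. */
static struct serial_driver *alloc_serial_driver(void)
{
    if (inject_alloc_failure)
        return NULL;
    return calloc(1, sizeof(struct serial_driver));
}

/* Buggy shape from the post: the result is dereferenced with no NULL test. */
static int serial_init_buggy(struct serial_driver **out)
{
    struct serial_driver *serial_driver = alloc_serial_driver();
    serial_driver->owner = "example";   /* undefined behaviour if NULL came back */
    *out = serial_driver;
    return 0;
}

/* Fixed shape: test the return value before the first dereference. */
static int serial_init_fixed(struct serial_driver **out)
{
    struct serial_driver *serial_driver = alloc_serial_driver();
    if (!serial_driver)
        return -ENOMEM;                 /* report failure to the caller instead */
    serial_driver->owner = "example";
    *out = serial_driver;
    return 0;
}

/* Returns 1 when the fixed version behaves correctly with and without allocator failure. */
static int run_checks(void)
{
    struct serial_driver *a = NULL, *b = NULL, *c = NULL;
    int ok = 1;
    inject_alloc_failure = 0;
    ok &= serial_init_buggy(&a) == 0 && a != NULL;   /* only safe while memory is there */
    ok &= serial_init_fixed(&b) == 0 && b != NULL && b->owner != NULL;
    inject_alloc_failure = 1;                        /* allocation now "fails" */
    ok &= serial_init_fixed(&c) == -ENOMEM && c == NULL;
    inject_alloc_failure = 0;
    free(a); free(b);
    return ok;
}
```

The buggy version is only ever called on the path where the allocation succeeds; with inject_alloc_failure set it would dereference NULL, which is exactly the report's finding.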

Example FP?

Have a look at this: here NULL is not possible. You can find more in the report linked above.

#bugs, #c, #coccinelle, #foss-2, #fossopw, #null-return-values