drm/mm: Fix NULL pointer dereference in allocator

While searching for first hole (get_first_hole) and next free hole
(get_next_hole) from rbtree, rb_first() and rb_next() functions may
return NULL pointer. A NULL pointer check can avoid the NULL pointer
dereference.

Change-Id: I21c918fff3ae995a9d8b2201030401d80ed1fd9e
Signed-off-by: Venkateswara Rao Tadikonda <vtadik@codeaurora.org>

1 files changed, 9 insertions, 2 deletions

diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c
index 6e4dd62d4ed9..dbf263d3511b 100644
--- a/drivers/gpu/drm/drm_mm.c
+++ b/drivers/gpu/drm/drm_mm.c
@@ -541,6 +541,9 @@ static struct drm_mm_node *get_first_hole(const struct drm_mm *mm,
 	if (flags & DRM_MM_SEARCH_BOTTOM_UP) {
 		struct rb_node *node = rb_first(&mm->holes_tree);
 
+		if (!node)
+			return NULL;
+
 		return rb_entry(node, struct drm_mm_node, hole_node);
 	} else if (flags & DRM_MM_SEARCH_BELOW) {
 		return list_entry((mm)->hole_stack.prev,
@@ -555,8 +558,12 @@ static struct drm_mm_node *get_next_hole(struct drm_mm_node *entry,
 		enum drm_mm_search_flags flags)
 {
 	if (flags & DRM_MM_SEARCH_BOTTOM_UP) {
-		return rb_entry(rb_next(&entry->hole_node),
-				struct drm_mm_node, hole_node);
+		struct rb_node *node = rb_next(&entry->hole_node);
+
+		if (!node)
+			return NULL;
+
+		return rb_entry(node, struct drm_mm_node, hole_node);
 	} else if (flags & DRM_MM_SEARCH_BELOW) {
 		return list_entry(entry->hole_stack.prev,
 				struct drm_mm_node, hole_stack);