From nobody Tue Apr 7 02:34:28 2026 Received: from mail.nppct.ru (mail.nppct.ru [195.133.245.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7ED6C3DFC60 for ; Mon, 16 Mar 2026 18:42:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.133.245.4 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773686579; cv=none; b=GhtM2eL3R/oCQdfx0HplYUqh92T4823NWT62Pw9zUYcB0HvRxxpLXLOkDB/DPc+sOUouHEKhfII53ihUapJpIoTvs2wOpomnklVx10hLDfrCeRTbJlexiFlyC7wQEJF87f+gkHg9tlOrxWexubosi3NQM5ajoZtR1PiiInkSgo4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773686579; c=relaxed/simple; bh=3sBY4tW9sUTsq5I04TqNM0MDdmo2tDC1vEIhnJUCkOE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=jvsUDA9ew6jmPDA7H8fjVXeZWxX2qcD5JtnXASQ2+B/LDYOzTad86FHE0p7wf3OvbIKatQ5fg4iA8X/7xW3aAP0EZtlFWE55oj8ux2NsDBMxZBQi2e0KHvpv8ENWFYyMilo4kQluGG1mbt/fo7uNQaXxLQfLyRfE7si118/SNiM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru; spf=pass smtp.mailfrom=nppct.ru; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b=WEOmTW8w; arc=none smtp.client-ip=195.133.245.4 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=nppct.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=nppct.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=nppct.ru header.i=@nppct.ru header.b="WEOmTW8w" Received: from mail.nppct.ru (localhost [127.0.0.1]) by mail.nppct.ru (Postfix) with ESMTP id B09B21C0F8E for ; Mon, 16 Mar 2026 21:42:47 +0300 (MSK) Authentication-Results: mail.nppct.ru (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=nppct.ru DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nppct.ru; h= content-transfer-encoding:mime-version:x-mailer:message-id:date :date:subject:subject:to:from:from; s=dkim; t=1773686550; x= 1774550551; bh=3sBY4tW9sUTsq5I04TqNM0MDdmo2tDC1vEIhnJUCkOE=; b=W EOmTW8wz4XQv2m/+CXzziK+DNmUBAPgomyOVc+LmzAse1uQ0j8UpvljB79FOpv3X pIob8vRCVGWOMzyUrO0FpTpp4ZYJ17/PymS3QWOg+O+It5SJ+A4o2eaqB6Pf7gsk 0Uu3gFCypD2E+WCjZI3tBTLZaTaE6go8/hxbKD3HRQ= X-Virus-Scanned: Debian amavisd-new at mail.nppct.ru Received: from mail.nppct.ru ([127.0.0.1]) by mail.nppct.ru (mail.nppct.ru [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id DwxJGX8-q1Dh for ; Mon, 16 Mar 2026 21:42:30 +0300 (MSK) Received: from localhost.localdomain (unknown [87.249.24.51]) by mail.nppct.ru (Postfix) with ESMTPSA id 224FB1C0E83; Mon, 16 Mar 2026 21:41:59 +0300 (MSK) From: Alexey Nepomnyashih To: Lyude Paul Cc: Alexey Nepomnyashih , Danilo Krummrich , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Ben Skeggs , dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, stable@vger.kernel.org Subject: [PATCH v2] drm/nouveau/disp: Fix potential NULL pointer dereference in nouveau_dp_irq Date: Mon, 16 Mar 2026 18:41:41 +0000 Message-ID: <20260316184143.82894-1-sdl@nppct.ru> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The issue was discovered through static analysis after reviewing changes introduced by commit 773eb04d14a1 ("drm/nouveau/disp: expose conn event class"). Function nouveau_dp_irq() dereferences the encoder pointer before verifying that it is valid. The drm pointer is initialized using outp->base.base.dev prior to the NULL check: struct nouveau_drm *drm =3D nouveau_drm(outp->base.base.dev); If no encoder is associated with the connector, this leads to a NULL pointer dereference. Move the drm initialization after the NULL check. Fixes: 773eb04d14a1 ("drm/nouveau/disp: expose conn event class") Cc: stable@vger.kernel.org Signed-off-by: Alexey Nepomnyashih --- drivers/gpu/drm/nouveau/nouveau_dp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_dp.c b/drivers/gpu/drm/nouveau= /nouveau_dp.c index 55691ec44aba..738802358d85 100644 --- a/drivers/gpu/drm/nouveau/nouveau_dp.c +++ b/drivers/gpu/drm/nouveau/nouveau_dp.c @@ -486,7 +486,7 @@ nouveau_dp_irq(struct work_struct *work) container_of(work, typeof(*nv_connector), irq_work); struct drm_connector *connector =3D &nv_connector->base; struct nouveau_encoder *outp =3D find_encoder(connector, DCB_OUTPUT_DP); - struct nouveau_drm *drm =3D nouveau_drm(outp->base.base.dev); + struct nouveau_drm *drm; struct nv50_mstm *mstm; u64 hpd =3D 0; int ret; @@ -494,6 +494,8 @@ nouveau_dp_irq(struct work_struct *work) if (!outp) return; =20 + drm =3D nouveau_drm(outp->base.base.dev); + mstm =3D outp->dp.mstm; NV_DEBUG(drm, "service %s\n", connector->name); =20 --=20 2.43.0