From: Hongling Zeng
To: lyude@redhat.com, dakr@kernel.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, simona@ffwll.ch, airlied@redhat.com, ttabi@nvidia.com, bskeggs@nvidia.com, dri-devel@lists.freedesktop.org
Cc: nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org, zhongling0719@126.com, Hongling Zeng
Subject: [PATCH] nouveau/gsp: fix NULL pointer dereference in r535 nvenc/ofs alloc
Date: Tue, 26 May 2026 09:47:21 +0800
Message-Id: <20260526014721.13299-1-zenghongling@kylinos.cn>

nvkm_gsp_rm_alloc_get() can return NULL as well as error pointers. The current code only checks for error pointers with IS_ERR(), which would lead to a NULL pointer dereference if NULL is returned.

Fix by using IS_ERR_OR_NULL() instead of IS_ERR(), matching the pattern used in nvkm_gsp_rm_alloc().

Fixes: 7c2d25f1e408 ("drm/nouveau/gsp: add common code for engines/engine objects")
Signed-off-by: Hongling Zeng

--- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c | 4 ++-- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c b/driv= ers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c index acb3ce8bb9de..a67cc65abfcf 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c @@ -30,8 +30,8 @@ r535_nvenc_alloc(struct nvkm_gsp_object *chan, u32 handle= , u32 class, int inst, NV_MSENC_ALLOCATION_PARAMETERS *args; =20 args =3D nvkm_gsp_rm_alloc_get(chan, handle, class, sizeof(*args), nvenc); - if (WARN_ON(IS_ERR(args))) - return PTR_ERR(args); + if (WARN_ON(IS_ERR_OR_NULL(args))) + return args ? PTR_ERR(args) : -EIO; =20 args->size =3D sizeof(*args); args->engineInstance =3D inst; diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c b/driver= s/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c index 2156808cba4f..6d3b554108f9 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c @@ -30,8 +30,8 @@ r535_ofa_alloc(struct nvkm_gsp_object *chan, u32 handle, = u32 class, int inst, NV_OFA_ALLOCATION_PARAMETERS *args; =20 args =3D nvkm_gsp_rm_alloc_get(chan, handle, class, sizeof(*args), ofa); - if (WARN_ON(IS_ERR(args))) - return PTR_ERR(args); + if (WARN_ON(IS_ERR_OR_NULL(args))) + return args ? PTR_ERR(args) : -EIO; =20 args->size =3D sizeof(*args); =20 --=20 2.25.1
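Review bot: In the r535_nvenc_alloc() hunk, the new `return args ? PTR_ERR(args) : -EIO;` picks -EIO for the NULL case, but neither the hunk nor the commit message says which path in nvkm_gsp_rm_alloc_get() returns NULL or why -EIO is the right errno for it. Please name that path in the commit message. Since `WARN_ON(IS_ERR_OR_NULL(args))` now also fires on NULL, also confirm that a backtrace is wanted for that condition rather than a quiet error return.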
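Review bot: In the r535_ofa_alloc() hunk, the check and ternary are an exact copy of the pair added to nvenc.c, so any other caller of nvkm_gsp_rm_alloc_get() that still tests only IS_ERR() would need the same two-line edit. Consider converting NULL to an ERR_PTR() once inside nvkm_gsp_rm_alloc_get(), which would let callers keep `if (WARN_ON(IS_ERR(args)))` and `return PTR_ERR(args);` unchanged. The subject line also says "nvenc/ofs" while this file and function are ofa.c and r535_ofa_alloc(), which is worth correcting in a v2.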