[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()

Dan Carpenter posted 1 patch 10 months ago
drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
1 file changed, 1 insertion(+)
[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
Posted by Dan Carpenter 10 months ago
If "rpc" is an error pointer then return directly.  Otherwise it leads
to an error pointer dereference.

Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
index 2075cad63805..db2602e88006 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
@@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries)
 	if (IS_ERR(buf)) {
 		kvfree(info.gsp_rpc_buf);
 		info.gsp_rpc_buf = NULL;
+		return buf;
 	}
 
 	if (expected <= max_rpc_size)
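Review bot: The commit message calls the error pointer "rpc", but the variable tested and returned in this hunk is `buf` (`if (IS_ERR(buf))`, `return buf;`); the changelog should name `buf` so it matches the code. With the early return in place, the `info.gsp_rpc_buf = NULL;` store just before it only matters if `info` outlives this call. If `info` is a local, the store can be dropped; otherwise a short comment saying who reads it afterwards would help.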
-- 
2.47.2
Re: [PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
Posted by Danilo Krummrich 10 months ago
On Mon, Feb 17, 2025 at 10:31:21AM +0300, Dan Carpenter wrote:
> If "rpc" is an error pointer then return directly.  Otherwise it leads
> to an error pointer dereference.
> 
> Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Applied to drm-misc-next, thanks!
Re: [PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
Posted by Zhi Wang 10 months ago
On Mon, 17 Feb 2025 10:31:21 +0300
Dan Carpenter <dan.carpenter@linaro.org> wrote:

Thanks for catching this!

Acked-by: Zhi Wang <zhiw@nvidia.com>

> If "rpc" is an error pointer then return directly.  Otherwise it leads
> to an error pointer dereference.
> 
> Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>  drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> index 2075cad63805..db2602e88006 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries)
>  	if (IS_ERR(buf)) {
>  		kvfree(info.gsp_rpc_buf);
>  		info.gsp_rpc_buf = NULL;
> +		return buf;
>  	}
>  
>  	if (expected <= max_rpc_size)
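Review bot: The added `return buf;` hands the ERR_PTR value to the callers of r535_gsp_msgq_recv(), and nothing in the quoted hunk shows that side. It is worth confirming that every caller tests the result with IS_ERR() rather than a NULL check, otherwise the dereference only moves up one level. The changelog could also say which statement reached after falling through to `if (expected <= max_rpc_size)` dereferenced the error pointer, so that anyone backporting the fix can judge its impact.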