| Message ID | f71996d9-d1cb-45ea-a4b2-2dfc21312d8c@kili.mountain (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | nouveau/gsp/r535: Fix a NULL vs error pointer bug | expand |
On 11/8/23 08:40, Dan Carpenter wrote: > The r535_gsp_cmdq_get() function returns error pointers but this code > checks for NULL. Also we need to propagate the error pointer back to > the callers in r535_gsp_rpc_get(). Returning NULL will lead to a NULL > pointer dereference. > > Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Danilo Krummrich <dakr@redhat.com> > --- > drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > index e31f9641114b..f8409e2f9fef 100644 > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > @@ -689,8 +689,8 @@ r535_gsp_rpc_get(struct nvkm_gsp *gsp, u32 fn, u32 argc) > struct nvfw_gsp_rpc *rpc; > > rpc = r535_gsp_cmdq_get(gsp, ALIGN(sizeof(*rpc) + argc, sizeof(u64))); > - if (!rpc) > - return NULL; > + if (IS_ERR(rpc)) > + return ERR_CAST(rpc); > > rpc->header_version = 0x03000000; > rpc->signature = ('C' << 24) | ('P' << 16) | ('R' << 8) | 'V';
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c index e31f9641114b..f8409e2f9fef 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c @@ -689,8 +689,8 @@ r535_gsp_rpc_get(struct nvkm_gsp *gsp, u32 fn, u32 argc) struct nvfw_gsp_rpc *rpc; rpc = r535_gsp_cmdq_get(gsp, ALIGN(sizeof(*rpc) + argc, sizeof(u64))); - if (!rpc) - return NULL; + if (IS_ERR(rpc)) + return ERR_CAST(rpc); rpc->header_version = 0x03000000; rpc->signature = ('C' << 24) | ('P' << 16) | ('R' << 8) | 'V';
The r535_gsp_cmdq_get() function returns error pointers but this code checks for NULL. Also we need to propagate the error pointer back to the callers in r535_gsp_rpc_get(). Returning NULL will lead to a NULL pointer dereference. Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)