| Message ID | b7052ac0-98e4-433b-ad58-f563bf51858c@stanley.mountain (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv() | expand |
On Mon, 17 Feb 2025 10:31:21 +0300 Dan Carpenter <dan.carpenter@linaro.org> wrote: Thanks for catching this! Acked-by: Zhi Wang <zhiw@nvidia.com> > If "rpc" is an error pointer then return directly. Otherwise it leads > to an error pointer dereference. > > Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > index 2075cad63805..db2602e88006 100644 > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries) > if (IS_ERR(buf)) { > kvfree(info.gsp_rpc_buf); > info.gsp_rpc_buf = NULL; > + return buf; > } > > if (expected <= max_rpc_size)
On Mon, Feb 17, 2025 at 10:31:21AM +0300, Dan Carpenter wrote: > If "rpc" is an error pointer then return directly. Otherwise it leads > to an error pointer dereference. > > Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Applied to drm-misc-next, thanks!
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c index 2075cad63805..db2602e88006 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries) if (IS_ERR(buf)) { kvfree(info.gsp_rpc_buf); info.gsp_rpc_buf = NULL; + return buf; } if (expected <= max_rpc_size)
If "rpc" is an error pointer then return directly. Otherwise it leads to an error pointer dereference. Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 + 1 file changed, 1 insertion(+)