From patchwork Tue Jul 31 15:28:26 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lyude Paul X-Patchwork-Id: 10550921 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0E58E13B8 for ; Tue, 31 Jul 2018 15:28:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F27452B136 for ; Tue, 31 Jul 2018 15:28:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E6BD32B142; Tue, 31 Jul 2018 15:28:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 994522B136 for ; Tue, 31 Jul 2018 15:28:37 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 8F4E16E1B7; Tue, 31 Jul 2018 15:28:34 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by gabe.freedesktop.org (Postfix) with ESMTPS id 317A06E176; Tue, 31 Jul 2018 15:28:33 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 62FB87A7E5; Tue, 31 Jul 2018 15:28:32 +0000 (UTC) Received: from malachite.redhat.com (ovpn-121-83.rdu2.redhat.com [10.10.121.83]) by smtp.corp.redhat.com (Postfix) with ESMTP id DD8C92142F20; Tue, 31 Jul 2018 15:28:30 +0000 (UTC) From: Lyude Paul To: nouveau@lists.freedesktop.org Subject: [PATCH v3] drm/nouveau: Fix potential memory access error in debugfs_pstate_get/set() Date: Tue, 31 Jul 2018 11:28:26 -0400 Message-Id: <20180731152827.28573-1-lyude@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 31 Jul 2018 15:28:32 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 31 Jul 2018 15:28:32 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lyude@redhat.com' RCPT:'' X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: David Airlie , linux-kernel@vger.kernel.org, Karol Herbst , dri-devel@lists.freedesktop.org, Ben Skeggs MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP nouveau_debugfs(drm) will never be NULL, because we're taking the value of the potentially null device pointer and adding to it so it isn't 0x0. So, check if drm is NULL instead. Signed-off-by: Lyude Paul Cc: Karol Herbst --- Changes since v2: - Also fix nouveau_debugfs_pstate_set() drivers/gpu/drm/nouveau/nouveau_debugfs.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c index 963a4dba8213..b7440b542cb2 100644 --- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c +++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c @@ -50,13 +50,15 @@ static int nouveau_debugfs_pstate_get(struct seq_file *m, void *data) { struct drm_device *drm = m->private; - struct nouveau_debugfs *debugfs = nouveau_debugfs(drm); - struct nvif_object *ctrl = &debugfs->ctrl; + struct nouveau_debugfs *debugfs; + struct nvif_object *ctrl; struct nvif_control_pstate_info_v0 info = {}; int ret, i; - if (!debugfs) + if (!drm) return -ENODEV; + debugfs = nouveau_debugfs(drm); + ctrl = &debugfs->ctrl; ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_INFO, &info, sizeof(info)); if (ret) @@ -121,14 +123,16 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf, { struct seq_file *m = file->private_data; struct drm_device *drm = m->private; - struct nouveau_debugfs *debugfs = nouveau_debugfs(drm); - struct nvif_object *ctrl = &debugfs->ctrl; + struct nouveau_debugfs *debugfs; + struct nvif_object *ctrl; struct nvif_control_pstate_user_v0 args = { .pwrsrc = -EINVAL }; char buf[32] = {}, *tmp, *cur = buf; long value, ret; - if (!debugfs) + if (!drm) return -ENODEV; + debugfs = nouveau_debugfs(drm); + ctrl = &debugfs->ctrl; if (len >= sizeof(buf)) return -EINVAL;