Dan Carpenter
2025-Feb-17 07:31 UTC
[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
If "rpc" is an error pointer then return directly. Otherwise it leads
to an error pointer dereference.
Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP
message")
Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
index 2075cad63805..db2602e88006 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
@@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len,
int *retries)
if (IS_ERR(buf)) {
kvfree(info.gsp_rpc_buf);
info.gsp_rpc_buf = NULL;
+ return buf;
}
if (expected <= max_rpc_size)
--
2.47.2
Zhi Wang
2025-Feb-17 14:56 UTC
[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
On Mon, 17 Feb 2025 10:31:21 +0300 Dan Carpenter <dan.carpenter at linaro.org> wrote: Thanks for catching this! Acked-by: Zhi Wang <zhiw at nvidia.com>> If "rpc" is an error pointer then return directly. Otherwise it leads > to an error pointer dereference. > > Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message") > Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org> > --- > drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > index 2075cad63805..db2602e88006 100644 > --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c > @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries) > if (IS_ERR(buf)) { > kvfree(info.gsp_rpc_buf); > info.gsp_rpc_buf = NULL; > + return buf; > } > > if (expected <= max_rpc_size)
Danilo Krummrich
2025-Feb-19 14:02 UTC
[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
On Mon, Feb 17, 2025 at 10:31:21AM +0300, Dan Carpenter wrote:> If "rpc" is an error pointer then return directly. Otherwise it leads > to an error pointer dereference. > > Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message") > Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>Applied to drm-misc-next, thanks!