[PATCH] nouveau/gsp: fix NULL pointer dereference in r535 nvenc/ofs alloc
From: Hongling Zeng
Date: Mon May 25 2026 - 21:47:43 EST
nvkm_gsp_rm_alloc_get() can return NULL as well as error pointers.
The current code only checks for error pointers with IS_ERR(), which
would lead to a NULL pointer dereference if NULL is returned.
Fix by using IS_ERR_OR_NULL() instead of IS_ERR(), matching the
pattern used in nvkm_gsp_rm_alloc().
Fixes: 7c2d25f1e408 ("drm/nouveau/gsp: add common code for engines/engine objects")
Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
---
drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c | 4 ++--
drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c
index acb3ce8bb9de..a67cc65abfcf 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/nvenc.c
@@ -30,8 +30,8 @@ r535_nvenc_alloc(struct nvkm_gsp_object *chan, u32 handle, u32 class, int inst,
NV_MSENC_ALLOCATION_PARAMETERS *args;
args = nvkm_gsp_rm_alloc_get(chan, handle, class, sizeof(*args), nvenc);
- if (WARN_ON(IS_ERR(args)))
- return PTR_ERR(args);
+ if (WARN_ON(IS_ERR_OR_NULL(args)))
+ return args ? PTR_ERR(args) : -EIO;
args->size = sizeof(*args);
args->engineInstance = inst;
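Review bot: The new NULL branch in `return args ? PTR_ERR(args) : -EIO;` picks -EIO without the hunk showing what a NULL return from nvkm_gsp_rm_alloc_get() means, so a reader cannot tell whether it signals an I/O failure, an allocation failure, or a result with no payload. A one-line comment above the check would settle this, for example `/* alloc_get returns NULL when <condition>; report it as -EIO */`, with the condition filled in from the getter. The same applies to the identical change in r535_ofa_alloc(). If NULL really is possible here, other callers of nvkm_gsp_rm_alloc_get() that test only IS_ERR() would presumably need the same check; none are visible in this patch. The body of r535_nvenc_alloc() starts and ends outside the hunk.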
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c
index 2156808cba4f..6d3b554108f9 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ofa.c
@@ -30,8 +30,8 @@ r535_ofa_alloc(struct nvkm_gsp_object *chan, u32 handle, u32 class, int inst,
NV_OFA_ALLOCATION_PARAMETERS *args;
args = nvkm_gsp_rm_alloc_get(chan, handle, class, sizeof(*args), ofa);
- if (WARN_ON(IS_ERR(args)))
- return PTR_ERR(args);
+ if (WARN_ON(IS_ERR_OR_NULL(args)))
+ return args ? PTR_ERR(args) : -EIO;
args->size = sizeof(*args);
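Review bot: `WARN_ON(IS_ERR_OR_NULL(args))` now also fires a warning for the NULL case, and on systems booted with panic_on_warn a WARN is fatal, so it matters whether this failure can be provoked by an ordinary object-allocation request rather than only by a driver bug. If it can, returning without the splat is the safer choice for the new case, e.g. `if (!args) return -EIO;` placed ahead of the existing `if (WARN_ON(IS_ERR(args)))` check. Whether the path is caller-triggerable is not visible from the hunk and should be confirmed; the same consideration applies to r535_nvenc_alloc(). The body of r535_ofa_alloc() continues outside the hunk.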
--
2.25.1