Re: [PATCH] nouveau/gsp: fix NULL pointer dereference in r535 nvenc/ofs alloc

[Hongling Zeng]

  Hi Danilo,

Thank you for the feedback. You're right.

 After tracing through the call chain:
nvkm_gsp_rm_alloc_get()
    └─> r535_gsp_rpc_rm_alloc_get()
        └─> r535_gsp_rpc_get()
            └─> r535_gsp_cmdq_get()
                └─> kvzalloc()

 r535_gsp_cmdq_get() returns ERR_PTR(-ENOMEM)
  on allocation failure, not NULL. So NULL is never actually returned.

  I found a similar issue in sunrpc where IS_ERR_OR_NULL() is actively 
harmful -
  PTR_ERR(NULL) would return 0 (EOF), masking real errors. This 
confirms the pattern
  you identified.

  Should I submit a patch to clean up the IS_ERR_OR_NULL() checks in:
  - nvkm_gsp_rm_alloc_get() / nvkm_gsp_rm_alloc()
  - nvkm_gsp_rpc_rd()
  - All the callers

  Or would you prefer to handle this differently?

  Regards,
  Hongling


在 2026年05月26日 21:16, Danilo Krummrich 写道:
> On Tue May 26, 2026 at 3:47 AM CEST, Hongling Zeng wrote:
> > nvkm_gsp_rm_alloc_get() can return NULL as well as error pointers.
> > The current code only checks for error pointers with IS_ERR(), which
> > would lead to a NULL pointer dereference if NULL is returned.
> >
> > Fix by using IS_ERR_OR_NULL() instead of IS_ERR(), matching the
> > pattern used in nvkm_gsp_rm_alloc().
> There was a similar patch [1] a while ago for another callsite. I replied:
>
> 	Are we sure that this can ever return NULL in the first place? I know
> 	that nvkm_gsp_rm_alloc_get() internally checks for IS_ERR_OR_NULL(), but
> 	I couldn't find anything within the callchain that would actually return
> 	NULL.
> 	
> 	That said, I think IS_ERR_OR_NULL() checks are misleading.
>
> Is there a real case where NULL can be returned? If not, let's remove the
> IS_ERR_OR_NULL() throughout the whole chain instead.
>
> [1] https://lore.kernel.org/lkml/20260418071412.86022-1-sunliming@xxxxxxxxx/