Re: [PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()
From: Zhi Wang
Date: Mon Feb 17 2025 - 09:59:02 EST
On Mon, 17 Feb 2025 10:31:21 +0300
Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
Thanks for catching this!
Acked-by: Zhi Wang <zhiw@xxxxxxxxxx>
> If "rpc" is an error pointer then return directly. Otherwise it leads
> to an error pointer dereference.
>
> Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> index 2075cad63805..db2602e88006 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries)
> if (IS_ERR(buf)) {
> kvfree(info.gsp_rpc_buf);
> info.gsp_rpc_buf = NULL;
> + return buf;
> }
>
> if (expected <= max_rpc_size)