From: sashiko-bot@kernel.org
To: "Hongling Zeng" <zenghongling@kylinos.cn>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v5 1/5] nouveau/gsp/rpc: Document RPC function return value contracts
Date: Mon, 22 Jun 2026 08:21:56 +0000 [thread overview]
Message-ID: <20260622082156.D2A1E1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260622081136.61695-2-zenghongling@kylinos.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] RPC error path propagates NULL instead of ERR_PTR(), leading to silent failures and NULL pointer dereferences.
--
commit 79a7510afd6195ece62a51a8ba00ae15d75a0ac9
Author: Hongling Zeng <zenghongling@kylinos.cn>
nouveau/gsp/rpc: Document RPC function return value contracts
Add kernel-doc comments to document the return value semantics of
RPC functions in r535/rpc.c. This clarifies which functions can return
NULL, error pointers, or both.
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c
> index 3ca3de8f43408..b4b2b5c00ab4e 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c
[ ... ]
> @@ -283,6 +300,15 @@ r535_gsp_msgq_recv_one_elem(struct nvkm_gsp *gsp,
> return buf;
> }
>
> +/**
> + * r535_gsp_msgq_recv - Receive RPC message(s) from GSP queue
> + * @gsp: GSP device
> + * @gsp_rpc_len: Expected RPC length
> + * @retries: Retry counter
> + *
> + * Return: Pointer to received buffer on success, ERR_PTR() on error,
> + * or NULL if RPC length is invalid.
> + */
[Severity: High]
This is a pre-existing issue, but does documenting NULL as a valid return
for an invalid RPC length mask an existing bug in the error path?
Currently, r535_gsp_msgq_recv() returns NULL when the length is invalid:
if (WARN_ON(rpc->length > max_rpc_size))
return NULL;
This NULL propagates up through r535_gsp_msg_recv() and
r535_gsp_rpc_handle_reply() to callers like r535_gsp_get_static_info(),
which only checks for an error pointer:
rpc = nvkm_gsp_rpc_rd(gsp, NV_VGPU_MSG_FUNCTION_GET_GSP_STATIC_INFO, sizeof(*rpc));
if (IS_ERR(rpc))
return PTR_ERR(rpc);
gsp->internal.client.object.handle = rpc->hInternalClient;
Since IS_ERR(NULL) evaluates to false, this leads to an immediate NULL
pointer dereference.
In other cases like r535_gsp_rpc_rm_ctrl_push(), the error is silently
swallowed:
rpc = nvkm_gsp_rpc_push(gsp, rpc, NVKM_GSP_RPC_REPLY_RECV, repc);
if (IS_ERR_OR_NULL(rpc)) {
*params = NULL;
return PTR_ERR(rpc);
}
Because PTR_ERR(NULL) evaluates to 0, the function incorrectly returns
success on a failed RPC message.
Should r535_gsp_msgq_recv() be changed to return an error pointer like
ERR_PTR(-EIO) instead of NULL, and the documentation updated to reflect
that failure mode?
> static void *
> r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries)
> {
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622081136.61695-1-zenghongling@kylinos.cn?part=1
next prev parent reply other threads:[~2026-06-22 8:22 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 8:11 [PATCH v5 0/5] nouveau/gsp: Clean up IS_ERR vs IS_ERR_OR_NULL usage Hongling Zeng
2026-06-22 8:11 ` [PATCH v5 1/5] nouveau/gsp/rpc: Document RPC function return value contracts Hongling Zeng
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 8:21 ` sashiko-bot [this message]
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 9:18 ` sashiko-bot
2026-06-22 8:11 ` [PATCH v5 2/5] nouveau/gsp/rpc: Cleanup incorrect IS_ERR_OR_NULL in rpc.c Hongling Zeng
2026-06-22 9:22 ` sashiko-bot
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 8:27 ` sashiko-bot
2026-06-22 8:11 ` [PATCH v5 3/5] nouveau/gsp/rm/alloc: Cleanup IS_ERR_OR_NULL usage Hongling Zeng
2026-06-22 9:19 ` sashiko-bot
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 8:25 ` sashiko-bot
2026-06-22 8:11 ` [PATCH v5 4/5] nouveau/gsp/rm/bar: " Hongling Zeng
2026-06-22 8:23 ` sashiko-bot
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 9:30 ` sashiko-bot
2026-06-22 8:11 ` [PATCH v5 5/5] nouveau/gsp: Cleanup IS_ERR_OR_NULL in nvkm_gsp_rpc_rd() Hongling Zeng
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 8:36 ` sashiko-bot
2026-06-22 8:11 ` Hongling Zeng
2026-06-22 9:32 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622082156.D2A1E1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=zenghongling@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.