From: Danilo Krummrich <dakr@kernel.org>
To: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
Cc: lyude@redhat.com, airlied@gmail.com, simona@ffwll.ch,
	bskeggs@redhat.com,  kherbst@redhat.com,
	dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org,
	linux-kernel@vger.kernel.org, akhileshpatilvnit@gmail.com,
	skhan@linuxfoundation.org
Subject: Re: [PATCH] drm: nouveau: fifo: ga100: fix null pointer dereferences
Date: Sat, 9 Aug 2025 13:57:56 +0200
Message-ID: <2cbb1df8-bb1c-4bae-8be0-c2ce2c7fa6fc@kernel.org>
In-Reply-To: <aJcACwrvcjCq78eH@bhairav-test.ee.iitb.ac.in>

Hi Akhilesh,

On 8/9/25 10:00 AM, Akhilesh Patil wrote:
> Fix potential NULL pointer dereference in ga100_fifo_nonstall_allow()
> and ga100_fifo_nonstall_block() when nvkm_runl_get() returns NULL.
> Fix CVE-476 as reported by coverity tool (CID: 1660771)
> 
> Fixes: 55e1a5996085 ("drm/nouveau/fifo/ga100-: add per-runlist nonstall intr handling")
> Addresses-Coverity-ID: 1660771
> Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>

Thanks for the patch.

> ---
>   drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> index e74493a4569e..a441fb602f28 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> @@ -520,7 +520,9 @@ ga100_fifo_nonstall_block(struct nvkm_event *event, int type, int index)
>   	struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
>   	struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
>   
> -	nvkm_inth_block(&runl->nonstall.inth);
> +	WARN_ON(!runl);

There are two potential cases here. Either nvkm_runl_get() may expectedly return
NULL in this context, or nvkm_runl_get() returning NULL would be a bug.

In the former case we should gracefully handle it, i.e. no WARN_ON() etc. In the
latter case, there is no need to check, otherwise we'd need to check every
pointer for NULL all the time.

In this case it should be the latter, so the code should be correct as is.

> +	if (runl)
> +		nvkm_inth_block(&runl->nonstall.inth);
>   }
>   
>   static void
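
Review bot: In ga100_fifo_nonstall_block(), `WARN_ON(!runl);` followed by a separate `if (runl)` tests the same pointer twice; WARN_ON() evaluates to its condition, so if the check stays it can be written as `if (WARN_ON(!runl)) return;`. The changelog cites only the Coverity report and does not name a path on which nvkm_runl_get() returns NULL for the index passed here, which is what decides whether a check belongs in this function at all. On a system running with panic_on_warn set, the WARN_ON() itself stops the machine, so the added lines do not make a NULL return survivable there.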
> @@ -529,7 +531,9 @@ ga100_fifo_nonstall_allow(struct nvkm_event *event, int type, int index)
>   	struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
>   	struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
>   
> -	nvkm_inth_allow(&runl->nonstall.inth);
> +	WARN_ON(!runl);
> +	if (runl)
> +		nvkm_inth_allow(&runl->nonstall.inth);
>   }
>   
>   const struct nvkm_event_func
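
Review bot: In ga100_fifo_nonstall_allow(), skipping nvkm_inth_allow() when runl is NULL means the nonstall interrupt is never enabled, and because the function returns void the caller cannot tell that this happened. If a NULL runl is a state this path must tolerate, the changelog should say how it arises and what the event's consumer is expected to observe; if it is not, the original unconditional call states that invariant more clearly than a warning plus a silent skip.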


Thread overview: 2+ messages
2025-08-09  8:00 [PATCH] drm: nouveau: fifo: ga100: fix null pointer dereferences Akhilesh Patil
2025-08-09 11:57 ` Danilo Krummrich [this message]
