Re: [PATCH] nouveau/gsp: fix NULL pointer dereference in r535 nvenc/ofs alloc

[Hongling Zeng <zhongling0719@126.com>]

   Hi Danilo,

Thank you for the feedback. You're right.

  After tracing through the call chain:
nvkm_gsp_rm_alloc_get()
     └─> r535_gsp_rpc_rm_alloc_get()
         └─> r535_gsp_rpc_get()
             └─> r535_gsp_cmdq_get()
                 └─> kvzalloc()

  r535_gsp_cmdq_get() returns ERR_PTR(-ENOMEM)
   on allocation failure, not NULL. So NULL is never actually returned.

   I found a similar issue in sunrpc where IS_ERR_OR_NULL() is actively 
harmful -
   PTR_ERR(NULL) would return 0 (EOF), masking real errors. This 
confirms the pattern
   you identified.

   Should I submit a patch to clean up the IS_ERR_OR_NULL() checks in:
   - nvkm_gsp_rm_alloc_get() / nvkm_gsp_rm_alloc()
   - nvkm_gsp_rpc_rd()
   - All the callers

   Or would you prefer to handle this differently?

   Regards,
   Hongling


在 2026年05月26日 21:16, Danilo Krummrich 写道:
> On Tue May 26, 2026 at 3:47 AM CEST, Hongling Zeng wrote:
>> nvkm_gsp_rm_alloc_get() can return NULL as well as error pointers.
>> The current code only checks for error pointers with IS_ERR(), which
>> would lead to a NULL pointer dereference if NULL is returned.
>>
>> Fix by using IS_ERR_OR_NULL() instead of IS_ERR(), matching the
>> pattern used in nvkm_gsp_rm_alloc().
> There was a similar patch [1] a while ago for another callsite. I replied:
>
> 	Are we sure that this can ever return NULL in the first place? I know
> 	that nvkm_gsp_rm_alloc_get() internally checks for IS_ERR_OR_NULL(), but
> 	I couldn't find anything within the callchain that would actually return
> 	NULL.
> 	
> 	That said, I think IS_ERR_OR_NULL() checks are misleading.
>
> Is there a real case where NULL can be returned? If not, let's remove the
> IS_ERR_OR_NULL() throughout the whole chain instead.
>
> [1] https://lore.kernel.org/lkml/20260418071412.86022-1-sunliming@linux.dev/