* [PATCH] drm: nouveau: fifo: ga100: fix null pointer dereferences
@ 2025-08-09 8:00 Akhilesh Patil
From: Akhilesh Patil @ 2025-08-09 8:00 UTC (permalink / raw)
To: lyude, dakr, airlied, simona, bskeggs, kherbst
Cc: dri-devel, nouveau, linux-kernel, akhileshpatilvnit, skhan
Fix potential NULL pointer dereference in ga100_fifo_nonstall_allow()
and ga100_fifo_nonstall_block() when nvkm_runl_get() returns NULL.
Fix CVE-476 as reported by coverity tool (CID: 1660771)
Fixes: 55e1a5996085 ("drm/nouveau/fifo/ga100-: add per-runlist nonstall intr handling")
Addresses-Coverity-ID: 1660771
Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
---
drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
index e74493a4569e..a441fb602f28 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
@@ -520,7 +520,9 @@ ga100_fifo_nonstall_block(struct nvkm_event *event, int type, int index)
struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
- nvkm_inth_block(&runl->nonstall.inth);
+ WARN_ON(!runl);
+ if (runl)
+ nvkm_inth_block(&runl->nonstall.inth);
}
static void
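Review bot: In ga100_fifo_nonstall_block(), "WARN_ON(!runl);" followed by a separate "if (runl)" tests the same pointer twice. WARN_ON() evaluates to its condition, so "if (WARN_ON(!runl)) return;" expresses the same thing in one statement and leaves the nvkm_inth_block() call at its original indentation. The commit message should also say whether nvkm_runl_get() can really return NULL for this index or whether the change only quiets the Coverity report, since that decides whether a warning belongs here at all.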
@@ -529,7 +531,9 @@ ga100_fifo_nonstall_allow(struct nvkm_event *event, int type, int index)
struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
- nvkm_inth_allow(&runl->nonstall.inth);
+ WARN_ON(!runl);
+ if (runl)
+ nvkm_inth_allow(&runl->nonstall.inth);
}
const struct nvkm_event_func
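Review bot: In ga100_fifo_nonstall_allow(), skipping nvkm_inth_allow() when runl is NULL means the nonstall interrupt handler is never allowed, and because the function returns void the caller is not told. If a NULL runl is reachable on this path, a plain WARN_ON() prints a backtrace on every call, so WARN_ON_ONCE() would bound the log output. If it is not reachable, the added check hides a broken invariant instead of fixing it, and the commit message should state which of the two cases applies.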
--
2.34.1
* Re: [PATCH] drm: nouveau: fifo: ga100: fix null pointer dereferences
@ 2025-08-09 11:57 ` Danilo Krummrich
From: Danilo Krummrich @ 2025-08-09 11:57 UTC (permalink / raw)
To: Akhilesh Patil
Cc: lyude, airlied, simona, bskeggs, kherbst, dri-devel, nouveau,
linux-kernel, akhileshpatilvnit, skhan
Hi Akhilesh,
On 8/9/25 10:00 AM, Akhilesh Patil wrote:
> Fix potential NULL pointer dereference in ga100_fifo_nonstall_allow()
> and ga100_fifo_nonstall_block() when nvkm_runl_get() returns NULL.
> Fix CVE-476 as reported by coverity tool (CID: 1660771)
>
> Fixes: 55e1a5996085 ("drm/nouveau/fifo/ga100-: add per-runlist nonstall intr handling")
> Addresses-Coverity-ID: 1660771
> Signed-off-by: Akhilesh Patil <akhilesh@ee.iitb.ac.in>
Thanks for the patch.
> ---
> drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> index e74493a4569e..a441fb602f28 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c
> @@ -520,7 +520,9 @@ ga100_fifo_nonstall_block(struct nvkm_event *event, int type, int index)
> struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
> struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
>
> - nvkm_inth_block(&runl->nonstall.inth);
> + WARN_ON(!runl);

There's two potential cases here. Either nvkm_runl_get() may expectedly return
NULL in this context, or nvkm_runl_get() returning NULL would be a bug.

In the former case we should gracefully handle it, i.e. no WARN_ON() etc. In the
latter case, there is no need to check, otherwise we'd need to check every
pointer for NULL all the time.

In this case it should be the latter, so the code should be correct as is.

> + if (runl)
> + nvkm_inth_block(&runl->nonstall.inth);
> }
>
> static void
> @@ -529,7 +531,9 @@ ga100_fifo_nonstall_allow(struct nvkm_event *event, int type, int index)
> struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event);
> struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0);
>
> - nvkm_inth_allow(&runl->nonstall.inth);
> + WARN_ON(!runl);
> + if (runl)
> + nvkm_inth_allow(&runl->nonstall.inth);
> }
>
> const struct nvkm_event_func