[PATCH next] drm/nouveau: Fix error pointer dereference in r535_gsp_msgq_recv()

Mon Feb 17 14:56:33 UTC 2025

On Mon, 17 Feb 2025 10:31:21 +0300
Dan Carpenter <dan.carpenter at linaro.org> wrote:

Thanks for catching this!

Acked-by: Zhi Wang <zhiw at nvidia.com>

> If "rpc" is an error pointer then return directly.  Otherwise it leads
> to an error pointer dereference.
> 
> Fixes: 50f290053d79 ("drm/nouveau: support handling the return of large GSP message")
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
> ---
>  drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> index 2075cad63805..db2602e88006 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
> @@ -348,6 +348,7 @@ r535_gsp_msgq_recv(struct nvkm_gsp *gsp, u32 gsp_rpc_len, int *retries)
>  	if (IS_ERR(buf)) {
>  		kvfree(info.gsp_rpc_buf);
>  		info.gsp_rpc_buf = NULL;
> +		return buf;
>  	}
>  
>  	if (expected <= max_rpc_size)