Message-ID: <30057caf791dd789fe715715d1c1973994a91953.camel@redhat.com>
Subject: Re: [PATCH] dispnv50: atom: fix an incorrect NULL check on list iterator
From: Lyude Paul
To: Xiaomeng Tong, bskeggs@redhat.com, kherbst@redhat.com, airlied@linux.ie, daniel@ffwll.ch
Cc: yangyingliang@huawei.com, contact@emersion.fr, airlied@gmail.com, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Date: Mon, 28 Mar 2022 17:20:40 -0400
In-Reply-To: <20220327073925.11121-1-xiam0nd.tong@gmail.com>

Reviewed-by: Lyude Paul

Will push this to the appropriate repository shortly.

On Sun, 2022-03-27 at 15:39 +0800, Xiaomeng Tong wrote:
> The bug is here:
>         return encoder;
>
> The list iterator value 'encoder' will *always* be set and non-NULL
> by drm_for_each_encoder_mask(), so it is incorrect to assume that the
> iterator value will be NULL if the list is empty or no element found.
> Otherwise it will bypass some NULL checks and lead to invalid memory
> access passing the check.
>
> To fix this bug, just return 'encoder' when found, otherwise return
> NULL.
>
> Cc: stable@vger.kernel.org
> Fixes: 12885ecbfe62d ("drm/nouveau/kms/nvd9-: Add CRC support")
> Signed-off-by: Xiaomeng Tong
> ---
>  drivers/gpu/drm/nouveau/dispnv50/atom.h |  6 +++---
>  drivers/gpu/drm/nouveau/dispnv50/crc.c  | 27 ++++++++++++++++++++-----
>  2 files changed, 25 insertions(+), 8 deletions(-)
> (also
> diff --git a/drivers/gpu/drm/nouveau/dispnv50/atom.h > b/drivers/gpu/drm/nouveau/dispnv50/atom.h > index 3d82b3c67dec..93f8f4f64578 100644 > --- a/drivers/gpu/drm/nouveau/dispnv50/atom.h > +++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h > @@ -160,14 +160,14 @@ nv50_head_atom_get(struct drm_atomic_state *state, > struct drm_crtc *crtc) >  static inline struct drm_encoder * >  nv50_head_atom_get_encoder(struct nv50_head_atom *atom) >  { > -       struct drm_encoder *encoder = NULL; > +       struct drm_encoder *encoder; >   >         /* We only ever have a single encoder */ >         drm_for_each_encoder_mask(encoder, atom->state.crtc->dev, >                                   atom->state.encoder_mask) > -               break; > +               return encoder; >   > -       return encoder; > +       return NULL; >  } >   >  #define nv50_wndw_atom(p) container_of((p), struct nv50_wndw_atom, state) > diff --git a/drivers/gpu/drm/nouveau/dispnv50/crc.c > b/drivers/gpu/drm/nouveau/dispnv50/crc.c > index 29428e770f14..b834e8a9ae77 100644 > --- a/drivers/gpu/drm/nouveau/dispnv50/crc.c > +++ b/drivers/gpu/drm/nouveau/dispnv50/crc.c 
> @@ -390,9 +390,18 @@ void nv50_crc_atomic_check_outp(struct nv50_atom *atom) >                 struct nv50_head_atom *armh = > nv50_head_atom(old_crtc_state); >                 struct nv50_head_atom *asyh = > nv50_head_atom(new_crtc_state); >                 struct nv50_outp_atom *outp_atom; > -               struct nouveau_encoder *outp = > -                       nv50_real_outp(nv50_head_atom_get_encoder(armh)); > -               struct drm_encoder *encoder = &outp->base.base; > +               struct nouveau_encoder *outp; > +               struct drm_encoder *encoder, *enc; > + > +               enc = nv50_head_atom_get_encoder(armh); > +               if (!enc) > +                       continue; > + > +               outp = nv50_real_outp(enc); > +               if (!outp) > +                       continue; > + > +               encoder = &outp->base.base; >   >                 if (!asyh->clr.crc) >                         continue; > @@ -443,8 +452,16 @@ void nv50_crc_atomic_set(struct nv50_head *head, >         struct drm_device *dev = crtc->dev; >         struct nv50_crc *crc = &head->crc; >         const struct nv50_crc_func *func = nv50_disp(dev)->core->func->crc; > -       struct nouveau_encoder *outp = > -               nv50_real_outp(nv50_head_atom_get_encoder(asyh)); > +       struct nouveau_encoder *outp; > +       struct drm_encoder *encoder; > + > +       encoder = nv50_head_atom_get_encoder(asyh); > +       if (!encoder) > +               return; > + > +       outp = nv50_real_outp(encoder); > +       if (!outp) > +               return; >   >         func->set_src(head, outp->or, nv50_crc_source_type(outp, asyh- > >crc.src), >                       &crc->ctx[crc->ctx_idx]); -- Cheers, Lyude Paul (she/her) Software Engineer at Red Hat
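Review bot: In the atom.h hunk, nv50_head_atom_get_encoder() gains a NULL return path that nothing documents; the only comment left is "We only ever have a single encoder". A short comment above the function saying it returns NULL when no encoder in atom->state.encoder_mask is found, and that the iterator must not be used after the loop, would tell future callers they have to check the result. The diffstat shows only crc.c being updated for the new contract, so any caller outside that file is worth confirming by hand.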
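Review bot: In the first crc.c hunk (nv50_crc_atomic_check_outp), the new lookup and its two 'continue' exits sit ahead of the existing 'if (!asyh->clr.crc) continue;' test, so every head walks the encoder list even when CRC is not being cleared. Now that the lookup is a statement rather than an initializer, it can move below the clr.crc check. The two drm_encoder pointers 'encoder' and 'enc' are also easy to confuse; a name that says which one is the head's encoder and which is '&outp->base.base' would help.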
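Review bot: In the second crc.c hunk (nv50_crc_atomic_set), the bare 'return;' on a NULL encoder or NULL outp skips func->set_src() without leaving any trace, and the function is void so the caller cannot tell. If a head is not expected to reach this point without an encoder, wrapping the checks in a WARN_ON-style macro would surface the condition; if it is expected, a one-line comment saying why skipping set_src() is safe would do. Whether nv50_real_outp() can return NULL is not visible in these lines, so the second check deserves the same explanation.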
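The iterator behaviour the commit message describes, as an added example that is not part of the original thread or the nouveau source: a userspace model of a list_for_each_entry()-style walk with a mask filter, with the pre-patch and post-patch lookup shapes side by side. The struct layouts, for_each_encoder_mask() and both get_encoder_*() functions are constructed for illustration.

```c
/* Userspace model of the kernel list iterator; all names here are constructed. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

struct encoder { unsigned index; struct list_head node; };
struct device  { unsigned long pad[4]; struct list_head encoders; };

/* Simplified stand-in for drm_for_each_encoder_mask(): list walk plus mask filter. */
#define for_each_encoder_mask(enc, dev, mask) \
	list_for_each_entry(enc, &(dev)->encoders, node) \
		if (!((mask) & (1u << (enc)->index))) {} else

/* Pre-patch shape: break out of the loop, then return the iterator. */
struct encoder *get_encoder_buggy(struct device *dev, unsigned mask)
{
	struct encoder *enc = NULL;
	for_each_encoder_mask(enc, dev, mask)
		break;
	return enc; /* no match: container_of(list head), never NULL */
}

/* Post-patch shape: return from inside the loop, NULL otherwise. */
struct encoder *get_encoder_fixed(struct device *dev, unsigned mask)
{
	struct encoder *enc;
	for_each_encoder_mask(enc, dev, mask)
		return enc;
	return NULL;
}

int main(void)
{
	struct device dev = { .encoders = { &dev.encoders, &dev.encoders } };

	/* Empty list: the buggy lookup yields a pointer into 'dev' itself. */
	printf("dev=%p buggy=%p fixed=%p\n", (void *)&dev,
	       (void *)get_encoder_buggy(&dev, 1), (void *)get_encoder_fixed(&dev, 1));
	return 0;
}
```

The value the buggy lookup returns on a miss is the list head reinterpreted as an encoder, which is why a later NULL check passes and the dereference touches unrelated memory.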