Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2154637iof; Tue, 7 Jun 2022 21:34:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwmxo6eV/fsiBOcAQgKG+eyy9oxWbbfKvUbhT1eoVuaGd4+N4WeFLvLqKjwdjLQF8t5yNT1 X-Received: by 2002:a17:903:244b:b0:167:74f3:74aa with SMTP id l11-20020a170903244b00b0016774f374aamr15441909pls.67.1654662886262; Tue, 07 Jun 2022 21:34:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654662886; cv=none; d=google.com; s=arc-20160816; b=UpfHp/s5o0hSNQ/vLPs97zoRlqNs5z9Na8w4OFRKm29iPwOMJZvyhNDAchZFu3qKce 8ykajl6XzCTFuaSWOqiv42cNsgxNH6KNfXsY6HqZpR5eJQoBdvJ7aF1nPX8+uiHdlPJZ iX++JW6VIM9gxGiBsRLyvR4uCgy9Wr++iVp4DuKnEiH3Vmx9KqvXIe8eg37TPM+INFC1 hj5k2RP5VSnuDJro2ltrG4QucoAV+gqcQUfR+w6FtuxQtc4S1OTp2NmjYYcOMn5XtPvp qxEYG+Wsuyb2U/L8E9xQfzGAsM/L1ZjErCy9ryXtDo8RAGOkW73UxAev2NsSegqy53Hd YPSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=y5y6NjSmi4vqNolhs/3OAsTpEZyYjV2jFGt5ZHI2Qqo=; b=s8Xy8mRgPbLyMYXrOuxShIfeXw0NU3RG0MJuDyHdld6FUPHL1hrIQBINW3LtXlznlp gC6ack3b0CHjpgntd+LND7twBO+LPcz2SL9gAZTMxf56WzVze8rkI8zDjAFdDrMN9kjC WFGIvle82s/mL80cotzcq8TV64q041Xjz+nSesSNLhXi/DWIUy8QlC0AmtM0pqGL8g05 ZDeiq9J/DCSwGKhOWRk14S0oPMPSwt4GIWWulFYRTrrFzOxSmTh/qhwVHPYW39W8bccF 6VIVD5jpgjruIz7KELfP+zQ55x/yTx/CrlEvbKKHfYQbSSPHvXzj/TH5o0OUxPuNGIXU X0gQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ap7mKn4E; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id e3-20020a636903000000b003fd29f96dc3si17725336pgc.839.2022.06.07.21.34.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jun 2022 21:34:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ap7mKn4E; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1441B4305F1; Tue, 7 Jun 2022 21:03:14 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1381154AbiFGVri (ORCPT + 99 others); Tue, 7 Jun 2022 17:47:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1376818AbiFGUxP (ORCPT ); Tue, 7 Jun 2022 16:53:15 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2DAC118010; Tue, 7 Jun 2022 11:43:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 8D0C6B81FE1; Tue, 7 Jun 2022 18:43:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E1042C34115; Tue, 7 Jun 2022 18:43:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1654627422; bh=Mfy3ytbbDKigbAx7RnPOWXW8wcLTxwl+MTXvB2B/5Hs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ap7mKn4ErWuHM16KceF0QckdYGvCRcTEy70HMSstKOpa4ayZtTuM2lIfEHzb3HIsR 7dhema9JWKKklEHIeVZtc7rr4jW3JvaJFdwxwbfD/Qgj8Tfx/5AN/X17rsg1+v2cOT kv1G8DuTJbsvUrqvn4GbQDCvuhefAaSdFH5U2qtE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xiaomeng Tong , Lyude Paul Subject: [PATCH 5.17 693/772] drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator Date: Tue, 7 Jun 2022 19:04:45 +0200 Message-Id: <20220607165009.473578541@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220607164948.980838585@linuxfoundation.org> References: <20220607164948.980838585@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiaomeng Tong commit 6ce4431c7ba7954c4fa6a96ce16ca1b2943e1a83 upstream. The bug is here: return encoder; The list iterator value 'encoder' will *always* be set and non-NULL by drm_for_each_encoder_mask(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element found. Otherwise it will bypass some NULL checks and lead to invalid memory access passing the check. To fix this bug, just return 'encoder' when found, otherwise return NULL. Cc: stable@vger.kernel.org Fixes: 12885ecbfe62d ("drm/nouveau/kms/nvd9-: Add CRC support") Signed-off-by: Xiaomeng Tong Reviewed-by: Lyude Paul [Changed commit title] Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220327073925.11121-1-xiam0nd.tong@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/nouveau/dispnv50/atom.h | 6 +++--- drivers/gpu/drm/nouveau/dispnv50/crc.c | 27 ++++++++++++++++++++++----- 2 files changed, 25 insertions(+), 8 deletions(-) --- a/drivers/gpu/drm/nouveau/dispnv50/atom.h +++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h @@ -160,14 +160,14 @@ nv50_head_atom_get(struct drm_atomic_sta static inline struct drm_encoder * nv50_head_atom_get_encoder(struct nv50_head_atom *atom) { - struct drm_encoder *encoder = NULL; + struct drm_encoder *encoder; /* We only ever have a single encoder */ drm_for_each_encoder_mask(encoder, atom->state.crtc->dev, atom->state.encoder_mask) - break; + return encoder; - return encoder; + return NULL; } #define nv50_wndw_atom(p) container_of((p), struct nv50_wndw_atom, state) --- a/drivers/gpu/drm/nouveau/dispnv50/crc.c +++ b/drivers/gpu/drm/nouveau/dispnv50/crc.c @@ -390,9 +390,18 @@ void nv50_crc_atomic_check_outp(struct n struct nv50_head_atom *armh = nv50_head_atom(old_crtc_state); struct nv50_head_atom *asyh = nv50_head_atom(new_crtc_state); struct nv50_outp_atom *outp_atom; - struct nouveau_encoder *outp = - nv50_real_outp(nv50_head_atom_get_encoder(armh)); - struct drm_encoder *encoder = &outp->base.base; + struct nouveau_encoder *outp; + struct drm_encoder *encoder, *enc; + + enc = nv50_head_atom_get_encoder(armh); + if (!enc) + continue; + + outp = nv50_real_outp(enc); + if (!outp) + continue; + + encoder = &outp->base.base; if (!asyh->clr.crc) continue; @@ -443,8 +452,16 @@ void nv50_crc_atomic_set(struct nv50_hea struct drm_device *dev = crtc->dev; struct nv50_crc *crc = &head->crc; const struct nv50_crc_func *func = nv50_disp(dev)->core->func->crc; - struct nouveau_encoder *outp = - nv50_real_outp(nv50_head_atom_get_encoder(asyh)); + struct nouveau_encoder *outp; + struct drm_encoder *encoder; + + encoder = nv50_head_atom_get_encoder(asyh); + if (!encoder) + return; + + outp = nv50_real_outp(encoder); + if (!outp) + return; func->set_src(head, outp->or, nv50_crc_source_type(outp, asyh->crc.src), &crc->ctx[crc->ctx_idx]);