Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2184513iof;
        Tue, 7 Jun 2022 22:30:19 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJydOpNBVic55EzW1/nSkSB5iZ9CNY62sTmZYYYvLOD1+Ns8mrWJ6DEzO2vUXnsNq5+EDM10
X-Received: by 2002:aa7:8d47:0:b0:4f6:a7f9:1ead with SMTP id s7-20020aa78d47000000b004f6a7f91eadmr32725433pfe.42.1654666219756;
        Tue, 07 Jun 2022 22:30:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1654666219; cv=none;
        d=google.com; s=arc-20160816;
        b=SXdGdr84661fEiAlY/UkjchKc+ENXwiGrsHKBst3xqfr/aqbMJN+0FTUp+bFa1Pxbe
         nzIX7fXXY/e55pZnlmBH7LoHxJ9PdOHAIos+7a0wsneMUt9KBaRys4OCcb/G77AEBDuw
         xA0TagJEOP/0mIAoY00RAZLs1m0isBiB0+a0GN8NY9xlzZbdE0HJaLQccbE15tbkrwFt
         1ah6yEpFR2vfbsPc2Eu1WvKsDVHueNoxn33wQbYt86B/1EwvVNqPhGhkQmRSfocrKCMV
         jDOhFi7nvAyzXf9/3RnjpohsF/KhEAy4KH0+RbGrIqfBZ/DKOqVFargvp91rQdi/6UYN
         zH1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=LUREpfRgy0lh+SBakz6jAVIO1eqRx1mDwRZAMRN8t1I=;
        b=Q8ScBPJ29IupAEc5KIg0euk1pjIr23Fnr+X7uWawuJiUWvD0Ag2sgWTfcHQDhcvsoz
         iXjQbYdsV2Xt1n/aap7KgzN1CoReyMvvKze8PBI2yNwA7aTcNj5GklHvnNxTSO5Ve5dv
         GzYhk/n58MPUiSazXge0QL7c7wdTO6ulFTpj2ILjNSj7Yb1XAMadperJ6aIWFIkIXj9o
         O16T5c55eygPfMQwnqjwjWDRuZonuaY46ARBj1TPiwx3piNukKexH6YKzs15/a4pp41X
         SJWcn8uBzIlKh2TE7lDN9MJhLp08wzRA6osPIjUO3kcAW9pMCmd1/sScgEeiyC3sqjmR
         wFNw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="XMVsQ/u6";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id t62-20020a638141000000b003db947d50fcsi26585211pgd.174.2022.06.07.22.30.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Jun 2022 22:30:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="XMVsQ/u6";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id CCF6148A299;
	Tue,  7 Jun 2022 21:57:36 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1349380AbiFGSJR (ORCPT <rfc822;abrown110010@gmail.com>
        + 99 others); Tue, 7 Jun 2022 14:09:17 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41886 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1349037AbiFGRu1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Jun 2022 13:50:27 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFCA1139AE4;
        Tue,  7 Jun 2022 10:37:42 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 94FBA61529;
        Tue,  7 Jun 2022 17:37:28 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A3F02C385A5;
        Tue,  7 Jun 2022 17:37:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1654623448;
        bh=MLkY1OvX2VTXtWkd4B2hKU9SxPB0F0RJYdX5ADWhvgw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=XMVsQ/u6i8Rn/k4yYXeOySuJ4G29v9mVVFZ4KtISPfvbQYX6MWfFwazRmGPQhZrN/
         TK0SuJSaF0H+I0n0SCOO+1XLaiq647zxANGVe/KJPdKE59tS/p0M5S20J6LOVu54Ic
         0DZu7U7oDKOYx/WEl8lPp5GV4pVdy7oZBjWx8p1M=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Xiaomeng Tong <xiam0nd.tong@gmail.com>,
        Lyude Paul <lyude@redhat.com>
Subject: [PATCH 5.10 380/452] drm/nouveau/clk: Fix an incorrect NULL check on list iterator
Date:   Tue,  7 Jun 2022 19:03:57 +0200
Message-Id: <20220607164919.889007817@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220607164908.521895282@linuxfoundation.org>
References: <20220607164908.521895282@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream.

The bug is here:
	if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
		return cstate;

The list iterator value 'cstate' will *always* be set and non-NULL
by list_for_each_entry_from_reverse(), so it is incorrect to assume
that the iterator value will be unchanged if the list is empty or no
element is found (In fact, it will be a bogus pointer to an invalid
structure object containing the HEAD). Also it missed a NULL check
at callsite and may lead to invalid memory access after that.

To fix this bug, just return 'encoder' when found, otherwise return
NULL. And add the NULL check.

Cc: stable@vger.kernel.org
Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
@@ -135,10 +135,10 @@ nvkm_cstate_find_best(struct nvkm_clk *c
 
 	list_for_each_entry_from_reverse(cstate, &pstate->list, head) {
 		if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
-			break;
+			return cstate;
 	}
 
-	return cstate;
+	return NULL;
 }
 
 static struct nvkm_cstate *
@@ -169,6 +169,8 @@ nvkm_cstate_prog(struct nvkm_clk *clk, s
 	if (!list_empty(&pstate->list)) {
 		cstate = nvkm_cstate_get(clk, pstate, cstatei);
 		cstate = nvkm_cstate_find_best(clk, pstate, cstate);
+		if (!cstate)
+			return -EINVAL;
 	} else {
 		cstate = &pstate->base;
 	}