From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, Lyude Paul
Subject: [PATCH 5.18 795/879] drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator
Date: Tue, 7 Jun 2022 19:05:13 +0200
Message-Id: <20220607165025.938481961@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>

From: Xiaomeng Tong

commit 6ce4431c7ba7954c4fa6a96ce16ca1b2943e1a83 upstream.

The bug is here:
	return encoder;

The list iterator value 'encoder' will *always* be set and non-NULL by
drm_for_each_encoder_mask(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element found.
Otherwise it will bypass some NULL checks and lead to invalid memory
access passing the check.

To fix this bug, just return 'encoder' when found, otherwise return NULL.

Cc: stable@vger.kernel.org
Fixes: 12885ecbfe62d ("drm/nouveau/kms/nvd9-: Add CRC support")
Signed-off-by: Xiaomeng Tong
Reviewed-by: Lyude Paul
[Changed commit title]
Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220327073925.11121-1-xiam0nd.tong@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/nouveau/dispnv50/atom.h | 6 +++--- drivers/gpu/drm/nouveau/dispnv50/crc.c | 27 ++++++++++++++++++++++----- 2 files changed, 25 insertions(+), 8 deletions(-) --- a/drivers/gpu/drm/nouveau/dispnv50/atom.h +++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h @@ -160,14 +160,14 @@ nv50_head_atom_get(struct drm_atomic_sta static inline struct drm_encoder * nv50_head_atom_get_encoder(struct nv50_head_atom *atom) { - struct drm_encoder *encoder = NULL; + struct drm_encoder *encoder; /* We only ever have a single encoder */ drm_for_each_encoder_mask(encoder, atom->state.crtc->dev, atom->state.encoder_mask) - break; + return encoder; - return encoder; + return NULL; } #define nv50_wndw_atom(p) container_of((p), struct nv50_wndw_atom, state) --- a/drivers/gpu/drm/nouveau/dispnv50/crc.c +++ b/drivers/gpu/drm/nouveau/dispnv50/crc.c @@ -390,9 +390,18 @@ void nv50_crc_atomic_check_outp(struct n struct nv50_head_atom *armh = nv50_head_atom(old_crtc_state); struct nv50_head_atom *asyh = nv50_head_atom(new_crtc_state); struct nv50_outp_atom *outp_atom; - struct nouveau_encoder *outp = - nv50_real_outp(nv50_head_atom_get_encoder(armh)); - struct drm_encoder *encoder = &outp->base.base; + struct nouveau_encoder *outp; + struct drm_encoder *encoder, *enc; + + enc = nv50_head_atom_get_encoder(armh); + if (!enc) + continue; + + outp = nv50_real_outp(enc); + if (!outp) + continue; + + encoder = &outp->base.base; if (!asyh->clr.crc) continue; 
@@ -443,8 +452,16 @@ void nv50_crc_atomic_set(struct nv50_hea struct drm_device *dev = crtc->dev; struct nv50_crc *crc = &head->crc; const struct nv50_crc_func *func = nv50_disp(dev)->core->func->crc; - struct nouveau_encoder *outp = - nv50_real_outp(nv50_head_atom_get_encoder(asyh)); + struct nouveau_encoder *outp; + struct drm_encoder *encoder; + + encoder = nv50_head_atom_get_encoder(asyh); + if (!encoder) + return; + + outp = nv50_real_outp(encoder); + if (!outp) + return; func->set_src(head, outp->or, nv50_crc_source_type(outp, asyh->crc.src), &crc->ctx[crc->ctx_idx]);
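Review bot: nv50_head_atom_get_encoder() in atom.h can now return NULL, but its only comment still reads "We only ever have a single encoder"; state there that NULL is returned when no encoder matches atom->state.encoder_mask, so callers know a check is required. The patch adds that check to the two callers in crc.c; any other caller of this helper, not visible in this diff, needs the same review.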
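Review bot: in the nv50_crc_atomic_check_outp() hunk of crc.c, the new locals "encoder" and "enc" are easy to mix up: "enc" holds the result of nv50_head_atom_get_encoder(armh) while "encoder" is &outp->base.base. Rename one so the difference is visible at the use sites. The lookup and both NULL checks also run before the existing "if (!asyh->clr.crc) continue;", so they could move below that test and only run for heads that are actually clearing CRC.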
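Review bot: in the nv50_crc_atomic_set() hunk of crc.c, both new early returns leave silently before func->set_src(), and the function is void, so the caller cannot tell that the CRC source was never programmed. If a head is not expected to reach this point without an encoder, a warning on that path would make the condition visible; if it is expected, a short comment saying so would help. The commit message also explains only the "!encoder" case and does not say when nv50_real_outp() returns NULL, so the "!outp" check deserves a sentence there or in a comment.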
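The failure mode the commit message describes, as an added example that is not part of the original patch or the nouveau driver: a kernel-style list_for_each_entry loop leaves its iterator pointing at a container computed from the list head when nothing matches, so a post-loop NULL check never fires. The list macros, struct enc and all function names are simplified stand-ins constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for the kernel list API, constructed for this example. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((uintptr_t)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

struct enc { unsigned int index; struct list_head link; }; /* hypothetical */
enum { RES_NULL, RES_ENTRY, RES_BOGUS };

/* Pre-fix shape: break on a match, return the iterator after the loop. */
static struct enc *get_enc_buggy(struct list_head *head, unsigned int mask)
{
	struct enc *e = NULL;
	list_for_each_entry(e, head, link)
		if (mask & (1u << e->index))
			break;
	return e; /* no match: container_of(head), not NULL */
}

/* Post-fix shape: return from inside the loop, NULL when nothing matched. */
static struct enc *get_enc_fixed(struct list_head *head, unsigned int mask)
{
	struct enc *e;
	list_for_each_entry(e, head, link)
		if (mask & (1u << e->index))
			return e;
	return NULL;
}

/* One-entry list (index 0); classify what the chosen lookup returns. */
static int lookup_result(unsigned int mask, int fixed)
{
	struct enc real = { .index = 0 };
	struct list_head head = { &real.link, &real.link };
	real.link.next = real.link.prev = &head;
	struct enc *e = fixed ? get_enc_fixed(&head, mask) : get_enc_buggy(&head, mask);
	return !e ? RES_NULL : (e == &real ? RES_ENTRY : RES_BOGUS);
}

int main(void)
{
	printf("no match: buggy=%d fixed=%d\n", lookup_result(0, 0), lookup_result(0, 1));
	return 0;
}
```

RES_BOGUS marks a non-NULL pointer that is not a list entry, which is what a caller's NULL check would let through in the pre-fix shape.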