From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, Lyude Paul
Subject: [PATCH 5.18 794/879] drm/nouveau/clk: Fix an incorrect NULL check on list iterator
Date: Tue, 7 Jun 2022 19:05:12 +0200
Message-Id: <20220607165025.910136291@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>

From: Xiaomeng Tong

commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream.

The bug is here:
	if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
		return cstate;

The list iterator value 'cstate' will *always* be set and non-NULL
by list_for_each_entry_from_reverse(), so it is incorrect to assume
that the iterator value will be unchanged if the list is empty or no
element is found (In fact, it will be a bogus pointer to an invalid
structure object containing the HEAD). Also it missed a NULL check
at callsite and may lead to invalid memory access after that.

To fix this bug, just return 'encoder' when found, otherwise return
NULL. And add the NULL check.

Cc: stable@vger.kernel.org
Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog")
Signed-off-by: Xiaomeng Tong
Reviewed-by: Lyude Paul
Signed-off-by: Lyude Paul
Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman
--- drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c @@ -135,10 +135,10 @@ nvkm_cstate_find_best(struct nvkm_clk *c list_for_each_entry_from_reverse(cstate, &pstate->list, head) { if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp)) - break; + return cstate; } - return cstate; + return NULL; } static struct nvkm_cstate * @@ -169,6 +169,8 @@ nvkm_cstate_prog(struct nvkm_clk *clk, s if (!list_empty(&pstate->list)) { cstate = nvkm_cstate_get(clk, pstate, cstatei); cstate = nvkm_cstate_find_best(clk, pstate, cstate); + if (!cstate) + return -EINVAL; } else { cstate = &pstate->base; }
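
Review bot: In the first hunk (nvkm_cstate_find_best), the commit message says to return 'encoder' when found, but the code returns `cstate`; the description appears to come from a different fix and should name `cstate`. The function can now return NULL where it previously always returned the iterator, so a short comment above it stating that NULL means no cstate passed nvkm_cstate_valid() would help, and any caller other than nvkm_cstate_prog needs the same check.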
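
Review bot: In the second hunk (nvkm_cstate_prog), the new `if (!cstate) return -EINVAL;` turns "no cstate satisfies the voltage and temperature limits" into a hard failure, while the empty-list branch directly below falls back to `&pstate->base`. Please state in the commit message or a comment why failing is preferred over that fallback in this case, and confirm that the callers of nvkm_cstate_prog handle a negative return.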
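
The iterator behaviour the commit message describes, as an added example that is not part of the original patch or the nouveau code. The list helpers are simplified userspace stand-ins for the kernel's, and `struct cstate`, `build_list`, `find_best_buggy` and `find_best_fixed` are hypothetical names operating on constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel list helpers (assumption). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define for_each_entry_from_reverse(pos, type, list, member) \
	for (; &(pos)->member != (list); \
	     (pos) = container_of((pos)->member.prev, type, member))

struct cstate { int volt; struct list_head head; };	/* hypothetical type */
static struct list_head pstate_list;
static struct cstate states[2] = { { .volt = 900 }, { .volt = 1000 } };

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Build the constructed two-entry list and return its last entry. */
static struct cstate *build_list(void)
{
	pstate_list.next = pstate_list.prev = &pstate_list;
	list_add_tail(&states[0].head, &pstate_list);
	list_add_tail(&states[1].head, &pstate_list);
	return &states[1];
}

/* Pre-patch shape: break on a match, then return the iterator regardless. */
static struct cstate *find_best_buggy(struct list_head *l, struct cstate *cs, int max_volt)
{
	for_each_entry_from_reverse(cs, struct cstate, l, head)
		if (cs->volt <= max_volt)
			break;
	return cs;	/* no match: container_of() of the list head, never NULL */
}

/* Post-patch shape: return from inside the loop, NULL when nothing fits. */
static struct cstate *find_best_fixed(struct list_head *l, struct cstate *cs, int max_volt)
{
	for_each_entry_from_reverse(cs, struct cstate, l, head)
		if (cs->volt <= max_volt)
			return cs;
	return NULL;
}

int main(void)
{
	struct cstate *last = build_list();
	printf("no match: buggy=%p fixed=%p\n", (void *)find_best_buggy(&pstate_list, last, 800),
	       (void *)find_best_fixed(&pstate_list, last, 800));
	return 0;
}
```

With no entry at or below the limit, the pre-patch shape hands back a pointer whose `head` member aliases the list head itself, so a caller's `!cstate` test can never catch it.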