This is a note to let you know that I've just added the patch titled drm/nouveau/clk: Fix an incorrect NULL check on list iterator to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 1c3b2a27def609473ed13b1cd668cb10deab49b4 Mon Sep 17 00:00:00 2001 From: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx> Date: Sun, 27 Mar 2022 15:58:24 +0800 Subject: drm/nouveau/clk: Fix an incorrect NULL check on list iterator From: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx> commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream. The bug is here: if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp)) return cstate; The list iterator value 'cstate' will *always* be set and non-NULL by list_for_each_entry_from_reverse(), so it is incorrect to assume that the iterator value will be unchanged if the list is empty or no element is found (In fact, it will be a bogus pointer to an invalid structure object containing the HEAD). Also it missed a NULL check at callsite and may lead to invalid memory access after that. To fix this bug, just return 'encoder' when found, otherwise return NULL. And add the NULL check. Cc: stable@xxxxxxxxxxxxxxx Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog") Signed-off-by: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx> Reviewed-by: Lyude Paul <lyude@xxxxxxxxxx> Signed-off-by: Lyude Paul <lyude@xxxxxxxxxx> Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@xxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c @@ -135,10 +135,10 @@ nvkm_cstate_find_best(struct nvkm_clk *c list_for_each_entry_from_reverse(cstate, &pstate->list, head) { if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp)) - break; + return cstate; } - return cstate; + return NULL; } static struct nvkm_cstate * @@ -169,6 +169,8 @@ nvkm_cstate_prog(struct nvkm_clk *clk, s if (!list_empty(&pstate->list)) { cstate = nvkm_cstate_get(clk, pstate, cstatei); cstate = nvkm_cstate_find_best(clk, pstate, cstate); + if (!cstate) + return -EINVAL; } else { cstate = &pstate->base; } Patches currently in stable-queue which might be from xiam0nd.tong@xxxxxxxxx are queue-5.15/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch queue-5.15/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch queue-5.15/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch queue-5.15/media-uvcvideo-fix-missing-check-to-determine-if-ele.patch queue-5.15/md-fix-an-incorrect-null-check-in-md_reload_sb.patch queue-5.15/drm-nouveau-kms-nv50-atom-fix-an-incorrect-null-check-on-list-iterator.patch