Patch "drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator" has been added to the 5.18-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 06 Jun 2022 15:49:52 +0200

This is a note to let you know that I've just added the patch titled

    drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator

to the 5.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-nouveau-kms-nv50-atom-fix-an-incorrect-null-check-on-list-iterator.patch
and it can be found in the queue-5.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 6ce4431c7ba7954c4fa6a96ce16ca1b2943e1a83 Mon Sep 17 00:00:00 2001
From: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx>
Date: Sun, 27 Mar 2022 15:39:25 +0800
Subject: drm/nouveau/kms/nv50-: atom: fix an incorrect NULL check on list iterator

From: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx>

commit 6ce4431c7ba7954c4fa6a96ce16ca1b2943e1a83 upstream.

The bug is here:
	return encoder;

The list iterator value 'encoder' will *always* be set and non-NULL
by drm_for_each_encoder_mask(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty or no element found.
Otherwise it will bypass some NULL checks and lead to invalid memory
access passing the check.

To fix this bug, just return 'encoder' when found, otherwise return
NULL.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 12885ecbfe62d ("drm/nouveau/kms/nvd9-: Add CRC support")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx>
Reviewed-by: Lyude Paul <lyude@xxxxxxxxxx>
[Changed commit title]
Signed-off-by: Lyude Paul <lyude@xxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20220327073925.11121-1-xiam0nd.tong@xxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/nouveau/dispnv50/atom.h |    6 +++---
 drivers/gpu/drm/nouveau/dispnv50/crc.c  |   27 ++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/nouveau/dispnv50/atom.h
+++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h
@@ -160,14 +160,14 @@ nv50_head_atom_get(struct drm_atomic_sta
 static inline struct drm_encoder *
 nv50_head_atom_get_encoder(struct nv50_head_atom *atom)
 {
-	struct drm_encoder *encoder = NULL;
+	struct drm_encoder *encoder;
 
 	/* We only ever have a single encoder */
 	drm_for_each_encoder_mask(encoder, atom->state.crtc->dev,
 				  atom->state.encoder_mask)
-		break;
+		return encoder;
 
-	return encoder;
+	return NULL;
 }
 
 #define nv50_wndw_atom(p) container_of((p), struct nv50_wndw_atom, state)
--- a/drivers/gpu/drm/nouveau/dispnv50/crc.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/crc.c
@@ -390,9 +390,18 @@ void nv50_crc_atomic_check_outp(struct n
 		struct nv50_head_atom *armh = nv50_head_atom(old_crtc_state);
 		struct nv50_head_atom *asyh = nv50_head_atom(new_crtc_state);
 		struct nv50_outp_atom *outp_atom;
-		struct nouveau_encoder *outp =
-			nv50_real_outp(nv50_head_atom_get_encoder(armh));
-		struct drm_encoder *encoder = &outp->base.base;
+		struct nouveau_encoder *outp;
+		struct drm_encoder *encoder, *enc;
+
+		enc = nv50_head_atom_get_encoder(armh);
+		if (!enc)
+			continue;
+
+		outp = nv50_real_outp(enc);
+		if (!outp)
+			continue;
+
+		encoder = &outp->base.base;
 
 		if (!asyh->clr.crc)
 			continue;
@@ -443,8 +452,16 @@ void nv50_crc_atomic_set(struct nv50_hea
 	struct drm_device *dev = crtc->dev;
 	struct nv50_crc *crc = &head->crc;
 	const struct nv50_crc_func *func = nv50_disp(dev)->core->func->crc;
-	struct nouveau_encoder *outp =
-		nv50_real_outp(nv50_head_atom_get_encoder(asyh));
+	struct nouveau_encoder *outp;
+	struct drm_encoder *encoder;
+
+	encoder = nv50_head_atom_get_encoder(asyh);
+	if (!encoder)
+		return;
+
+	outp = nv50_real_outp(encoder);
+	if (!outp)
+		return;
 
 	func->set_src(head, outp->or, nv50_crc_source_type(outp, asyh->crc.src),
 		      &crc->ctx[crc->ctx_idx]);


Patches currently in stable-queue which might be from xiam0nd.tong@xxxxxxxxx are

queue-5.18/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch
queue-5.18/scsi-dc395x-fix-a-missing-check-on-list-iterator.patch
queue-5.18/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch
queue-5.18/media-uvcvideo-fix-missing-check-to-determine-if-ele.patch
queue-5.18/md-fix-an-incorrect-null-check-in-md_reload_sb.patch
queue-5.18/drm-nouveau-kms-nv50-atom-fix-an-incorrect-null-check-on-list-iterator.patch






