Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] A malformed GSP message size causes r535_gsp_msgq_recv() to return NULL, which propagates through nvkm_gsp_rpc_rd() and leads to a NULL pointer dereference in its callers. -- commit 604de241374540fdccd3d8af5fec3fe8ff826d71 Author: Hongling Zeng <[email protected]> nouveau/gsp: Cleanup IS_ERR_OR_NULL in nvkm_gsp_rpc_rd() This commit cleans up nvkm_gsp_rpc_rd() by replacing IS_ERR_OR_NULL() with IS_ERR(). The commit message notes that nvkm_gsp_rpc_push() expects a reply under the RECV policy and should return an error pointer rather than NULL if the RPC fails. > diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/gsp.h > b/drivers/gpu/drm/nouveau/include/nvkm/subdev/gsp.h > index 64fed208e4cf8..a061779e0107b 100644 > --- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/gsp.h > +++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/gsp.h > @@ -293,7 +293,7 @@ nvkm_gsp_rpc_rd(struct nvkm_gsp *gsp, u32 fn, u32 argc) > { > void *argv = nvkm_gsp_rpc_get(gsp, fn, argc); > > - if (IS_ERR_OR_NULL(argv)) > + if (IS_ERR(argv)) > return argv; > > return nvkm_gsp_rpc_push(gsp, argv, NVKM_GSP_RPC_REPLY_RECV, argc); [Severity: High] This is a pre-existing issue, but does nvkm_gsp_rpc_push() strictly return an error pointer instead of NULL on failure under the RECV policy? If the GSP firmware returns an RPC message with an invalid length, r535_gsp_msgq_recv() triggers a WARN_ON and returns NULL: r535_gsp_msgq_recv() in drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c: ... if (WARN_ON(rpc->length > max_rpc_size)) return NULL; ... This NULL propagates up through r535_gsp_msg_recv() and r535_gsp_rpc_handle_reply() to nvkm_gsp_rpc_push(), which is then returned directly by nvkm_gsp_rpc_rd() here. Since callers like r535_gsp_get_static_info() only check IS_ERR(), could this lead to a NULL pointer dereference? r535_gsp_get_static_info() in drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c: ... rpc = nvkm_gsp_rpc_rd(gsp, NV_VGPU_MSG_FUNCTION_GET_GSP_STATIC_INFO, sizeof(*rpc)); if (IS_ERR(rpc)) return PTR_ERR(rpc); gsp->internal.client.object.client = &gsp->internal.client; gsp->internal.client.object.parent = NULL; gsp->internal.client.object.handle = rpc->hInternalClient; ... Similarly, does r535_gsp_rpc_rm_ctrl_push() mishandle this NULL? r535_gsp_rpc_rm_ctrl_push() in drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/ctrl.c: ... repv = nvkm_gsp_rpc_push(gsp, rpc, repc ? NVKM_GSP_RPC_REPLY_RECV : NVKM_GSP_RPC_REPLY_NOWAIT, repc); if (IS_ERR_OR_NULL(repv)) { *params = NULL; return PTR_ERR(repv); } ... If nvkm_gsp_rpc_push() returns NULL, PTR_ERR(repv) evaluates to 0 (success), which causes it to return success while passing a NULL pointer back to callers like r535_gsp_intr_get_table(). -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=5
