Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [High] Leak of the original RPC message buffer `msg` in error paths of 
`r535_gsp_rpc_push()` when `payload_size > max_payload_size`.
--

commit c9821a8788c2a50e0c5a5dcb65a00cbd271b7c0b
Author: Hongling Zeng <[email protected]>

nouveau/gsp/rm/bar: Cleanup IS_ERR_OR_NULL usage

r535_bar_bar2_update_pde() calls nvkm_gsp_rpc_get() which never
returns NULL, only valid pointers or error pointers. Clean up by
using IS_ERR() instead, matching the actual return value contract.

> diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/bar.c 
> b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/bar.c
> index fae08ac3b18c7..9cd68f8622d36 100644
> --- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/bar.c
> +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/bar.c
> @@ -55,7 +55,7 @@ r535_bar_bar2_update_pde(struct nvkm_gsp *gsp, u8 
> page_shift, u64 pdbe)
>       rpc_update_bar_pde_v15_00 *rpc;
>  
>       rpc = nvkm_gsp_rpc_get(gsp, NV_VGPU_MSG_FUNCTION_UPDATE_BAR_PDE, 
> sizeof(*rpc));
> -     if (WARN_ON(IS_ERR_OR_NULL(rpc)))
> +     if (WARN_ON(IS_ERR(rpc)))
>               return -EIO;
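Review bot: the hunk still returns a fixed -EIO after `WARN_ON(IS_ERR(rpc))`, discarding the errno carried in the error pointer; since the check now relies on nvkm_gsp_rpc_get() returning error pointers rather than NULL, `return PTR_ERR(rpc);` would propagate the actual failure reason to the caller instead of collapsing every failure to -EIO. The narrowing from IS_ERR_OR_NULL() to IS_ERR() is only safe if no path inside nvkm_gsp_rpc_get() can return NULL, as the commit message asserts; the rpc.c code quoted later in this mail checks only `IS_ERR(next)` after r535_gsp_rpc_get(), which is consistent with that contract, but the claim should be verified against the function body rather than inferred from callers.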

[Severity: High]
This is a pre-existing issue, but does r535_gsp_rpc_push() leak the original
RPC message buffer msg on error paths when payload_size > max_payload_size?

In drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:r535_gsp_rpc_push(),
when the message is chunked, kvfree(msg) is called on the success path:

                next = r535_gsp_rpc_get(gsp, fn, max_payload_size);
                if (IS_ERR(next)) {
                        repv = next;
                        goto done;
                }
...
                repv = r535_gsp_rpc_handle_reply(gsp, fn, policy, payload_size +
                                                 sizeof(*rpc));
                if (!IS_ERR(repv))
                        kvfree(msg);
        }
...
done:
        mutex_unlock(&gsp->cmdq.mutex);
        return repv;

If r535_gsp_rpc_get() fails, it jumps to done and returns without freeing
msg. Similarly, if r535_gsp_rpc_handle_reply() returns an error pointer,
msg is not freed because kvfree(msg) is guarded by !IS_ERR(repv).

Since these allocations can be large, can this cause a resource leak if the
RPC communications fail under load?

-- 
Sashiko AI review ·
https://sashiko.dev/#/patchset/[email protected]?part=4
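Added example, not part of the review above and not nouveau code: a small userspace model of the error-path ownership problem described for r535_gsp_rpc_push(). All names here (rpc_push_model, rpc_get_model, handle_reply_model, leaked_after_push), the chunk size and the failure-injection knobs are invented for illustration; the ERR_PTR/IS_ERR convention is mirrored locally so the block compiles stand-alone. The "fixed" variant releases `msg` on every exit of the chunked path; that is the model's fix, not a claim about what upstream does.

```c
/*
 * Userspace model of a chunked RPC push whose caller-owned buffer `msg`
 * is freed only on the success path. Hypothetical code for illustration;
 * nothing below is taken from drivers/gpu/drm/nouveau.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 64u      /* assumed per-chunk payload limit */
#define MAX_ERRNO   4095UL

/* Local stand-ins for the kernel's ERR_PTR()/IS_ERR() helpers. */
static void *err_ptr(long e)       { return (void *)e; }
static int   is_err(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

/* Leak detection: count buffers obtained from msg_alloc() and not yet freed. */
static int live_msgs;
static void *msg_alloc(size_t n) { void *p = malloc(n); if (p) live_msgs++; return p; }
static void  msg_free(void *p)   { if (p) { live_msgs--; free(p); } }

/* Failure injection knobs (assumptions for the model). */
static int fail_get_at_chunk = -1;   /* rpc_get_model() fails on this chunk index */
static int fail_reply;               /* handle_reply_model() returns an error */
static unsigned char queue_slot[MAX_PAYLOAD]; /* stand-in for a command-queue entry */

/* Returns a queue slot for one chunk; the slot is not owned by the caller. */
static void *rpc_get_model(int chunk_idx)
{
    if (chunk_idx == fail_get_at_chunk)
        return err_ptr(-ENOMEM);
    return queue_slot;
}

/* Waits for the reply; may fail. */
static void *handle_reply_model(void)
{
    if (fail_reply)
        return err_ptr(-EIO);
    return queue_slot;
}

/*
 * Chunked push. `msg` is a separately allocated buffer this function must
 * release once it has been copied into queue slots. With fixed == 0 it is
 * freed only after a successful reply, mirroring the quoted pattern; with
 * fixed == 1 it is freed on every exit of the chunked path.
 */
static void *rpc_push_model(unsigned char *msg, size_t payload_size, int fixed)
{
    void *repv = NULL;
    size_t off = 0;
    int idx = 0;

    while (off < payload_size) {
        size_t n = payload_size - off;
        if (n > MAX_PAYLOAD)
            n = MAX_PAYLOAD;
        void *next = rpc_get_model(idx++);
        if (is_err(next)) {
            repv = next;
            goto done;          /* msg is still owned here */
        }
        memcpy(next, msg + off, n);
        off += n;
    }
    repv = handle_reply_model();
    if (!fixed && !is_err(repv))
        msg_free(msg);          /* original pattern: freed only on success */
done:
    if (fixed)
        msg_free(msg);          /* fixed variant: released on every exit */
    return repv;
}

/* Runs one push with the given failure injection; returns buffers left live. */
static int leaked_after_push(int fixed, int fail_chunk, int reply_fails)
{
    size_t payload = 3 * MAX_PAYLOAD + 5;   /* forces chunking: four chunks */
    fail_get_at_chunk = fail_chunk;
    fail_reply = reply_fails;
    live_msgs = 0;
    unsigned char *msg = msg_alloc(payload);
    if (!msg)
        return -1;
    memset(msg, 0xa5, payload);             /* constructed payload bytes */
    rpc_push_model(msg, payload, fixed);
    return live_msgs;
}

int main(void)
{
    printf("original, rpc_get fails on chunk 1: %d leaked\n", leaked_after_push(0, 1, 0));
    printf("original, reply fails:              %d leaked\n", leaked_after_push(0, -1, 1));
    printf("original, success:                  %d leaked\n", leaked_after_push(0, -1, 0));
    printf("fixed,    rpc_get fails on chunk 1: %d leaked\n", leaked_after_push(1, 1, 0));
    printf("fixed,    reply fails:              %d leaked\n", leaked_after_push(1, -1, 1));
    return 0;
}
```

The two injected failures correspond to the two paths the review names: an error pointer from the per-chunk get (the `goto done` before any free) and an error pointer from the reply handler (the `!IS_ERR(repv)` guard skipping the free). The same live-buffer counter technique, wired to kvmalloc/kvfree in a test harness or replaced by kmemleak on a real kernel, is how a practitioner would confirm the leak under repeated RPC failures.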
