Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b7d6c8db authored Mar 10, 2017 by Alexandre Courbot Committed by Dave Airlie Mar 17, 2017

drm/nouveau/secboot: fix NULL pointer dereference



The msgqueue pointer validity should be checked by its owner, not by the
msgqueue code itself to avoid this situation.

Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Dave Airlie <airlied@redhat.com>

parent aa7fc0ca

drivers/gpu/drm/nouveau/nvkm/engine/sec2/base.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -59,6 +59,13 @@ static void
		nvkm_sec2_recv(struct work_struct *work)
		{
		struct nvkm_sec2 sec2 = container_of(work, typeof(sec2), work);

		if (!sec2->queue) {
		nvkm_warn(&sec2->engine.subdev,
		"recv function called while no firmware set!\n");
		return;
		}

		nvkm_msgqueue_recv(sec2->queue);
		}

drivers/gpu/drm/nouveau/nvkm/falcon/msgqueue.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -510,11 +510,10 @@ nvkm_msgqueue_del(struct nvkm_msgqueue **queue)
		void
		nvkm_msgqueue_recv(struct nvkm_msgqueue *queue)
		{
		if (!queue \|\| !queue->func \|\| !queue->func->recv) {
		if (!queue->func \|\| !queue->func->recv) {
		const struct nvkm_subdev *subdev = queue->falcon->owner;

		nvkm_warn(subdev,
		"cmdqueue recv function called while no firmware set!\n");
		nvkm_warn(subdev, "missing msgqueue recv function\n");
		return;
		}

drivers/gpu/drm/nouveau/nvkm/subdev/pmu/gm20b.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -27,6 +27,12 @@
		static void
		gm20b_pmu_recv(struct nvkm_pmu *pmu)
		{
		if (!pmu->queue) {
		nvkm_warn(&pmu->subdev,
		"recv function called while no firmware set!\n");
		return;
		}

		nvkm_msgqueue_recv(pmu->queue);
		}