The issue was discovered through static analysis after reviewing changes
introduced by commit 773eb04d14a1 ("drm/nouveau/disp: expose conn event
class"). Function nouveau_dp_irq() dereferences the encoder pointer before
verifying that it is valid. The drm pointer is initialized using
outp->base.base.dev prior to the NULL check:
struct nouveau_drm *drm = nouveau_drm(outp->base.base.dev);
If no encoder is associated with the connector, this leads to a
NULL pointer dereference.
Move the drm initialization after the NULL check.
Fixes: 773eb04d14a1 ("drm/nouveau/disp: expose conn event class")
Cc: [email protected]
Signed-off-by: Alexey Nepomnyashih <[email protected]>
---
drivers/gpu/drm/nouveau/nouveau_dp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_dp.c
b/drivers/gpu/drm/nouveau/nouveau_dp.c
index 55691ec44aba..738802358d85 100644
--- a/drivers/gpu/drm/nouveau/nouveau_dp.c
+++ b/drivers/gpu/drm/nouveau/nouveau_dp.c
@@ -486,7 +486,7 @@ nouveau_dp_irq(struct work_struct *work)
container_of(work, typeof(*nv_connector), irq_work);
struct drm_connector *connector = &nv_connector->base;
struct nouveau_encoder *outp = find_encoder(connector, DCB_OUTPUT_DP);
- struct nouveau_drm *drm = nouveau_drm(outp->base.base.dev);
+ struct nouveau_drm *drm;
struct nv50_mstm *mstm;
u64 hpd = 0;
int ret;
@@ -494,6 +494,8 @@ nouveau_dp_irq(struct work_struct *work)
if (!outp)
return;
+ drm = nouveau_drm(outp->base.base.dev);
+
mstm = outp->dp.mstm;
NV_DEBUG(drm, "service %s\n", connector->name);
--
2.43.0
