diff mbox series

drm/msm/dpu: Add callback function pointer check before its call

Message ID 20240408085523.12231-1-amishin@t-argos.ru (mailing list archive)
State Not Applicable
Headers show
Series drm/msm/dpu: Add callback function pointer check before its call | expand

Commit Message

Aleksandr Mishin April 8, 2024, 8:55 a.m. UTC 
In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
but then callback function is unconditionally called by this pointer.
Fix this bug by adding conditional return.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Dmitry Baryshkov April 8, 2024, 9:03 a.m. UTC | #1 
On Mon, 8 Apr 2024 at 11:57, Aleksandr Mishin <amishin@t-argos.ru> wrote:
>
> In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
> but then callback function is unconditionally called by this pointer.
> Fix this bug by adding conditional return.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.

This should be converted to a proper Reported-by: trailer.

>
> Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> index 946dd0135dff..03a16fbd4c99 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> @@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
>
>         VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>
> -       if (!irq_entry->cb)
> +       if (!irq_entry->cb) {
>                 DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
>                           DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
> +               return;
> +       }
>
>         atomic_inc(&irq_entry->count);
>
> --
> 2.30.2
>
>
Abhinav Kumar April 8, 2024, 4:51 p.m. UTC | #2 
On 4/8/2024 1:55 AM, Aleksandr Mishin wrote:
> In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
> but then callback function is unconditionally called by this pointer.
> Fix this bug by adding conditional return.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 

Yes , as dmitry wrote, this should be Reported-by.

But rest LGTM.

> Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>   drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> index 946dd0135dff..03a16fbd4c99 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> @@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
>   
>   	VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>   
> -	if (!irq_entry->cb)
> +	if (!irq_entry->cb) {
>   		DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
>   			  DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
> +		return;
> +	}
>   
>   	atomic_inc(&irq_entry->count);
>
Aleksandr Mishin April 10, 2024, 11:45 a.m. UTC | #3 
On 08.04.2024 19:51, Abhinav Kumar wrote:
> 
> 
> On 4/8/2024 1:55 AM, Aleksandr Mishin wrote:
>> In dpu_core_irq_callback_handler() callback function pointer is 
>> compared to NULL,
>> but then callback function is unconditionally called by this pointer.
>> Fix this bug by adding conditional return.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
> 
> Yes , as dmitry wrote, this should be Reported-by.
> 

It is an established practice for our project, you can find 700+ applied
patches with similar line:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org

> But rest LGTM.
> 
>> Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
>> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
>> ---
>>   drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c 
>> b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> index 946dd0135dff..03a16fbd4c99 100644
>> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> @@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct 
>> dpu_kms *dpu_kms, unsigned int
>>       VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>> -    if (!irq_entry->cb)
>> +    if (!irq_entry->cb) {
>>           DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
>>                 DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>> +        return;
>> +    }
>>       atomic_inc(&irq_entry->count);
Aleksandr Mishin April 10, 2024, 11:48 a.m. UTC | #4 
On 08.04.2024 12:03, Dmitry Baryshkov wrote:
> On Mon, 8 Apr 2024 at 11:57, Aleksandr Mishin <amishin@t-argos.ru> wrote:
>>
>> In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
>> but then callback function is unconditionally called by this pointer.
>> Fix this bug by adding conditional return.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> This should be converted to a proper Reported-by: trailer.
> 

It is an established practice for our project, you can find 700+ applied
patches with similar line:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org

>>
>> Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
>> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
>> ---
>>   drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> index 946dd0135dff..03a16fbd4c99 100644
>> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
>> @@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
>>
>>          VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>>
>> -       if (!irq_entry->cb)
>> +       if (!irq_entry->cb) {
>>                  DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
>>                            DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
>> +               return;
>> +       }
>>
>>          atomic_inc(&irq_entry->count);
>>
>> --
>> 2.30.2
>>
>>
> 
>
Dmitry Baryshkov April 10, 2024, 1:17 p.m. UTC | #5 
On Wed, 10 Apr 2024 at 14:53, Aleksandr Mishin <amishin@t-argos.ru> wrote:
> On 08.04.2024 12:03, Dmitry Baryshkov wrote:
> > On Mon, 8 Apr 2024 at 11:57, Aleksandr Mishin <amishin@t-argos.ru> wrote:
> >>
> >> In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
> >> but then callback function is unconditionally called by this pointer.
> >> Fix this bug by adding conditional return.
> >>
> >> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > This should be converted to a proper Reported-by: trailer.
> >
>
> It is an established practice for our project, you can find 700+ applied
> patches with similar line:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=linuxtesting.org

Is there any reason why your project doesn't follow established
guidelines? Compare this to other robots.

Anyway:

Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

>
> >>
> >> Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
> >> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> >> ---
> >>   drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 4 +++-
> >>   1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> >> index 946dd0135dff..03a16fbd4c99 100644
> >> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> >> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
> >> @@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
> >>
> >>          VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
> >>
> >> -       if (!irq_entry->cb)
> >> +       if (!irq_entry->cb) {
> >>                  DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
> >>                            DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
> >> +               return;
> >> +       }
> >>
> >>          atomic_inc(&irq_entry->count);
> >>
> >> --
> >> 2.30.2
> >>
> >>
> >
> >
>
> --
> Kind regards
> Aleksandr
diff mbox series

Patch

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
index 946dd0135dff..03a16fbd4c99 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
@@ -223,9 +223,11 @@  static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
 
 	VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
 
-	if (!irq_entry->cb)
+	if (!irq_entry->cb) {
 		DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
 			  DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
+		return;
+	}
 
 	atomic_inc(&irq_entry->count);