Patch "drm/msm/dpu: Add callback function pointer check before its call" has been added to the 6.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 3 Jun 2024 07:44:33 -0400

This is a note to let you know that I've just added the patch titled

    drm/msm/dpu: Add callback function pointer check before its call

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-msm-dpu-add-callback-function-pointer-check-befo.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a2cc71e1d0194b83712d75b96d8650f6f7065c54
Author: Aleksandr Mishin <amishin@xxxxxxxxxx>
Date:   Mon Apr 8 11:55:23 2024 +0300

    drm/msm/dpu: Add callback function pointer check before its call
    
    [ Upstream commit 530f272053a5e72243a9cb07bb1296af6c346002 ]
    
    In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
    but then callback function is unconditionally called by this pointer.
    Fix this bug by adding conditional return.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: c929ac60b3ed ("drm/msm/dpu: allow just single IRQ callback")
    Signed-off-by: Aleksandr Mishin <amishin@xxxxxxxxxx>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
    Patchwork: https://patchwork.freedesktop.org/patch/588237/
    Link: https://lore.kernel.org/r/20240408085523.12231-1-amishin@xxxxxxxxxx
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
index 6a0a74832fb64..b85881aab0478 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
@@ -223,9 +223,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, unsigned int
 
 	VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
 
-	if (!irq_entry->cb)
+	if (!irq_entry->cb) {
 		DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
 			  DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
+		return;
+	}
 
 	atomic_inc(&irq_entry->count);
 







