Commit 2d373253 authored Jul 03, 2024 by Aleksandr Mishin Committed by Yongqiang Liu Jul 03, 2024

drm/msm/dpu: Add callback function pointer check before its call

stable inclusion
from stable-v6.6.33
commit 873f67699114452c2a996c4e10faac8ff860c241
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D6V
CVE: CVE-2024-38622

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=873f67699114452c2a996c4e10faac8ff860c241



--------------------------------

[ Upstream commit 530f272053a5e72243a9cb07bb1296af6c346002 ]

In dpu_core_irq_callback_handler() callback function pointer is compared to NULL,
but then callback function is unconditionally called by this pointer.
Fix this bug by adding conditional return.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c929ac60 ("drm/msm/dpu: allow just single IRQ callback")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/588237/
Link: https://lore.kernel.org/r/20240408085523.12231-1-amishin@t-argos.ru


Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Rui Xiang <rui.xiang@huawei.com>

parent dd49758f

drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -221,9 +221,11 @@ static void dpu_core_irq_callback_handler(struct dpu_kms *dpu_kms, int irq_idx)

		VERB("IRQ=[%d, %d]\n", DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));

		if (!irq_entry->cb)
		if (!irq_entry->cb) {
		DRM_ERROR("no registered cb, IRQ=[%d, %d]\n",
		DPU_IRQ_REG(irq_idx), DPU_IRQ_BIT(irq_idx));
		return;
		}

		atomic_inc(&irq_entry->count);