From: Dmitry Baryshkov dmitry.baryshkov@linaro.org
stable inclusion from stable-v6.6.33 commit 186a82662d1393260a5411fc258d088508f31002 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D6V CVE: CVE-2024-38622
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit a65264833690d1280b901e3fe8e2825a44b3502c ]
In preparation to reworking IRQ indices, move irq_idx validation to a separate helper.
Reviewed-by: Marijn Suijten marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov dmitry.baryshkov@linaro.org Patchwork: https://patchwork.freedesktop.org/patch/550929/ Link: https://lore.kernel.org/r/20230802100426.4184892-4-dmitry.baryshkov@linaro.o... Stable-dep-of: 530f272053a5 ("drm/msm/dpu: Add callback function pointer check before its call") Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Rui Xiang rui.xiang@huawei.com --- .../gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c index 01a9ccfcd54b..81d03b6c67d1 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c @@ -200,6 +200,12 @@ static const struct dpu_intr_reg dpu_intr_set_7xxx[] = { #define DPU_IRQ_REG(irq_idx) (irq_idx / 32) #define DPU_IRQ_MASK(irq_idx) (BIT(irq_idx % 32))
+static inline bool dpu_core_irq_is_valid(struct dpu_hw_intr *intr, + int irq_idx) +{ + return irq_idx >= 0 && irq_idx < intr->total_irqs; +} + /** * dpu_core_irq_callback_handler - dispatch core interrupts * @dpu_kms: Pointer to DPU's KMS structure @@ -291,7 +297,7 @@ static int dpu_hw_intr_enable_irq_locked(struct dpu_hw_intr *intr, int irq_idx) if (!intr) return -EINVAL;
- if (irq_idx < 0 || irq_idx >= intr->total_irqs) { + if (!dpu_core_irq_is_valid(intr, irq_idx)) { pr_err("invalid IRQ index: [%d]\n", irq_idx); return -EINVAL; } @@ -344,7 +350,7 @@ static int dpu_hw_intr_disable_irq_locked(struct dpu_hw_intr *intr, int irq_idx) if (!intr) return -EINVAL;
- if (irq_idx < 0 || irq_idx >= intr->total_irqs) { + if (!dpu_core_irq_is_valid(intr, irq_idx)) { pr_err("invalid IRQ index: [%d]\n", irq_idx); return -EINVAL; } @@ -429,13 +435,7 @@ u32 dpu_core_irq_read(struct dpu_kms *dpu_kms, int irq_idx) if (!intr) return 0;
- if (irq_idx < 0) { - DPU_ERROR("[%pS] invalid irq_idx=%d\n", - __builtin_return_address(0), irq_idx); - return 0; - } - - if (irq_idx < 0 || irq_idx >= intr->total_irqs) { + if (!dpu_core_irq_is_valid(intr, irq_idx)) { pr_err("invalid IRQ index: [%d]\n", irq_idx); return 0; } @@ -518,7 +518,7 @@ int dpu_core_irq_register_callback(struct dpu_kms *dpu_kms, int irq_idx, return -EINVAL; }
- if (irq_idx < 0 || irq_idx >= dpu_kms->hw_intr->total_irqs) { + if (!dpu_core_irq_is_valid(dpu_kms->hw_intr, irq_idx)) { DPU_ERROR("invalid IRQ index: [%d]\n", irq_idx); return -EINVAL; } @@ -555,7 +555,7 @@ int dpu_core_irq_unregister_callback(struct dpu_kms *dpu_kms, int irq_idx) unsigned long irq_flags; int ret;
- if (irq_idx < 0 || irq_idx >= dpu_kms->hw_intr->total_irqs) { + if (!dpu_core_irq_is_valid(dpu_kms->hw_intr, irq_idx)) { DPU_ERROR("invalid IRQ index: [%d]\n", irq_idx); return -EINVAL; }