[bug report] drm/msm: Add SDM845 DPU support

Dan Carpenter dan.carpenter at oracle.com
Fri Oct 1 12:28:38 UTC 2021 

Hello Jeykumar Sankaran,

The patch 25fdd5933e4c: "drm/msm: Add SDM845 DPU support" from Jun
27, 2018, leads to the following
Smatch static checker warning:

	drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c:1679 dpu_plane_init()
	warn: '&pdpu->mplane_list' not removed from list

drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
    1567 struct drm_plane *dpu_plane_init(struct drm_device *dev,
    1568                 uint32_t pipe, enum drm_plane_type type,
    1569                 unsigned long possible_crtcs, u32 master_plane_id)
    1570 {
    1571         struct drm_plane *plane = NULL, *master_plane = NULL;
    1572         const uint32_t *format_list;
    1573         struct dpu_plane *pdpu;
    1574         struct msm_drm_private *priv = dev->dev_private;
    1575         struct dpu_kms *kms = to_dpu_kms(priv->kms);
    1576         int zpos_max = DPU_ZPOS_MAX;
    1577         uint32_t num_formats;
    1578         int ret = -EINVAL;
    1579 
    1580         /* create and zero local structure */
    1581         pdpu = kzalloc(sizeof(*pdpu), GFP_KERNEL);
    1582         if (!pdpu) {
    1583                 DPU_ERROR("[%u]failed to allocate local plane struct\n", pipe);
    1584                 ret = -ENOMEM;
    1585                 return ERR_PTR(ret);
    1586         }
    1587 
    1588         /* cache local stuff for later */
    1589         plane = &pdpu->base;
    1590         pdpu->pipe = pipe;
    1591         pdpu->is_virtual = (master_plane_id != 0);
    1592         INIT_LIST_HEAD(&pdpu->mplane_list);
    1593         master_plane = drm_plane_find(dev, NULL, master_plane_id);
    1594         if (master_plane) {
    1595                 struct dpu_plane *mpdpu = to_dpu_plane(master_plane);
    1596 
    1597                 list_add_tail(&pdpu->mplane_list, &mpdpu->mplane_list);
                                        ^^^^^^^^^^^^^^^^^
This is not removed from the list in the error handling code so it will
lead to a Use After Free.

    1598         }
    1599 
    1600         /* initialize underlying h/w driver */
    1601         pdpu->pipe_hw = dpu_hw_sspp_init(pipe, kms->mmio, kms->catalog,
    1602                                                         master_plane_id != 0);
    1603         if (IS_ERR(pdpu->pipe_hw)) {
    1604                 DPU_ERROR("[%u]SSPP init failed\n", pipe);
    1605                 ret = PTR_ERR(pdpu->pipe_hw);
    1606                 goto clean_plane;
    1607         } else if (!pdpu->pipe_hw->cap || !pdpu->pipe_hw->cap->sblk) {
    1608                 DPU_ERROR("[%u]SSPP init returned invalid cfg\n", pipe);
    1609                 goto clean_sspp;
    1610         }
    1611 
    1612         /* cache features mask for later */
    1613         pdpu->features = pdpu->pipe_hw->cap->features;
    1614         pdpu->pipe_sblk = pdpu->pipe_hw->cap->sblk;
    1615         if (!pdpu->pipe_sblk) {
    1616                 DPU_ERROR("[%u]invalid sblk\n", pipe);
    1617                 goto clean_sspp;
    1618         }
    1619 
    1620         if (pdpu->is_virtual) {
    1621                 format_list = pdpu->pipe_sblk->virt_format_list;
    1622                 num_formats = pdpu->pipe_sblk->virt_num_formats;
    1623         }
    1624         else {
    1625                 format_list = pdpu->pipe_sblk->format_list;
    1626                 num_formats = pdpu->pipe_sblk->num_formats;
    1627         }
    1628 
    1629         ret = drm_universal_plane_init(dev, plane, 0xff, &dpu_plane_funcs,
    1630                                 format_list, num_formats,
    1631                                 supported_format_modifiers, type, NULL);
    1632         if (ret)
    1633                 goto clean_sspp;
    1634 
    1635         pdpu->catalog = kms->catalog;
    1636 
    1637         if (kms->catalog->mixer_count &&
    1638                 kms->catalog->mixer[0].sblk->maxblendstages) {
    1639                 zpos_max = kms->catalog->mixer[0].sblk->maxblendstages - 1;
    1640                 if (zpos_max > DPU_STAGE_MAX - DPU_STAGE_0 - 1)
    1641                         zpos_max = DPU_STAGE_MAX - DPU_STAGE_0 - 1;
    1642         }
    1643 
    1644         ret = drm_plane_create_zpos_property(plane, 0, 0, zpos_max);
    1645         if (ret)
    1646                 DPU_ERROR("failed to install zpos property, rc = %d\n", ret);
    1647 
    1648         drm_plane_create_alpha_property(plane);
    1649         drm_plane_create_blend_mode_property(plane,
    1650                         BIT(DRM_MODE_BLEND_PIXEL_NONE) |
    1651                         BIT(DRM_MODE_BLEND_PREMULTI) |
    1652                         BIT(DRM_MODE_BLEND_COVERAGE));
    1653 
    1654         drm_plane_create_rotation_property(plane,
    1655                         DRM_MODE_ROTATE_0,
    1656                         DRM_MODE_ROTATE_0 |
    1657                         DRM_MODE_ROTATE_180 |
    1658                         DRM_MODE_REFLECT_X |
    1659                         DRM_MODE_REFLECT_Y);
    1660 
    1661         drm_plane_enable_fb_damage_clips(plane);
    1662 
    1663         /* success! finalize initialization */
    1664         drm_plane_helper_add(plane, &dpu_plane_helper_funcs);
    1665 
    1666         /* save user friendly pipe name for later */
    1667         snprintf(pdpu->pipe_name, DPU_NAME_SIZE, "plane%u", plane->base.id);
    1668 
    1669         mutex_init(&pdpu->lock);
    1670 
    1671         DPU_DEBUG("%s created for pipe:%u id:%u virtual:%u\n", pdpu->pipe_name,
    1672                                         pipe, plane->base.id, master_plane_id);
    1673         return plane;
    1674 
    1675 clean_sspp:
    1676         if (pdpu && pdpu->pipe_hw)
    1677                 dpu_hw_sspp_destroy(pdpu->pipe_hw);
    1678 clean_plane:
--> 1679         kfree(pdpu);
    1680         return ERR_PTR(ret);
    1681 }

regards,
dan carpenter

More information about the dri-devel mailing list