From bdf2b26de6124a175d03092e89610f15ebc6a733 Mon Sep 17 00:00:00 2001 From: Stefan Wahren Date: Sun, 25 Apr 2021 12:50:53 +0200 Subject: [PATCH] staging: vchiq_arm: avoid crashing the kernel Using BUG_ON in a non-essential driver isn't recommend. So better trigger a stacktrace and bailout. Reviewed-by: Nicolas Saenz Julienne Signed-off-by: Stefan Wahren Link: https://lore.kernel.org/r/1619347863-16080-2-git-send-email-stefan.wahren@i2se.com Signed-off-by: Greg Kroah-Hartman --- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c index e39897c..367fa3d 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -602,7 +602,9 @@ service_callback(enum vchiq_reason reason, struct vchiq_header *header, DEBUG_TRACE(SERVICE_CALLBACK_LINE); service = handle_to_service(handle); - BUG_ON(!service); + if (WARN_ON(!service)) + return VCHIQ_SUCCESS; + user_service = (struct user_service *)service->base.userdata; instance = user_service->instance; @@ -918,8 +920,12 @@ static int vchiq_ioc_dequeue_message(struct vchiq_instance *instance, goto out; } - BUG_ON((int)(user_service->msg_insert - - user_service->msg_remove) < 0); + if (WARN_ON_ONCE((int)(user_service->msg_insert - + user_service->msg_remove) < 0)) { + spin_unlock(&msg_queue_spinlock); + ret = -EINVAL; + goto out; + } header = user_service->msg_queue[user_service->msg_remove & (MSG_QUEUE_SIZE - 1)]; @@ -1937,7 +1943,10 @@ static int vchiq_release(struct inode *inode, struct file *file) wait_for_completion(&service->remove_event); - BUG_ON(service->srvstate != VCHIQ_SRVSTATE_FREE); + if (WARN_ON(service->srvstate != VCHIQ_SRVSTATE_FREE)) { + unlock_service(service); + break; + } spin_lock(&msg_queue_spinlock); -- 2.7.4