Hello Chris Wilson, Commit 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking") from Jan 29, 2019 (linux-next), leads to the following Smatch static checker warning:
drivers/gpu/drm/i915/selftests/i915_request.c:385 __igt_breadcrumbs_smoketest() warn: 'rq' can also be NULL drivers/gpu/drm/i915/selftests/i915_request.c 310 static void __igt_breadcrumbs_smoketest(struct kthread_work *work) 311 { 312 struct smoke_thread *thread = container_of(work, typeof(*thread), work); 313 struct smoketest *t = thread->t; 314 const unsigned int max_batch = min(t->ncontexts, t->max_batch) - 1; 315 const unsigned int total = 4 * t->ncontexts + 1; 316 unsigned int num_waits = 0, num_fences = 0; 317 struct i915_request **requests; 318 I915_RND_STATE(prng); 319 unsigned int *order; 320 int err = 0; 321 322 /* 323 * A very simple test to catch the most egregious of list handling bugs. 324 * 325 * At its heart, we simply create oodles of requests running across 326 * multiple kthreads and enable signaling on them, for the sole purpose 327 * of stressing our breadcrumb handling. The only inspection we do is 328 * that the fences were marked as signaled. 329 */ 330 331 requests = kcalloc(total, sizeof(*requests), GFP_KERNEL); 332 if (!requests) { 333 thread->result = -ENOMEM; 334 return; 335 } 336 337 order = i915_random_order(total, &prng); 338 if (!order) { 339 err = -ENOMEM; 340 goto out_requests; 341 } 342 343 while (!READ_ONCE(thread->stop)) { 344 struct i915_sw_fence *submit, *wait; 345 unsigned int n, count; 346 347 submit = heap_fence_create(GFP_KERNEL); 348 if (!submit) { 349 err = -ENOMEM; 350 break; 351 } 352 353 wait = heap_fence_create(GFP_KERNEL); 354 if (!wait) { 355 i915_sw_fence_commit(submit); 356 heap_fence_put(submit); 357 err = -ENOMEM; 358 break; 359 } 360 361 i915_random_reorder(order, total, &prng); 362 count = 1 + i915_prandom_u32_max_state(max_batch, &prng); 363 364 for (n = 0; n < count; n++) { 365 struct i915_gem_context *ctx = 366 t->contexts[order[n] % t->ncontexts]; 367 struct i915_request *rq; 368 struct intel_context *ce; 369 370 ce = i915_gem_context_get_engine(ctx, t->engine->legacy_idx); 371 GEM_BUG_ON(IS_ERR(ce)); 
372 rq = t->request_alloc(ce); 373 intel_context_put(ce); 374 if (IS_ERR(rq)) {

The __mock_request_alloc() function returns NULL on error. IS_ERR() is false for a NULL pointer, so this check does not catch that failure and a NULL 'rq' falls through to the code below.

375 err = PTR_ERR(rq); 376 count = n; 377 break; 378 } 379 380 err = i915_sw_fence_await_sw_fence_gfp(&rq->submit, 381 submit, 382 GFP_KERNEL); 383 384 requests[n] = i915_request_get(rq);
--> 385 i915_request_add(rq);
^^ Leading to a NULL dereference.
386 387 if (err >= 0) 388 err = i915_sw_fence_await_dma_fence(wait, 389 &rq->fence, 390 0,

regards,
dan carpenter