[BUG] drm/amdgpu: possible null-pointer dereference in dce_vXX_0_afmt_setmode()

Tuo Li islituo at gmail.com
Tue Aug 10 09:28:07 UTC 2021


Hello,

Our static analysis tool finds some possible null-pointer dereferences 
in the amdgpu driver in Linux 5.14.0-rc3:

In dce_v10_0.c:
The variable encoder->crtc is checked in:
1591:    if (encoder->crtc)

This indicates that encoder->crtc can be NULL.
Then the function dce_v10_0_audio_set_dto() is called with the argument 
encoder:
1600:    ce_v10_0_audio_set_dto(encoder, mode->clock);

However, encoder->crtc is dereferenced in this function:
1545:    struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(encoder->crtc);
1559:    tmp = REG_SET_FIELD(tmp, DCCG_AUDIO_DTO_SOURCE, 
DCCG_AUDIO_DTO0_SOURCE_SEL, amdgpu_crtc->crtc_id);

In dce_v11_0.c and dce_v8_0.c, situations are the same.

I am not quite sure whether these possible null-pointer dereferences are 
real and how to fix them if they are real.
Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab at tsinghua.edu.cn>

Best wishes,
Tuo Li


More information about the amd-gfx mailing list