[BUG] drm/amd/display: possible null-pointer dereference or redundant null check in amdgpu_dm.c
Tuo Li
islituo at gmail.com
Thu Oct 17 08:43:04 UTC 2024
Hello,
Our static analysis tool has identified a potential null-pointer dereference or
redundant null check related to the wait-completion synchronization mechanism in
amdgpu_dm.c in Linux 6.11.
Consider the following execution scenario:
dmub_aux_setconfig_callback() //731
if (adev->dm.dmub_notify) //734
complete(&adev->dm.dmub_aux_transfer_done); //737
The variable adev->dm.dmub_notify is checked by an if statement at Line 734,
which indicates that adev->dm.dmub_notify can NULL. Then, complete() is called
at Line 737 which wakes up the wait_for_completion().
Consider the wait_for_completion()
amdgpu_dm_process_dmub_aux_transfer_sync() //12271
p_notify = adev->dm.dmub_notify; //12278
wait_for_completion_timeout(&adev->dm.dmub_aux_transfer_done, ...); // 12287
if (p_notify->result != AUX_RET_SUCCESS) //12293
The value of adev->dm.dmub_notify is assigned to p_notify at Line 12278. If
adev->dm.dmub_notify at Line 734 is checked to be NULL, the value p_notify after
the wait_for_completion_timeout() at Line 12278 can also be NULL. However, it is
dereferenced at Line 12293 without rechecking, causing a possible null dereference.
In fact, dmub_aux_setconfig_callback() is registered only if
adev->dm.dmub_notify is checked to be not NULL:
adev->dm.dmub_notify = kzalloc(...); //2006
if (!adev->dm.dmub_notify) { //2007
......
goto error; //2009
} //2010
......
register_dmub_notify_callback(..., dmub_aux_setconfig_callback, ...) //2019
I am not sure if adev->dm.dmub_notify is assigned with NULL elsewhere. If not,
the if check at Line 734 can be redundant.
Any feedback would be appreciated, thanks!
Sincerely,
Tuo Li
More information about the dri-devel
mailing list