Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL
before the call to dc_enable_dmub_notifications(), check
beforehand to ensure there will not be a possible NULL-ptr-deref
there.
Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop
CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in
'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().
Clean up by combining them all under one 'if'.
Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.
Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX")
Signed-off-by: Nikita Zhandarovich <[email protected]>
---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index d292f290cd6e..46ac3e6f42bb 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1938,17 +1938,15 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
adev->dm.hdcp_workqueue = NULL;
}
- if (adev->dm.dc)
+ if (adev->dm.dc) {
dc_deinit_callbacks(adev->dm.dc);
-
- if (adev->dm.dc)
dc_dmub_srv_destroy(&adev->dm.dc->ctx->dmub_srv);
-
- if (dc_enable_dmub_notifications(adev->dm.dc)) {
- kfree(adev->dm.dmub_notify);
- adev->dm.dmub_notify = NULL;
- destroy_workqueue(adev->dm.delayed_hpd_wq);
- adev->dm.delayed_hpd_wq = NULL;
+ if (dc_enable_dmub_notifications(adev->dm.dc)) {
+ kfree(adev->dm.dmub_notify);
+ adev->dm.dmub_notify = NULL;
+ destroy_workqueue(adev->dm.delayed_hpd_wq);
+ adev->dm.delayed_hpd_wq = NULL;
+ }
}
if (adev->dm.dmub_bo)
--
2.25.1
Applied. Thanks!
Alex
On Tue, Feb 6, 2024 at 11:51 AM Nikita Zhandarovich
<[email protected]> wrote:
>
> Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL
> before the call to dc_enable_dmub_notifications(), check
> beforehand to ensure there will not be a possible NULL-ptr-deref
> there.
>
> Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop
> CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in
> 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().
> Clean up by combining them all under one 'if'.
>
> Found by Linux Verification Center (linuxtesting.org) with static
> analysis tool SVACE.
>
> Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX")
> Signed-off-by: Nikita Zhandarovich <[email protected]>
> ---
> .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +++++++---------
> 1 file changed, 7 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index d292f290cd6e..46ac3e6f42bb 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> @@ -1938,17 +1938,15 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
> adev->dm.hdcp_workqueue = NULL;
> }
>
> - if (adev->dm.dc)
> + if (adev->dm.dc) {
> dc_deinit_callbacks(adev->dm.dc);
> -
> - if (adev->dm.dc)
> dc_dmub_srv_destroy(&adev->dm.dc->ctx->dmub_srv);
> -
> - if (dc_enable_dmub_notifications(adev->dm.dc)) {
> - kfree(adev->dm.dmub_notify);
> - adev->dm.dmub_notify = NULL;
> - destroy_workqueue(adev->dm.delayed_hpd_wq);
> - adev->dm.delayed_hpd_wq = NULL;
> + if (dc_enable_dmub_notifications(adev->dm.dc)) {
> + kfree(adev->dm.dmub_notify);
> + adev->dm.dmub_notify = NULL;
> + destroy_workqueue(adev->dm.delayed_hpd_wq);
> + adev->dm.delayed_hpd_wq = NULL;
> + }
> }
>
> if (adev->dm.dmub_bo)
> --
> 2.25.1
>