Bug Summary

File: dev/pci/drm/amd/amdgpu/psp_v10_0.c
Warning: line 86, column 6
Access to field 'data' results in a dereference of a null pointer (loaded from field 'ta_fw')

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name psp_v10_0.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -ffreestanding -mcmodel=kernel -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -target-feature +save-args -disable-red-zone -no-implicit-float -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sys -I /usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -I /usr/src/sys/arch -I /usr/src/sys/dev/pci/drm/include -I /usr/src/sys/dev/pci/drm/include/uapi -I /usr/src/sys/dev/pci/drm/amd/include/asic_reg -I /usr/src/sys/dev/pci/drm/amd/include -I /usr/src/sys/dev/pci/drm/amd/amdgpu -I /usr/src/sys/dev/pci/drm/amd/display -I /usr/src/sys/dev/pci/drm/amd/display/include -I /usr/src/sys/dev/pci/drm/amd/display/dc -I /usr/src/sys/dev/pci/drm/amd/display/amdgpu_dm -I /usr/src/sys/dev/pci/drm/amd/pm/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu11 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu12 -I 
/usr/src/sys/dev/pci/drm/amd/pm/powerplay -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/hwmgr -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/smumgr -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc/hw -I /usr/src/sys/dev/pci/drm/amd/display/dc/clk_mgr -I /usr/src/sys/dev/pci/drm/amd/display/modules/inc -I /usr/src/sys/dev/pci/drm/amd/display/modules/hdcp -I /usr/src/sys/dev/pci/drm/amd/display/dmub/inc -I /usr/src/sys/dev/pci/drm/i915 -D DDB -D DIAGNOSTIC -D KTRACE -D ACCOUNTING -D KMEMSTATS -D PTRACE -D POOL_DEBUG -D CRYPTO -D SYSVMSG -D SYSVSEM -D SYSVSHM -D UVM_SWAP_ENCRYPT -D FFS -D FFS2 -D FFS_SOFTUPDATES -D UFS_DIRHASH -D QUOTA -D EXT2FS -D MFS -D NFSCLIENT -D NFSSERVER -D CD9660 -D UDF -D MSDOSFS -D FIFO -D FUSE -D SOCKET_SPLICE -D TCP_ECN -D TCP_SIGNATURE -D INET6 -D IPSEC -D PPP_BSDCOMP -D PPP_DEFLATE -D PIPEX -D MROUTING -D MPLS -D BOOT_CONFIG -D USER_PCICONF -D APERTURE -D MTRR -D NTFS -D HIBERNATE -D PCIVERBOSE -D USBVERBOSE -D WSDISPLAY_COMPAT_USL -D WSDISPLAY_COMPAT_RAWKBD -D WSDISPLAY_DEFAULTSCREENS=6 -D X86EMU -D ONEWIREVERBOSE -D MULTIPROCESSOR -D MAXUSERS=80 -D _KERNEL -D CONFIG_DRM_AMD_DC_DCN3_0 -O2 -Wno-pointer-sign -Wno-address-of-packed-member -Wno-constant-conversion -Wno-unused-but-set-variable -Wno-gnu-folding-constant -fdebug-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /usr/obj/sys/arch/amd64/compile/GENERIC.MP/scan-build/2022-01-12-131800-47421-1 -x c /usr/src/sys/dev/pci/drm/amd/amdgpu/psp_v10_0.c

/usr/src/sys/dev/pci/drm/amd/amdgpu/psp_v10_0.c

1/*
2 * Copyright 2016 Advanced Micro Devices, Inc.
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice shall be included in
12 * all copies or substantial portions of the Software.
13 *
14 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
17 * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
18 * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
19 * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
20 * OTHER DEALINGS IN THE SOFTWARE.
21 *
22 * Author: Huang Rui
23 *
24 */
25
26#include <linux/firmware.h>
27#include <linux/module.h>
28#include <linux/pci.h>
29
30#include "amdgpu.h"
31#include "amdgpu_psp.h"
32#include "amdgpu_ucode.h"
33#include "soc15_common.h"
34#include "psp_v10_0.h"
35
36#include "mp/mp_10_0_offset.h"
37#include "gc/gc_9_1_offset.h"
38#include "sdma0/sdma0_4_1_offset.h"
39
/*
 * Firmware image names declared for this file: one *_asd.bin and one
 * *_ta.bin image for each of raven, raven2 and picasso. The *_ta.bin names
 * match the "amdgpu/%s_ta.bin" pattern that psp_v10_0_init_microcode()
 * builds from chip_name.
 */
40MODULE_FIRMWARE("amdgpu/raven_asd.bin");
41MODULE_FIRMWARE("amdgpu/picasso_asd.bin");
42MODULE_FIRMWARE("amdgpu/raven2_asd.bin");
43MODULE_FIRMWARE("amdgpu/picasso_ta.bin");
44MODULE_FIRMWARE("amdgpu/raven2_ta.bin");
45MODULE_FIRMWARE("amdgpu/raven_ta.bin");
46
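/*
 * Load the ASD and TA firmware images for a Raven-family APU and record the
 * TA (HDCP and DTM) versions, sizes and start addresses in adev->psp.
 *
 * Returns 0 on success and also when the TA image cannot be loaded (that
 * case is only logged with dev_info). Returns the error from
 * psp_init_asd_microcode() or amdgpu_ucode_validate() otherwise.
 *
 * Analyzer report: scan-build flags the read of adev->psp.ta_fw->data
 * (line 86 of the original file) as a NULL dereference. The reported path
 * has request_firmware() store NULL into ta_fw because loadfirmware()
 * returned non-zero, and then assumes the value returned to this function
 * is 0. In the request_firmware() shim shown in the same report the NULL
 * store is followed by "return -r" with r != 0, so that combination looks
 * infeasible and the warning is probably a false positive. The
 * "if (err)" test must still stay ahead of every ta_fw dereference.
 */
static int psp_v10_0_init_microcode(struct psp_context *psp)
{
	struct amdgpu_device *adev = psp->adev;
	const char *chip_name;
	/*
	 * Start with an empty string: the "out" label prints fw_name, and it
	 * is reached from the ASD failure path before snprintf() has written
	 * the buffer. Without the initializer that path formats
	 * uninitialized stack bytes with "%s".
	 */
	char fw_name[30] = "";
	int err = 0;
	const struct ta_firmware_header_v1_0 *ta_hdr;
	DRM_DEBUG("\n");

	switch (adev->asic_type) {
	case CHIP_RAVEN:
		if (adev->apu_flags & AMD_APU_IS_RAVEN2)
			chip_name = "raven2";
		else if (adev->apu_flags & AMD_APU_IS_PICASSO)
			chip_name = "picasso";
		else
			chip_name = "raven";
		break;
	default:
		/* BUG() expands to panic() in this build, so chip_name is set below. */
		BUG();
	}

	err = psp_init_asd_microcode(psp, chip_name);
	if (err)
		goto out;

	snprintf(fw_name, sizeof(fw_name), "amdgpu/%s_ta.bin", chip_name);
	err = request_firmware(&adev->psp.ta_fw, fw_name, adev->dev);
	if (err) {
		/* A missing TA image is not fatal: log it and fall through to return 0. */
		release_firmware(adev->psp.ta_fw);
		adev->psp.ta_fw = NULL;
		dev_info(adev->dev,
			 "psp v10.0: Failed to load firmware \"%s\"\n",
			 fw_name);
	} else {
		err = amdgpu_ucode_validate(adev->psp.ta_fw);
		if (err)
			goto out2;

		/*
		 * Reported location (original line 86). ta_fw is only read here
		 * after request_firmware() returned 0.
		 *
		 * NOTE(review): the size and offset fields read from the header
		 * below are not compared with ta_fw->size in this function;
		 * whether amdgpu_ucode_validate() bounds them is not visible
		 * here - confirm.
		 */
		ta_hdr = (const struct ta_firmware_header_v1_0 *)
				 adev->psp.ta_fw->data;
		adev->psp.ta_hdcp_ucode_version =
			le32_to_cpu(ta_hdr->ta_hdcp_ucode_version);
		adev->psp.ta_hdcp_ucode_size =
			le32_to_cpu(ta_hdr->ta_hdcp_size_bytes);
		adev->psp.ta_hdcp_start_addr =
			(uint8_t *)ta_hdr +
			le32_to_cpu(ta_hdr->header.ucode_array_offset_bytes);

		adev->psp.ta_fw_version = le32_to_cpu(ta_hdr->header.ucode_version);

		adev->psp.ta_dtm_ucode_version =
			le32_to_cpu(ta_hdr->ta_dtm_ucode_version);
		adev->psp.ta_dtm_ucode_size =
			le32_to_cpu(ta_hdr->ta_dtm_size_bytes);
		adev->psp.ta_dtm_start_addr =
			(uint8_t *)adev->psp.ta_hdcp_start_addr +
			le32_to_cpu(ta_hdr->ta_dtm_offset_bytes);
	}

	return 0;

out2:
	/* Validation failed: drop the image so no stale pointer is left behind. */
	release_firmware(adev->psp.ta_fw);
	adev->psp.ta_fw = NULL;
out:
	if (err) {
		dev_err(adev->dev,
			"psp v10.0: Failed to load firmware \"%s\"\n",
			fw_name);
	}

	return err;
}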
120
/*
 * Set up psp->km_ring for the given ring type and allocate its backing
 * buffer: one 4k page of local frame buffer (VRAM) memory.
 *
 * Returns 0 on success. On allocation failure ring_size is reset to 0 and
 * the error from amdgpu_bo_create_kernel() is returned.
 */
static int psp_v10_0_ring_init(struct psp_context *psp,
			       enum psp_ring_type ring_type)
{
	struct amdgpu_device *adev = psp->adev;
	struct psp_ring *ring = &psp->km_ring;
	int rc;

	ring->ring_type = ring_type;
	ring->ring_size = 0x1000;

	rc = amdgpu_bo_create_kernel(adev, ring->ring_size, PAGE_SIZE,
				     AMDGPU_GEM_DOMAIN_VRAM,
				     &adev->firmware.rbuf,
				     &ring->ring_mem_mc_addr,
				     (void **)&ring->ring_mem);
	/* Leave no size behind for a buffer that was never allocated. */
	if (rc)
		ring->ring_size = 0;

	return rc;
}
146
/*
 * Describe the kernel-mode ring to the PSP through the MP0 C2PMSG
 * registers, issue the ring initialization command and wait for the
 * response flag.
 *
 * Returns the result of psp_wait_for().
 */
static int psp_v10_0_ring_create(struct psp_context *psp,
				 enum psp_ring_type ring_type)
{
	/* WREG32_SOC15() and SOC15_REG_OFFSET() expand to code that uses 'adev'. */
	struct amdgpu_device *adev = psp->adev;
	struct psp_ring *ring = &psp->km_ring;
	unsigned int val;

	/* C2PMSG_69: low 32 bits of the ring address. */
	val = lower_32_bits(ring->ring_mem_mc_addr);
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_69, val);

	/* C2PMSG_70: high 32 bits of the ring address. */
	val = upper_32_bits(ring->ring_mem_mc_addr);
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_70, val);

	/* C2PMSG_71: ring size. */
	val = ring->ring_size;
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_71, val);

	/* C2PMSG_64: ring initialization command, ring type in bits 16 and up. */
	val = ring_type;
	val <<= 16;
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_64, val);

	/* There might be handshake issue with hardware which needs delay */
	mdelay(20);

	/* Wait for response flag (bit 31) in C2PMSG_64 */
	return psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64),
			    0x80000000, 0x8000FFFF, false);
}
178
/*
 * Send the ring destroy command to the PSP through C2PMSG_64 and wait for
 * the response flag. ring_type is accepted but not used here.
 *
 * Returns the result of psp_wait_for().
 */
static int psp_v10_0_ring_stop(struct psp_context *psp,
			       enum psp_ring_type ring_type)
{
	/* WREG32_SOC15() and SOC15_REG_OFFSET() expand to code that uses 'adev'. */
	struct amdgpu_device *adev = psp->adev;
	unsigned int destroy_cmd = 3 << 16;

	/* Write the ring destroy command to C2PMSG_64 */
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_64, destroy_cmd);

	/* There might be handshake issue with hardware which needs delay */
	mdelay(20);

	/* Wait for response flag (bit 31) in C2PMSG_64 */
	return psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64),
			    0x80000000, 0x80000000, false);
}
199
/*
 * Stop the PSP ring and free its backing buffer.
 *
 * The buffer is freed even when the stop command fails; the failure is
 * logged and its error code is what the caller gets back.
 */
static int psp_v10_0_ring_destroy(struct psp_context *psp,
				  enum psp_ring_type ring_type)
{
	struct amdgpu_device *adev = psp->adev;
	struct psp_ring *ring = &psp->km_ring;
	int stop_rc = psp_v10_0_ring_stop(psp, ring_type);

	if (stop_rc != 0)
		DRM_ERROR("Fail to stop psp ring\n");

	amdgpu_bo_free_kernel(&adev->firmware.rbuf,
			      &ring->ring_mem_mc_addr,
			      (void **)&ring->ring_mem);

	return stop_rc;
}
217
/*
 * Mode 1 reset is not implemented for this PSP version: log that fact and
 * return -EINVAL. psp is not used.
 */
static int psp_v10_0_mode1_reset(struct psp_context *psp)
{
	const int rc = -EINVAL;

	DRM_INFO("psp mode 1 reset not supported now! \n");

	return rc;
}
223
/* Read the ring write pointer from MP0 register C2PMSG_67. */
static uint32_t psp_v10_0_ring_get_wptr(struct psp_context *psp)
{
	/* RREG32_SOC15() expands to code that uses a local named 'adev'. */
	struct amdgpu_device *adev = psp->adev;
	uint32_t wptr;

	wptr = RREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67);

	return wptr;
}
230
/* Write 'value' as the ring write pointer to MP0 register C2PMSG_67. */
static void psp_v10_0_ring_set_wptr(struct psp_context *psp, uint32_t value)
{
	/* WREG32_SOC15() expands to code that uses a local named 'adev'. */
	struct amdgpu_device *adev;

	adev = psp->adev;
	WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67, value);
}
237
/*
 * PSP v10.0 callback table, installed on a psp_context by
 * psp_v10_0_set_psp_funcs(). Every entry points at a static function
 * defined in this file.
 */
static const struct psp_funcs psp_v10_0_funcs = {
	.init_microcode	= psp_v10_0_init_microcode,
	.ring_init	= psp_v10_0_ring_init,
	.ring_create	= psp_v10_0_ring_create,
	.ring_stop	= psp_v10_0_ring_stop,
	.ring_destroy	= psp_v10_0_ring_destroy,
	.mode1_reset	= psp_v10_0_mode1_reset,
	.ring_get_wptr	= psp_v10_0_ring_get_wptr,
	.ring_set_wptr	= psp_v10_0_ring_set_wptr,
};
248
/* Point psp->funcs at the PSP v10.0 callback table defined in this file. */
void psp_v10_0_set_psp_funcs(struct psp_context *psp)
{
	const struct psp_funcs *table = &psp_v10_0_funcs;

	psp->funcs = table;
}

/usr/src/sys/dev/pci/drm/include/linux/firmware.h

1/* Public domain. */
2
3#ifndef _LINUX_FIRMWARE_H
4#define _LINUX_FIRMWARE_H
5
6#include <sys/types.h>
7#include <sys/malloc.h>
8#include <sys/device.h>
9#include <linux/types.h>
10#include <linux/gfp.h>
11
12#ifndef __DECONST
13#define __DECONST(type, var)((type)(__uintptr_t)(const void *)(var)) ((type)(__uintptr_t)(const void *)(var))
14#endif
15
/*
 * Firmware image handle used by this compatibility header.
 * request_firmware() has loadfirmware() fill in both fields, and
 * release_firmware() passes both back to free().
 */
16struct firmware {
17 size_t size;	/* passed to free() as the size of the data buffer */
18 const u8 *data;	/* buffer pointer written by loadfirmware() */
19};
20
/*
 * Load the firmware file 'name' through loadfirmware() and hand it back as
 * a newly allocated struct firmware in *fw.
 *
 * Returns 0 with *fw set on success. On failure the handle is freed, *fw is
 * set to NULL and the negated loadfirmware() result is returned, so callers
 * must test the return value before they dereference *fw. 'device' is not
 * used.
 *
 * Analyzer report: steps 8-10 of the reported path take the failure branch
 * here ("Null pointer value stored to field 'ta_fw'").
 */
static inline int
request_firmware(const struct firmware **fw, const char *name,
    struct device *device)
{
	struct firmware *img;
	int error;

	img = malloc(sizeof(struct firmware), M_DRM, M_WAITOK | M_ZERO);
	error = loadfirmware(name, __DECONST(u_char **, &img->data),
	    &img->size);
	if (error == 0) {
		*fw = img;
		return 0;
	}

	/* Failure: never leave a half-initialized handle in *fw. */
	free(img, M_DRM, sizeof(struct firmware));
	*fw = NULL;
	return -error;
}
38
/*
 * Same contract as request_firmware(): this shim forwards all three
 * arguments to it and returns its result unchanged.
 */
static inline int
request_firmware_direct(const struct firmware **fw, const char *name,
    struct device *device)
{
	int error = request_firmware(fw, name, device);

	return error;
}
45
46#define request_firmware_nowait(a, b, c, d, e, f, g)-22 -EINVAL22
47
/*
 * Free a firmware handle obtained from request_firmware(): the data buffer
 * first, then the handle itself.
 *
 * Only the data free is guarded by the NULL test. The second free() is
 * also reached when fw is NULL, which relies on the kernel free()
 * accepting a NULL pointer - confirm against free(9). sizeof(*fw) is not
 * evaluated, so it does not dereference fw.
 */
static inline void
release_firmware(const struct firmware *fw)
{
	if (fw != NULL) {
		free(__DECONST(u_char *, fw->data), M_DEVBUF, fw->size);
	}

	free(__DECONST(struct firmware *, fw), M_DRM, sizeof(*fw));
}
55
56#endif