[PATCH] drm/amd/display:fix a Null pointer dereference vulnerability

Harry Wentland harry.wentland at amd.com
Thu Jul 3 15:15:49 UTC 2025


On 2025-07-02 23:39, jackysliu wrote:
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash.
> 
> Signed-off-by: jackysliu <Security at tencent.com>

Thanks for your patch.

Please run and fix this checkpatch.pl warning:

WARNING: From:/Signed-off-by: email address mismatch: 'From: jackysliu <1972843537 at qq.com>' != 'Signed-off-by: jackysliu <Security at tencent.com>'

> ---
>  drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
> index 56d011a1323c..3bda0593f66f 100644
> --- a/drivers/gpu/drm/amd/display/dc/core/dc.c
> +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
> @@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
>  	if (dc->link_srv)
>  		link_destroy_link_service(&dc->link_srv);
>  
> +	if (!dc->ctx) {
> +		dm_error("%s: called with NULL ctx\n", __func__);
> +		goto skip_ctx_cleanup;
> +	}
> +

I would prefer to simply wrap the dc->ctx->logger and dc->ctx bits
with if (!dc->ctx) and avoid the goto.

Harry

>  	if (dc->ctx->gpio_service)
>  		dal_gpio_service_destroy(&dc->ctx->gpio_service);
>  
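Review bot: the guard added at the top of this hunk does more than the fix needs. kfree(dc->ctx) and dc->ctx = NULL in the following hunk are already safe on a NULL pointer, so the only statements that must be skipped are the dc->ctx-> dereferences (the first one visible here is `if (dc->ctx->gpio_service)`); wrapping that run in a single `if (dc->ctx) { ... }` block, as Harry suggests, fixes the crash without a forward goto and without a label in a later hunk that has to stay paired with this check. The dm_error() is also questionable: the commit message says ctx is NULL because its allocation failed, and the construct error path then unwinds through dc_destruct(), so a NULL ctx here is an expected unwind condition rather than a driver error worth logging. Finally, the commit message names dc->ctx->perf_trace while the first dereference this guard protects is dc->ctx->gpio_service; describing the guard as covering all dc->ctx member accesses in dc_destruct() would match the code.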
> @@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
>  	kfree(dc->ctx);
>  	dc->ctx = NULL;
>  
> +skip_ctx_cleanup:
>  	kfree(dc->bw_vbios);
>  	dc->bw_vbios = NULL;
>  
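Review bot: the skip_ctx_cleanup label sits directly after `dc->ctx = NULL;`, so the two statements it lets the jump bypass (kfree(dc->ctx) and the assignment) are no-ops for a NULL ctx; the jump itself protects nothing in this hunk. If the dereferences in the first hunk are wrapped in an if (dc->ctx) block per Harry's suggestion, this label and the one-line addition here can be dropped entirely, which also removes the risk of a later edit placing a dc->ctx use after the label where the early check no longer covers it. Please also confirm that the remainder of dc_destruct() below kfree(dc->bw_vbios) does not touch dc->ctx; the visible context suggests it does not.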


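The failure mode the commit message describes, a constructor that fails after allocating some members and then unwinds through a destructor that assumes every member exists, in a self-contained model. This is an added example, not the amdgpu code under review: `struct dc`, `struct dc_context`, the field names and the `ctx_alloc()` failure hook are constructed stand-ins, and the destructor uses the `if (dc->ctx)` wrapping Harry asks for rather than the patch's goto.

```c
/* Added example, not the kernel's code: a minimal model of the
 * partially-constructed-object problem in the commit message.
 * struct dc / struct dc_context, the field names and the allocator
 * hook are constructed stand-ins, not the real drm/amd/display types. */
#include <stdlib.h>
#include <string.h>

struct dc_context {
    void *gpio_service;   /* stand-in for a sub-object owned by ctx */
    void *perf_trace;     /* stand-in for another ctx-owned sub-object */
};

struct dc {
    struct dc_context *ctx;   /* stays NULL if construction fails early */
    void *bw_vbios;           /* member owned directly by dc */
};

/* Test hook: when non-zero, the ctx allocation is forced to fail,
 * mimicking the memory-allocation failure the commit message cites. */
static int fail_ctx_alloc;

static void *ctx_alloc(size_t n)
{
    return fail_ctx_alloc ? NULL : calloc(1, n);
}

/* Tear-down that is safe whether or not dc->ctx was ever allocated.
 * Every dc->ctx-> dereference lives inside one if (dc->ctx) block, so
 * no label or goto is needed; free(NULL) is a no-op, as kfree(NULL) is. */
static void dc_destruct(struct dc *dc)
{
    if (dc->ctx) {
        free(dc->ctx->gpio_service);
        dc->ctx->gpio_service = NULL;
        free(dc->ctx->perf_trace);
        dc->ctx->perf_trace = NULL;
        free(dc->ctx);
        dc->ctx = NULL;
    }
    free(dc->bw_vbios);
    dc->bw_vbios = NULL;
}

/* Constructor: on any failure, unwind through dc_destruct(), as the
 * driver's error path does, so the destructor must tolerate a
 * half-built object. Returns 0 on success, -1 on failure. */
static int dc_construct(struct dc *dc)
{
    memset(dc, 0, sizeof(*dc));
    dc->bw_vbios = calloc(1, 64);
    if (!dc->bw_vbios)
        goto fail;
    dc->ctx = ctx_alloc(sizeof(*dc->ctx));
    if (!dc->ctx)
        goto fail;          /* dc->ctx is NULL here: the crash scenario */
    dc->ctx->gpio_service = calloc(1, 16);
    dc->ctx->perf_trace = calloc(1, 16);
    if (!dc->ctx->gpio_service || !dc->ctx->perf_trace)
        goto fail;
    return 0;
fail:
    dc_destruct(dc);
    return -1;
}

/* Drives both paths. Returns 1 if the failed-construction path unwinds
 * without dereferencing the NULL ctx (and releases bw_vbios), and the
 * success path builds and tears down leaving no dangling pointers. */
static int run_scenarios(void)
{
    struct dc dc;

    fail_ctx_alloc = 1;
    if (dc_construct(&dc) != -1 || dc.ctx != NULL || dc.bw_vbios != NULL)
        return 0;

    fail_ctx_alloc = 0;
    if (dc_construct(&dc) != 0 || dc.ctx == NULL)
        return 0;
    dc_destruct(&dc);
    return dc.ctx == NULL && dc.bw_vbios == NULL;
}
```

Running `run_scenarios()` exercises the exact sequence from the report: allocation of ctx fails, the constructor jumps to its unwind path, and dc_destruct() is entered with dc->ctx == NULL. With the dereferences grouped under one `if (dc->ctx)`, the only work left on that path is freeing the members dc owns directly, and nothing needs to be skipped with a goto.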
