[PATCH v2] drm/amd/display:fix a Null pointer dereference vulnerability
Mario Limonciello
mario.limonciello at amd.com
Tue Jul 15 21:29:23 UTC 2025
On 7/15/2025 5:44 AM, Krzysztof Kozlowski wrote:
> On 04/07/2025 05:16, jackysliu wrote:
>> From: jackysliu <Security at tencent.com>
>>
>> A null pointer dereference vulnerability exists in the AMD display driver's
>> (DC module) cleanup function dc_destruct().
>> When display control context (dc->ctx) construction fails
>> (due to memory allocation failure), this pointer remains NULL.
>> During subsequent error handling when dc_destruct() is called,
>> there's no NULL check before dereferencing the perf_trace member
>> (dc->ctx->perf_trace),
>> causing a kernel null pointer dereference crash.
>>
>> Signed-off-by: jackysliu <Security at tencent.com>
>> ---
>> drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
>> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> You should disclose that you used some AI tool for that... and that the
> other report(s) were really fake findings. People should know you
> generated it with AI, so they could make informed decision whether to
> even allocate time here.
>
> Best regards,
> Krzysztof
Failure paths are so rarely executed that it sometimes takes years or
static analyzers to find and fix issues.
In this case I think it's a real problem. During init the following
sequence happens:
dc_create()
->dc_construct_ctx()
If dc_construct_ctx() fails then it jumps to a label that calls
dc_destruct(). So if the context wasn't set up then yeah there could be
a NULL pointer deref.
So to me this makes sense.
Reviewed-by: Mario Limonciello <mario.limonciello at amd.com>
Harry, do you agree?
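The control flow Mario describes (dc_create() calls dc_construct_ctx(), a failure there jumps to a label that calls dc_destruct(), and dc_destruct() reaches dc->ctx->perf_trace without checking dc->ctx) is a common error-path bug shape. The following is an added, self-contained C model of that shape written for this page; it is not the AMD DC code and not the patch. The names dc_create, dc_construct_ctx, dc_destruct and dc->ctx->perf_trace come from the thread; struct layouts, model_kzalloc (a stand-in for kzalloc with an injectable failure point), fail_alloc_at, alloc_count, resource_pool and the _unchecked/_checked destructor pair are assumptions made for the example. The unchecked destructor is kept only to show where the fault happens; the checked one is what a constructor's goto-cleanup path can safely call at any stage.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model for this example; stand-ins, not the driver's structs. */
struct dc_perf_trace { int entries; };
struct dc_context { struct dc_perf_trace *perf_trace; };
struct dc {
    struct dc_context *ctx;
    int *resource_pool;   /* stand-in for other members teardown releases */
};

/* Hypothetical allocation hook in place of kzalloc(): the Nth allocation
 * fails when fail_alloc_at == N; 0 means never fail. */
int fail_alloc_at;
int alloc_count;

void *model_kzalloc(size_t sz)
{
    alloc_count++;
    if (fail_alloc_at && alloc_count == fail_alloc_at)
        return NULL;
    return calloc(1, sz);
}

/* Bug shape from the commit message: perf_trace is reached through
 * dc->ctx with no check. Never call this on a half-built dc. */
void dc_destruct_unchecked(struct dc *dc)
{
    free(dc->ctx->perf_trace);   /* faults when dc->ctx is NULL */
    free(dc->ctx);
    free(dc->resource_pool);
}

/* Hardened teardown: each member is released only if it was set up, so a
 * constructor can jump here after any failed step. Returns the number of
 * members released so a test can check it; idempotent on the same dc. */
int dc_destruct_checked(struct dc *dc)
{
    int freed = 0;

    if (dc->ctx) {
        if (dc->ctx->perf_trace) {
            free(dc->ctx->perf_trace);
            freed++;
        }
        free(dc->ctx);
        dc->ctx = NULL;
        freed++;
    }
    if (dc->resource_pool) {
        free(dc->resource_pool);
        dc->resource_pool = NULL;
        freed++;
    }
    return freed;
}

/* Either allocation can fail, leaving dc->ctx NULL or half-filled. */
bool dc_construct_ctx(struct dc *dc)
{
    dc->ctx = model_kzalloc(sizeof(*dc->ctx));
    if (!dc->ctx)
        return false;
    dc->ctx->perf_trace = model_kzalloc(sizeof(*dc->ctx->perf_trace));
    return dc->ctx->perf_trace != NULL;
}

/* Same flow as the reply describes: a construction failure jumps to a
 * label whose cleanup calls the destructor. */
struct dc *dc_create(void)
{
    struct dc *dc = model_kzalloc(sizeof(*dc));

    if (!dc)
        return NULL;
    if (!dc_construct_ctx(dc))
        goto destruct_dc;
    dc->resource_pool = model_kzalloc(16 * sizeof(int));
    if (!dc->resource_pool)
        goto destruct_dc;
    return dc;

destruct_dc:
    dc_destruct_checked(dc);   /* with _unchecked here this is the crash */
    free(dc);
    return NULL;
}

int main(void)
{
    struct dc *dc;

    fail_alloc_at = 2;   /* second allocation is the ctx itself */
    alloc_count = 0;
    dc = dc_create();
    printf("ctx alloc failure -> %s\n", dc ? "created" : "NULL, no crash");

    fail_alloc_at = 0;
    alloc_count = 0;
    dc = dc_create();
    printf("normal create -> %d members freed\n",
           dc ? dc_destruct_checked(dc) : -1);
    free(dc);
    return 0;
}
```

Forcing the second allocation to fail reproduces the exact state the commit message describes (dc allocated, dc->ctx NULL) and the checked destructor returns cleanly; forcing the third reproduces the half-filled ctx case (ctx allocated, perf_trace NULL), which a check on dc->ctx alone would not cover, so a fix for this class of bug should test both members on the path.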