If link->panel_cntl is NULL, the function dce110_edp_backlight_control
attempts to dereference it at line 1019, leading to a potential NULL
pointer dereference and a kernel crash.
This bug can manifest when the eDP panel is not correctly configured
or initialized during certain power or display state transitions,
leaving link->panel_cntl unset or NULL. In such cases, the dereference
of a NULL pointer can result in an immediate kernel panic or
system instability.
Add a NULL check for link->panel_cntl before using it. Ensure that
the function safely returns if link->panel_cntl is not properly set,
preventing any attempts to dereference a NULL pointer and avoiding
potential crashes.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 06ddcee49a35 ("drm/amd/display: Added multi instance support for panel
control")
Signed-off-by: Mikhail Arkhipov <m.arhi...@rosa.ru>
---
.../display/dc/dce110/dce110_hw_sequencer.c | 50 ++++++++++---------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
index 508f5fe26848..1269628a4014 100644
--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
@@ -1016,32 +1016,34 @@ void dce110_edp_backlight_control(
*/
/* dc_service_sleep_in_milliseconds(50); */
/*edp 1.2*/
- panel_instance = link->panel_cntl->inst;
+ if (link->panel_cntl) {
+ panel_instance = link->panel_cntl->inst;
- if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
- if (!link->dc->config.edp_no_power_sequencing)
- /*
- * Sometimes, DP receiver chip power-controlled externally by an
- * Embedded Controller could be treated and used as eDP,
- * if it drives mobile display. In this case,
- * we shouldn't be doing power-sequencing, hence we can skip
- * waiting for T7-ready.
- */
- edp_receiver_ready_T7(link);
- else
- DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
- }
+ if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
+ if (!link->dc->config.edp_no_power_sequencing)
+ /*
+ * Sometimes, DP receiver chip power-controlled
externally by an
+ * Embedded Controller could be treated and
used as eDP,
+ * if it drives mobile display. In this case,
+ * we shouldn't be doing power-sequencing,
hence we can skip
+ * waiting for T7-ready.
+ */
+ edp_receiver_ready_T7(link);
+ else
+ DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
+ }
- if (ctx->dc->ctx->dmub_srv &&
- ctx->dc->debug.dmub_command_table) {
- if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
- ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
- LVTMA_CONTROL_LCD_BLON,
- panel_instance);
- else
- ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
- LVTMA_CONTROL_LCD_BLOFF,
- panel_instance);
+ if (ctx->dc->ctx->dmub_srv &&
+ ctx->dc->debug.dmub_command_table) {
+ if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
+
ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+ LVTMA_CONTROL_LCD_BLON,
+ panel_instance);
+ else
+
ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+ LVTMA_CONTROL_LCD_BLOFF,
+ panel_instance);
+ }
}
link_transmitter_control(ctx->dc_bios, &cntl);
--
2.39.3 (Apple Git-146)
