A null pointer dereference vulnerability exists in the AMD display driver's
 (DC module) cleanup function dc_destruct().
 When display control context (dc->ctx) construction fails
 (due to memory allocation failure), this pointer remains NULL.
During subsequent error handling, when dc_destruct() is called,
there is no NULL check before the perf_trace member
(dc->ctx->perf_trace) is dereferenced,
causing a kernel NULL pointer dereference crash.

Signed-off-by: jackysliu <secur...@tencent.com>
---
 drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c 
b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 56d011a1323c..3bda0593f66f 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
        if (dc->link_srv)
                link_destroy_link_service(&dc->link_srv);
 
+       if (!dc->ctx) {
+               dm_error("%s: called with NULL ctx\n", __func__);
+               goto skip_ctx_cleanup;
+       }
+
        if (dc->ctx->gpio_service)
                dal_gpio_service_destroy(&dc->ctx->gpio_service);
 
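Review bot: The forward `goto skip_ctx_cleanup` jumps over the old-file lines 937–946 that neither hunk shows, so the fix is correct only if every statement in that stretch dereferences `dc->ctx` and none of it releases a resource that is not owned by ctx; please confirm against the full function, since a ctx-independent free there would now be skipped (leaked) on this path. The error-level `dm_error("%s: called with NULL ctx\n", __func__)` fires on a path the description says is the expected teardown after a failed ctx allocation, where the allocation site presumably already reported the failure, so it adds a duplicate error message for a condition the destructor now handles correctly; dropping the message or lowering it to a debug-level log would keep the legitimate partial-destruct case quiet. Stylistically, the rest of `dc_destruct()` guards optional members with plain `if (dc->link_srv)` / `if (dc->ctx->gpio_service)` blocks, so wrapping the ctx teardown in an `if (dc->ctx) { ... }` block would match the surrounding code and remove the need for the `skip_ctx_cleanup:` label added in the second hunk. The enclosing function starts before the first hunk and continues past the second.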
@@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
        kfree(dc->ctx);
        dc->ctx = NULL;
 
+skip_ctx_cleanup:
        kfree(dc->bw_vbios);
        dc->bw_vbios = NULL;
 
-- 
2.43.5
