On 2025-07-02 23:39, jackysliu wrote:
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash.
>
> Signed-off-by: jackysliu <secur...@tencent.com>
Thanks for your patch. Please run and fix this checkpatch.pl warning:

WARNING: From:/Signed-off-by: email address mismatch: 'From: jackysliu <1972843...@qq.com>' != 'Signed-off-by: jackysliu <secur...@tencent.com>'

> ---
> drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c
> b/drivers/gpu/drm/amd/display/dc/core/dc.c
> index 56d011a1323c..3bda0593f66f 100644
> --- a/drivers/gpu/drm/amd/display/dc/core/dc.c
> +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
> @@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
> if (dc->link_srv)
> link_destroy_link_service(&dc->link_srv);
>
> + if (!dc->ctx) {
> + dm_error("%s: called with NULL ctx\n", __func__);
> + goto skip_ctx_cleanup;
> + }
> +

I would prefer to simply wrap the dc->ctx->logger and dc->ctx bits with if (!dc->ctx) and avoid the goto.

Harry

> if (dc->ctx->gpio_service)
> dal_gpio_service_destroy(&dc->ctx->gpio_service);
>
> @@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
> kfree(dc->ctx);
> dc->ctx = NULL;
>
> +skip_ctx_cleanup:
> kfree(dc->bw_vbios);
> dc->bw_vbios = NULL;
>
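Review bot: in the first hunk (`@@ -934,6 +934,11 @@`), the `goto skip_ctx_cleanup` jumps over everything between `link_destroy_link_service()` and the label in the second hunk, not just the `dc->ctx->gpio_service` teardown shown here; the original lines 940 to 946 are outside the diff context, so the patch gives no evidence that nothing in that range frees state independent of `dc->ctx`. Per Harry's reply, guarding only the `dc->ctx->...` accesses with `if (dc->ctx) { ... }` keeps every ctx-independent free on the normal path and makes the skipped region explicit in the diff. The commit message names `dc->ctx->perf_trace` as the crashing dereference while the first one visible in this hunk is `dc->ctx->gpio_service`; stating where the NULL dereference actually occurs would make the fix easier to verify.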
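Review bot: in the second hunk (`@@ -946,6 +951,7 @@`), placing `skip_ctx_cleanup:` immediately before `kfree(dc->bw_vbios)` ties the end of the skipped region to one unrelated free, so any later statement inserted just above the label is silently skipped on the NULL-ctx path and any inserted just below it runs. If the first hunk is reworked into an `if (dc->ctx)` block around the ctx-dependent calls, this label and the `goto` become unnecessary; the existing `kfree(dc->ctx); dc->ctx = NULL;` already handles a NULL ctx safely, so nothing in this hunk needs to change for that variant.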