From: Kery Qi
To: harry.wentland@amd.com
Cc: linux-kernel@vger.kernel.org, Kery Qi
Subject: [PATCH] drm/amd/display: dcn21: fix NULL deref in abm immediate disable
Date: Fri, 9 Jan 2026 04:23:29 +0800
Message-ID: <20260108202330.1849-1-qikeyu2017@gmail.com>

dcn21_set_abm_immediate_disable() dereferenced pipe_ctx->stream_res.tg
unconditionally to read tg->inst. pipe_ctx->stream_res.tg may be NULL on
some paths, and the function can still be reached when abm_level is
non-zero, leading to a NULL pointer dereference (oops/DoS).

Fix this by requiring abm, tg and panel_cntl to be present before
accessing tg->inst and issuing ABM/panel operations.

This is similar to CVE-2024-26661.

Fixes: 474ac4a875ca ("drm/amd/display: Implement some asic specific abm call backs.")
Signed-off-by: Kery Qi
---
 .../amd/display/dc/hwss/dcn21/dcn21_hwseq.c | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c b/driv= ers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c index e2269211553c..66d5c18e9a9e 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c 
@@ -179,7 +179,7 @@ static void dmub_abm_set_backlight(struct dc_context *d= c, uint32_t backlight_pwm void dcn21_set_abm_immediate_disable(struct pipe_ctx *pipe_ctx) { struct abm *abm =3D pipe_ctx->stream_res.abm; - uint32_t otg_inst =3D pipe_ctx->stream_res.tg->inst; + struct timing_generator *tg =3D pipe_ctx->stream_res.tg; struct panel_cntl *panel_cntl =3D pipe_ctx->stream->link->panel_cntl; struct dmcu *dmcu =3D pipe_ctx->stream->ctx->dc->res_pool->dmcu; =20 @@ -189,24 +189,29 @@ void dcn21_set_abm_immediate_disable(struct pipe_ctx = *pipe_ctx) return; } =20 + uint32_t otg_inst; + + if (!abm || !tg || !panel_cntl) + return; + + otg_inst =3D tg->inst; + if (dmcu) { dce110_set_abm_immediate_disable(pipe_ctx); return; } =20 - if (abm && panel_cntl) { - if (abm->funcs && abm->funcs->set_pipe_ex) { - abm->funcs->set_pipe_ex(abm, otg_inst, SET_ABM_PIPE_IMMEDIATELY_DISABLE, - panel_cntl->inst, panel_cntl->pwrseq_inst); - } else { - dcn21_dmub_abm_set_pipe(abm, - otg_inst, - SET_ABM_PIPE_IMMEDIATELY_DISABLE, - panel_cntl->inst, - panel_cntl->pwrseq_inst); - } - panel_cntl->funcs->store_backlight_level(panel_cntl); + if (abm->funcs && abm->funcs->set_pipe_ex) { + abm->funcs->set_pipe_ex(abm, otg_inst, SET_ABM_PIPE_IMMEDIATELY_DISABLE, + panel_cntl->inst, panel_cntl->pwrseq_inst); + } else { + dcn21_dmub_abm_set_pipe(abm, + otg_inst, + SET_ABM_PIPE_IMMEDIATELY_DISABLE, + panel_cntl->inst, + panel_cntl->pwrseq_inst); } + panel_cntl->funcs->store_backlight_level(panel_cntl); } =20 void dcn21_set_pipe(struct pipe_ctx *pipe_ctx) --=20 2.34.1
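
Review bot: In the first hunk (@@ -179,7), the two initializers kept as context right after the new tg line still dereference pipe_ctx->stream unconditionally (pipe_ctx->stream->link->panel_cntl and pipe_ctx->stream->ctx->dc->res_pool->dmcu). If tg can be NULL because the pipe is only partly set up, please confirm that stream cannot be NULL on the same path, or guard it as well. The commit message says tg "may be NULL on some paths" without naming one; citing the caller or an oops trace would make the fix easier to verify.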
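
Review bot: In the second hunk (@@ -189,24), the new early return on !abm || !tg || !panel_cntl sits above the if (dmcu) branch, so dce110_set_abm_immediate_disable(pipe_ctx) is now skipped whenever any of the three is NULL, while the removed code gated only the non-dmcu path on abm && panel_cntl. If that behaviour change for dmcu systems is not intended, move the check below the dmcu branch. Separately, uint32_t otg_inst; is declared after executable statements; kernel style keeps declarations at the top of the block, so declare it next to tg in the first hunk and assign it after the NULL check.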