From: Tao Liu
To: jani.nikula@linux.intel.com, rodrigo.vivi@intel.com, joonas.lahtinen@linux.intel.com, tursulin@ursulin.net, airlied@gmail.com, simona@ffwll.ch
Cc: intel-gfx@lists.freedesktop.org, intel-xe@lists.freedesktop.org, dri-devel@lists.freedesktop.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Tao Liu
Subject: [PATCH] i915: Fix NULL pointer dereference in intel_dmc_update_dc6_allowed_count()
Date: Sun, 1 Mar 2026 02:09:47 +1300
Message-ID: <20260228130946.50919-2-ltao@redhat.com>

There is a NULL pointer dereference issue noticed in i915 when the 2nd kernel
boots up during kdump. This will panic the 2nd kernel and lead to no vmcore
generation. The issue is observed on a Meteorlake CPU (cpuid: 0xA06A2):

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    ...
    RIP: 0010:intel_dmc_update_dc6_allowed_count+0x16/0xa0 [i915]
    ...

It is easy to locate the NULL pointer dereference by disassembly:

    00000000001171e0 :
    1171e0: f3 0f 1e fa             endbr64
    1171e4: e8 00 00 00 00          call 1171e9
    1171e9: 41 55                   push %r13
    1171eb: 41 54                   push %r12
    1171ed: 55                      push %rbp
    1171ee: 53                      push %rbx
    1171ef: 4c 8b a7 18 03 00 00    mov 0x318(%rdi),%r12
    1171f6: 49 8b 2c 24             mov (%r12),%rbp

To fix this, add a NULL pointer check before dereferencing.

Signed-off-by: Tao Liu
---

The issue doesn't happen in the 1st kernel, but in the 2nd kernel of kdump.
I'm not an expert in i915 and am unsure what led to the NULL pointer. To help
further analysis, here is the full stack:

[ 8.608520]
[ 8.610652] gen9_set_dc_state.part.0+0x25d/0x2f0 [i915]
[ 8.616096] icl_display_core_init+0x2d/0x620 [i915]
[ 8.621266] intel_power_domains_init_hw+0x1b2/0x500 [i915]
[ 8.627047] intel_display_driver_probe_noirq+0x87/0x300 [i915]
[ 8.633188] i915_driver_probe+0x207/0x5d0 [i915]
[ 8.637977] ? drm_privacy_screen_get+0x198/0x1c0
[ 8.642832] local_pci_probe+0x41/0x90
[ 8.646646] pci_call_probe+0x58/0x160
[ 8.650458] ? pci_assign_irq+0x2f/0x160
[ 8.654447] ? pci_match_device+0xf8/0x120
[ 8.658522] pci_device_probe+0x95/0x140
[ 8.662582] call_driver_probe+0x27/0x110
[ 8.666570] really_probe+0xcc/0x2c0
[ 8.670190] __driver_probe_device+0x78/0x120
[ 8.674692] driver_probe_device+0x1f/0xa0
[ 8.678857] __driver_attach+0xfa/0x230
[ 8.682757] ? __pfx___driver_attach+0x10/0x10
[ 8.687185] bus_for_each_dev+0x8e/0xe0
[ 8.691159] bus_add_driver+0x11f/0x200
[ 8.694970] driver_register+0x72/0xd0
[ 8.698853] i915_init+0x26/0x90 [i915]
[ 8.702837] ? __pfx_i915_init+0x10/0x10 [i915]
[ 8.707433] do_one_initcall+0x5c/0x320
[ 8.711409] do_init_module+0x60/0x240
[ 8.715132] init_module_from_file+0xd6/0x130
[ 8.719634] idempotent_init_module+0x114/0x310
[ 8.724241] __x64_sys_finit_module+0x71/0xe0
[ 8.728671] do_syscall_64+0x11b/0x6d0
[ 8.732483] ? ksys_read+0x6b/0xe0
[ 8.735854] ? arch_exit_to_user_mode_prepare.isra.0+0xa2/0xd0
[ 8.741768] ? do_syscall_64+0x153/0x6d0
[ 8.745828] ? do_syscall_64+0x153/0x6d0
[ 8.749814] ? do_syscall_64+0x153/0x6d0
[ 8.753800] ? clear_bhb_loop+0x30/0x80
[ 8.757700] entry_SYSCALL_64_after_hwframe+0x76/0x7e

---
 drivers/gpu/drm/i915/display/intel_dmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i91= 5/display/intel_dmc.c index 1006b060c3f3..fd2756badc0c 100644 --- a/drivers/gpu/drm/i915/display/intel_dmc.c +++ b/drivers/gpu/drm/i915/display/intel_dmc.c @@ -1578,7 +1578,7 @@ void intel_dmc_update_dc6_allowed_count(struct intel_= display *display, struct intel_dmc *dmc =3D display_to_dmc(display); u32 dc5_cur_count; =20 - if (DISPLAY_VER(dmc->display) < 14) + if (!dmc || DISPLAY_VER(dmc->display) < 14) return; =20 dc5_cur_count =3D intel_de_read(dmc->display, DG1_DMC_DEBUG_DC5_COUNT); --=20 2.47.0
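
Review bot: The new "!dmc" test in "if (!dmc || DISPLAY_VER(dmc->display) < 14)" makes intel_dmc_update_dc6_allowed_count() return silently, but neither the changelog nor the code says why display_to_dmc(display) yields NULL when gen9_set_dc_state() reaches this function in the kdump kernel. Please name the condition that leaves it NULL, so it is clear whether skipping the DC6 count update is the intended behaviour or whether the caller should not get this far, and add a short comment at the check saying so. Since the function already receives "display", the version check and the following intel_de_read() could use it directly instead of "dmc->display", which would leave the NULL test guarding only accesses to dmc's own state. The patch also carries no Fixes: tag identifying the change that introduced the unguarded dereference.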