lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20240915174050.78956-1-m.arhipov@rosa.ru>
Date: Sun, 15 Sep 2024 20:40:50 +0300
From: Mikhail Arkhipov <m.arhipov@...a.ru>
To: Harry Wentland <harry.wentland@....com>
Cc: Mikhail Arkhipov <m.arhipov@...a.ru>,
	Jake Wang <haonan.wang2@....com>,
	Leo Li <sunpeng.li@....com>,
	Rodrigo Siqueira <Rodrigo.Siqueira@....com>,
	Alex Deucher <alexander.deucher@....com>,
	Christian König <christian.koenig@....com>,
	"Pan, Xinhui" <Xinhui.Pan@....com>,
	David Airlie <airlied@...il.com>,
	Daniel Vetter <daniel@...ll.ch>,
	Wenjing Liu <wenjing.liu@....com>,
	Swapnil Patel <swapnil.patel@....com>,
	Sasha Levin <sashal@...nel.org>,
	amd-gfx@...ts.freedesktop.org,
	dri-devel@...ts.freedesktop.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org,
	lvc-patches@...uxtesting.org
Subject: [PATCH] drm/amd/display: Add NULL check for panel_cntl in dce110_edp_backlight_control

If link->panel_cntl is NULL, the function dce110_edp_backlight_control
attempts to dereference it at line 1019, leading to a potential NULL
pointer dereference and a kernel crash.

This bug can manifest when the eDP panel is not correctly configured
or initialized during certain power or display state transitions,
leaving link->panel_cntl unset or NULL. In such cases, the dereference
of a NULL pointer can result in an immediate kernel panic or
system instability.

Add a NULL check for link->panel_cntl before using it. Ensure that
the function safely returns if link->panel_cntl is not properly set,
preventing any attempts to dereference a NULL pointer and avoiding
potential crashes.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 06ddcee49a35 ("drm/amd/display: Added multi instance support for panel control")
Signed-off-by: Mikhail Arkhipov <m.arhipov@...a.ru>
---
 .../display/dc/dce110/dce110_hw_sequencer.c   | 50 ++++++++++---------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
index 508f5fe26848..1269628a4014 100644
--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
@@ -1016,32 +1016,34 @@ void dce110_edp_backlight_control(
 	 */
 	/* dc_service_sleep_in_milliseconds(50); */
 		/*edp 1.2*/
-	panel_instance = link->panel_cntl->inst;
+	if (link->panel_cntl) {
+		panel_instance = link->panel_cntl->inst;
 
-	if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
-		if (!link->dc->config.edp_no_power_sequencing)
-		/*
-		 * Sometimes, DP receiver chip power-controlled externally by an
-		 * Embedded Controller could be treated and used as eDP,
-		 * if it drives mobile display. In this case,
-		 * we shouldn't be doing power-sequencing, hence we can skip
-		 * waiting for T7-ready.
-		 */
-			edp_receiver_ready_T7(link);
-		else
-			DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
-	}
+		if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
+			if (!link->dc->config.edp_no_power_sequencing)
+				/*
+				 * Sometimes, DP receiver chip power-controlled externally by an
+				 * Embedded Controller could be treated and used as eDP,
+				 * if it drives mobile display. In this case,
+				 * we shouldn't be doing power-sequencing, hence we can skip
+				 * waiting for T7-ready.
+				 */
+				edp_receiver_ready_T7(link);
+			else
+				DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
+		}
 
-	if (ctx->dc->ctx->dmub_srv &&
-			ctx->dc->debug.dmub_command_table) {
-		if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
-			ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
-					LVTMA_CONTROL_LCD_BLON,
-					panel_instance);
-		else
-			ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
-					LVTMA_CONTROL_LCD_BLOFF,
-					panel_instance);
+		if (ctx->dc->ctx->dmub_srv &&
+				ctx->dc->debug.dmub_command_table) {
+			if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
+				ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+						LVTMA_CONTROL_LCD_BLON,
+						panel_instance);
+			else
+				ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+						LVTMA_CONTROL_LCD_BLOFF,
+						panel_instance);
+		}
 	}
 
 	link_transmitter_control(ctx->dc_bios, &cntl);
-- 
2.39.3 (Apple Git-146)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ