Message-ID: <20260108202330.1849-1-qikeyu2017@gmail.com>
Date: Fri,  9 Jan 2026 04:23:29 +0800
From: Kery Qi <qikeyu2017@...il.com>
To: harry.wentland@....com
Cc: linux-kernel@...r.kernel.org,
	Kery Qi <qikeyu2017@...il.com>
Subject: [PATCH] drm/amd/display: dcn21: fix NULL deref in abm immediate disable

dcn21_set_abm_immediate_disable() dereferenced pipe_ctx->stream_res.tg
unconditionally to read tg->inst. pipe_ctx->stream_res.tg may be NULL
on some paths, and the function can still be reached when abm_level is
non-zero, leading to a NULL pointer dereference (oops/DoS).

Fix this by requiring abm, tg and panel_cntl to be present before
accessing tg->inst and issuing ABM/panel operations.

This is similar to CVE-2024-26661.

Fixes: 474ac4a875ca ("drm/amd/display: Implement some asic specific abm call backs.")
Signed-off-by: Kery Qi <qikeyu2017@...il.com>
---
 .../amd/display/dc/hwss/dcn21/dcn21_hwseq.c   | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c
index e2269211553c..66d5c18e9a9e 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn21/dcn21_hwseq.c
@@ -179,7 +179,7 @@ static void dmub_abm_set_backlight(struct dc_context *dc, uint32_t backlight_pwm
 void dcn21_set_abm_immediate_disable(struct pipe_ctx *pipe_ctx)
 {
 	struct abm *abm = pipe_ctx->stream_res.abm;
-	uint32_t otg_inst = pipe_ctx->stream_res.tg->inst;
+	struct timing_generator *tg = pipe_ctx->stream_res.tg;
 	struct panel_cntl *panel_cntl = pipe_ctx->stream->link->panel_cntl;
 	struct dmcu *dmcu = pipe_ctx->stream->ctx->dc->res_pool->dmcu;
 
@@ -189,24 +189,29 @@ void dcn21_set_abm_immediate_disable(struct pipe_ctx *pipe_ctx)
 		return;
 	}
 
+	uint32_t otg_inst;
+
+	if (!abm || !tg || !panel_cntl)
+		return;
+
+	otg_inst = tg->inst;
+
 	if (dmcu) {
 		dce110_set_abm_immediate_disable(pipe_ctx);
 		return;
 	}
 
-	if (abm && panel_cntl) {
-		if (abm->funcs && abm->funcs->set_pipe_ex) {
-			abm->funcs->set_pipe_ex(abm, otg_inst, SET_ABM_PIPE_IMMEDIATELY_DISABLE,
-					panel_cntl->inst, panel_cntl->pwrseq_inst);
-		} else {
-			dcn21_dmub_abm_set_pipe(abm,
-						otg_inst,
-						SET_ABM_PIPE_IMMEDIATELY_DISABLE,
-						panel_cntl->inst,
-						panel_cntl->pwrseq_inst);
-		}
-		panel_cntl->funcs->store_backlight_level(panel_cntl);
+	if (abm->funcs && abm->funcs->set_pipe_ex) {
+		abm->funcs->set_pipe_ex(abm, otg_inst, SET_ABM_PIPE_IMMEDIATELY_DISABLE,
+				panel_cntl->inst, panel_cntl->pwrseq_inst);
+	} else {
+		dcn21_dmub_abm_set_pipe(abm,
+					otg_inst,
+					SET_ABM_PIPE_IMMEDIATELY_DISABLE,
+					panel_cntl->inst,
+					panel_cntl->pwrseq_inst);
 	}
+	panel_cntl->funcs->store_backlight_level(panel_cntl);
 }
 
 void dcn21_set_pipe(struct pipe_ctx *pipe_ctx)
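Review bot: The new guard `if (!abm || !tg || !panel_cntl) return;` sits above the `if (dmcu)` branch, so on DMCU configurations `dce110_set_abm_immediate_disable(pipe_ctx)` is now skipped whenever any of the three pointers is NULL, which the old code did not do. Unless that callee is known to require all three, the guard and `otg_inst = tg->inst;` belong after the `dmcu` early return, where `tg` is first needed. `uint32_t otg_inst;` is also declared after a statement (the `return;` block above it); kernel style would place it with the other locals at the top of the function, which are in the previous hunk. `panel_cntl->funcs->store_backlight_level(panel_cntl)` is still called without a `panel_cntl->funcs` check, unlike the `abm->funcs` test just above it, so either the same test or a one-line comment stating why `funcs` is always set would make the NULL handling consistent. The lines between the two hunks are not visible here, so what the earlier early return tests is unknown.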
-- 
2.34.1

