Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

drm/amd/display: fix a Null pointer dereference vulnerability

[Why]
A null pointer dereference vulnerability exists in the AMD display driver's
(DC module) cleanup function dc_destruct().
When display control context (dc->ctx) construction fails
(due to memory allocation failure), this pointer remains NULL.
During subsequent error handling when dc_destruct() is called,
there's no NULL check before dereferencing the perf_trace member
(dc->ctx->perf_trace), causing a kernel null pointer dereference crash.

[How]
Check if dc->ctx is non-NULL before dereferencing.

Link: https://lore.kernel.org/r/tencent_54FF4252EDFB6533090A491A25EEF3EDBF06@qq.com
Co-developed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
(Updated commit text and removed unnecessary error message)
Signed-off-by: Siyang Liu <Security@tencent.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 9dd8e2ba268c636c240a918e0a31e6feaee19404)
Cc: stable@vger.kernel.org

Authored by Siyang Liu and committed by Alex Deucher
1bcf63a4 3477c1b0

+10 -9
drivers/gpu/drm/amd/display/dc/core/dc.c
··· 938 938 if (dc->link_srv) 939 939 link_destroy_link_service(&dc->link_srv); 940 940 941 - if (dc->ctx->gpio_service) 942 - dal_gpio_service_destroy(&dc->ctx->gpio_service); 941 + if (dc->ctx) { 942 + if (dc->ctx->gpio_service) 943 + dal_gpio_service_destroy(&dc->ctx->gpio_service); 943 944 944 - if (dc->ctx->created_bios) 945 - dal_bios_parser_destroy(&dc->ctx->dc_bios); 945 + if (dc->ctx->created_bios) 946 + dal_bios_parser_destroy(&dc->ctx->dc_bios); 947 + kfree(dc->ctx->logger); 948 + dc_perf_trace_destroy(&dc->ctx->perf_trace); 946 949 947 - kfree(dc->ctx->logger); 948 - dc_perf_trace_destroy(&dc->ctx->perf_trace); 949 - 950 - kfree(dc->ctx); 951 - dc->ctx = NULL; 950 + kfree(dc->ctx); 951 + dc->ctx = NULL; 952 + } 952 953 953 954 kfree(dc->bw_vbios); 954 955 dc->bw_vbios = NULL;
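
Review bot: the commit text names dc->ctx->perf_trace as the faulting dereference, but in the removed lines the first access through dc->ctx is the `if (dc->ctx->gpio_service)` test at old line 941, several statements before `dc_perf_trace_destroy(&dc->ctx->perf_trace);`, so the message would be more accurate if it named that access or simply said "dereferencing dc->ctx". Inside the new `if (dc->ctx) {` block, the blank line that used to separate the created_bios test from `kfree(dc->ctx->logger);` was dropped (new line 947), so the kfree now sits directly under the single-statement `if (dc->ctx->created_bios)` and is easy to misread as part of its body; keeping the blank line would preserve the original grouping. The guard itself covers every dc->ctx access visible in this hunk, and `dc->ctx = NULL;` is correctly kept inside the block after the kfree.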