[PATCH] drm/amd/display: guard NULL manual-trigger callback in cursor programming

Thu, 05 Feb 2026 17:25:13 -0800 

From: Vitaly Prosyak <[email protected]>

KASAN reports a NULL instruction fetch (RIP=0x0) from
dc_stream_program_cursor_position():

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  RIP: 0010:0x0
  Call Trace:
    dc_stream_program_cursor_position+0x344/0x920 [amdgpu]
    amdgpu_dm_atomic_commit_tail+...

[  +1.041013] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  +0.000027] #PF: supervisor instruction fetch in kernel mode
[  +0.000013] #PF: error_code(0x0010) - not-present page
[  +0.000012] PGD 0 P4D 0
[  +0.000017] Oops: Oops: 0010 [#1] SMP KASAN NOPTI
[  +0.000017] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G            E   
    6.18.0+ #3 PREEMPT(voluntary)
[  +0.000023] Tainted: [E]=UNSIGNED_MODULE
[  +0.000010] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING 
(WI-FI), BIOS 1401 12/03/2020
[  +0.000016] Workqueue: events drm_mode_rmfb_work_fn
[  +0.000022] RIP: 0010:0x0
[  +0.000017] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[  +0.000015] RSP: 0018:ffffc9000017f4c8 EFLAGS: 00010246
[  +0.000016] RAX: 0000000000000000 RBX: ffff88810afdda80 RCX: 1ffff110457000d1
[  +0.000014] RDX: 1ffffffff87b75bd RSI: 0000000000000000 RDI: ffff88810afdda80
[  +0.000014] RBP: ffffc9000017f538 R08: 0000000000000000 R09: ffff88822b800690
[  +0.000013] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc3dbac20
[  +0.000014] R13: 0000000000000000 R14: ffff88811ab80000 R15: dffffc0000000000
[  +0.000014] FS:  0000000000000000(0000) GS:ffff888434599000(0000) 
knlGS:0000000000000000
[  +0.000015] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000013] CR2: ffffffffffffffd6 CR3: 000000010ee88000 CR4: 0000000000350ef0
[  +0.000014] Call Trace:
[  +0.000010]  <TASK>
[  +0.000010]  dc_stream_program_cursor_position+0x344/0x920 [amdgpu]
[  +0.001086]  ? __pfx_mutex_lock+0x10/0x10
[  +0.000015]  ? unwind_next_frame+0x18b/0xa70
[  +0.000019]  amdgpu_dm_atomic_commit_tail+0x1124/0xfa20 [amdgpu]
[  +0.001040]  ? ret_from_fork_asm+0x1a/0x30
[  +0.000018]  ? filter_irq_stacks+0x90/0xa0
[  +0.000022]  ? __pfx_amdgpu_dm_atomic_commit_tail+0x10/0x10 [amdgpu]
[  +0.001058]  ? kasan_save_track+0x18/0x70
[  +0.000015]  ? kasan_save_alloc_info+0x37/0x60
[  +0.000015]  ? __kasan_kmalloc+0xc3/0xd0
[  +0.000013]  ? __kmalloc_cache_noprof+0x1aa/0x600
[  +0.000016]  ? drm_atomic_helper_setup_commit+0x788/0x1450
[  +0.000017]  ? drm_atomic_helper_commit+0x7e/0x290
[  +0.000014]  ? drm_atomic_commit+0x205/0x2e0
[  +0.000015]  ? process_one_work+0x629/0xf80
[  +0.000016]  ? worker_thread+0x87f/0x1570
[  +0.000020]  ? srso_return_thunk+0x5/0x5f
[  +0.000014]  ? __kasan_check_write+0x14/0x30
[  +0.000014]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? _raw_spin_lock_irq+0x8a/0xf0
[  +0.000015]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[  +0.000016]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __kasan_check_write+0x14/0x30
[  +0.000014]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __wait_for_common+0x204/0x460
[  +0.000015]  ? sched_clock_noinstr+0x9/0x10
[  +0.000014]  ? __pfx_schedule_timeout+0x10/0x10
[  +0.000014]  ? local_clock_noinstr+0xe/0xd0
[  +0.000015]  ? __pfx___wait_for_common+0x10/0x10
[  +0.000014]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __wait_for_common+0x204/0x460
[  +0.000014]  ? __pfx_schedule_timeout+0x10/0x10
[  +0.000015]  ? __kasan_kmalloc+0xc3/0xd0
[  +0.000015]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? wait_for_completion_timeout+0x1d/0x30
[  +0.000015]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? drm_crtc_commit_wait+0x32/0x180
[  +0.000015]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? drm_atomic_helper_wait_for_dependencies+0x46a/0x800
[  +0.000019]  commit_tail+0x231/0x510
[  +0.000017]  drm_atomic_helper_commit+0x219/0x290
[  +0.000015]  ? __pfx_drm_atomic_helper_commit+0x10/0x10
[  +0.000016]  drm_atomic_commit+0x205/0x2e0
[  +0.000014]  ? __pfx_drm_atomic_commit+0x10/0x10
[  +0.000013]  ? __pfx_drm_connector_free+0x10/0x10
[  +0.000014]  ? __pfx___drm_printfn_info+0x10/0x10
[  +0.000017]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? drm_atomic_set_crtc_for_connector+0x49e/0x660
[  +0.000015]  ? drm_atomic_set_fb_for_plane+0x155/0x290
[  +0.000015]  drm_framebuffer_remove+0xa9b/0x1240
[  +0.000014]  ? finish_task_switch.isra.0+0x15a/0x840
[  +0.000015]  ? __switch_to+0x385/0xda0
[  +0.000015]  ? srso_safe_ret+0x1/0x20
[  +0.000013]  ? __pfx_drm_framebuffer_remove+0x10/0x10
[  +0.000016]  ? kasan_print_address_stack_frame+0x221/0x280
[  +0.000015]  drm_mode_rmfb_work_fn+0x14b/0x240
[  +0.000015]  process_one_work+0x629/0xf80
[  +0.000012]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __kasan_check_write+0x14/0x30
[  +0.000019]  worker_thread+0x87f/0x1570
[  +0.000013]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[  +0.000014]  ? __pfx_try_to_wake_up+0x10/0x10
[  +0.000017]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? kasan_print_address_stack_frame+0x227/0x280
[  +0.000017]  ? __pfx_worker_thread+0x10/0x10
[  +0.000014]  kthread+0x396/0x830
[  +0.000013]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[  +0.000015]  ? __pfx_kthread+0x10/0x10
[  +0.000012]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __kasan_check_write+0x14/0x30
[  +0.000014]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? recalc_sigpending+0x180/0x210
[  +0.000015]  ? srso_return_thunk+0x5/0x5f
[  +0.000013]  ? __pfx_kthread+0x10/0x10
[  +0.000014]  ret_from_fork+0x31c/0x3e0
[  +0.000014]  ? __pfx_kthread+0x10/0x10
[  +0.000013]  ret_from_fork_asm+0x1a/0x30
[  +0.000019]  </TASK>
[  +0.000010] Modules linked in: rfcomm(E) cmac(E) algif_hash(E) 
algif_skcipher(E) af_alg(E) snd_seq_dummy(E) snd_hrtimer(E) qrtr(E) 
xt_MASQUERADE(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) 
xt_mark(E) xt_tcpudp(E) nft_compat(E) nf_tables(E) x_tables(E) bnep(E) 
snd_hda_codec_alc882(E) snd_hda_codec_atihdmi(E) snd_hda_codec_realtek_lib(E) 
snd_hda_codec_hdmi(E) snd_hda_codec_generic(E) iwlmvm(E) snd_hda_intel(E) 
binfmt_misc(E) snd_hda_codec(E) snd_hda_core(E) mac80211(E) snd_intel_dspcfg(E) 
snd_intel_sdw_acpi(E) snd_hwdep(E) snd_pcm(E) libarc4(E) snd_seq_midi(E) 
snd_seq_midi_event(E) snd_rawmidi(E) amd_atl(E) intel_rapl_msr(E) snd_seq(E) 
intel_rapl_common(E) iwlwifi(E) jc42(E) snd_seq_device(E) btusb(E) snd_timer(E) 
btmtk(E) btrtl(E) edac_mce_amd(E) eeepc_wmi(E) polyval_clmulni(E) btbcm(E) 
ghash_clmulni_intel(E) asus_wmi(E) ee1004(E) platform_profile(E) btintel(E) 
snd(E) nls_iso8859_1(E) aesni_intel(E) soundcore(E) i2c_piix4(E) cfg80211(E) 
sparse_keymap(E) wmi_bmof(E) bluetooth(E) k10temp(E) rapl(E)
[  +0.000300]  i2c_smbus(E) ccp(E) joydev(E) input_leds(E) gpio_amdpt(E) 
mac_hid(E) sch_fq_codel(E) msr(E) parport_pc(E) ppdev(E) lp(E) parport(E) 
efi_pstore(E) nfnetlink(E) dmi_sysfs(E) autofs4(E) cdc_ether(E) usbnet(E) 
amdgpu(E) amdxcp(E) hid_generic(E) i2c_algo_bit(E) drm_ttm_helper(E) ttm(E) 
drm_exec(E) drm_panel_backlight_quirks(E) gpu_sched(E) drm_suballoc_helper(E) 
video(E) drm_buddy(E) usbhid(E) drm_display_helper(E) r8152(E) hid(E) mii(E) 
cec(E) ahci(E) rc_core(E) igc(E) libahci(E) wmi(E)
[  +0.000294] CR2: 0000000000000000
[  +0.000013] ---[ end trace 0000000000000000 ]---

The crash happens when we unconditionally call into the timing generator
manual trigger hook:

  pipe_ctx->stream_res.tg->funcs->program_manual_trigger(...)

On some configurations the timing generator (tg), its funcs table, or the
program_manual_trigger callback can be NULL. Guard all of these before
calling the hook. If the first pipe matching the stream cannot trigger,
keep scanning to find another matching pipe with a valid hook.

Cc: Aurabindo Pillai <[email protected]>
Cc: Alexander Deucher <[email protected]>
Cc: Christian Koenig  <[email protected]>

Suggested-by: Aurabindo Pillai <[email protected]>
Signed-off-by: Vitaly Prosyak <[email protected]>
---
 drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c 
b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
index f59020f1a722..ecd08580937d 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -522,8 +522,10 @@ bool dc_stream_program_cursor_position(
                        struct pipe_ctx *pipe_ctx = 
&dc->current_state->res_ctx.pipe_ctx[i];
 
                        /* trigger event on first pipe with current stream */
-                       if (stream == pipe_ctx->stream) {
-                               
pipe_ctx->stream_res.tg->funcs->program_manual_trigger(pipe_ctx->stream_res.tg);
+                       if (stream == pipe_ctx->stream &&
+                               
pipe_ctx->stream_res.tg->funcs->program_manual_trigger) {
+                               
pipe_ctx->stream_res.tg->funcs->program_manual_trigger(
+                                       pipe_ctx->stream_res.tg);
                                break;
                        }
                }
-- 
2.52.0

Reply via email to