From: Srinivasan Shanmugam <srinivasan.shanmu...@amd.com>

commit ac2140449184a26eac99585b7f69814bd3ba8f2d upstream.

This commit addresses a potential null pointer dereference issue in the `dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue could occur when `head_pipe` is null.

The fix adds a check to ensure `head_pipe` is not null before asserting it. If `head_pipe` is null, the function returns NULL to prevent a potential null pointer dereference.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)

Cc: Tom Chung <chiahsuan.ch...@amd.com>
Cc: Rodrigo Siqueira <rodrigo.sique...@amd.com>
Cc: Roman Li <roman...@amd.com>
Cc: Alex Hung <alex.h...@amd.com>
Cc: Aurabindo Pillai <aurabindo.pil...@amd.com>
Cc: Harry Wentland <harry.wentl...@amd.com>
Cc: Hamza Mahfooz <hamza.mahf...@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmu...@amd.com>
Reviewed-by: Tom Chung <chiahsuan.ch...@amd.com>
Signed-off-by: Alex Deucher <alexander.deuc...@amd.com>
[ Daniil: dcn32 was moved from drivers/gpu/drm/amd/display/dc to drivers/gpu/drm/amd/display/dc/resource since commit 8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory"). The path is changed accordingly to apply the patch on 6.1.y. and 6.6.y ]
Signed-off-by: Daniil Dulov <d.du...@aladdin.ru>
---
Backport fix for CVE-2024-49918

 drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c index 1b1534ffee9f..591c3166a468 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c 
@@ -2563,8 +2563,10 @@ struct pipe_ctx *dcn32_acquire_idle_pipe_for_head_pipe_in_layer( struct resource_context *old_ctx = &stream->ctx->dc->current_state->res_ctx; int head_index; - if (!head_pipe) + if (!head_pipe) { ASSERT(0); + return NULL; + } /* * Modified from dcn20_acquire_idle_pipe_for_layer -- 2.34.1
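Review bot: the new `return NULL;` in the `if (!head_pipe)` branch makes NULL a possible result of dcn32_acquire_idle_pipe_for_head_pipe_in_layer(), and no caller is visible in this hunk, so please confirm that every caller checks the returned pointer before use; otherwise the dereference only moves one frame up. The branch also keeps `ASSERT(0);` ahead of the return, so a NULL `head_pipe` is still treated as a programming error and will still trip the assert on this path; if NULL is an input the function is expected to tolerate, drop the assert or add a short comment saying why both are wanted. Minor point on the changelog: the `if (!head_pipe)` test is already present in the removed line, so what this change adds is the braces and the early return, not the check itself.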