[PATCH] drm/amd/display: Add NULL check for panel_cntl in dce110_edp_backlight_control

Mikhail Arkhipov <m.arhipov@xxxxxxx> · Sun, 15 Sep 2024 20:40:50 +0300

If link->panel_cntl is NULL, the function dce110_edp_backlight_control
attempts to dereference it at line 1019, leading to a potential NULL
pointer dereference and a kernel crash.

This bug can manifest when the eDP panel is not correctly configured
or initialized during certain power or display state transitions,
leaving link->panel_cntl unset or NULL. In such cases, the dereference
of a NULL pointer can result in an immediate kernel panic or
system instability.

Add a NULL check for link->panel_cntl before using it. Ensure that
the function safely returns if link->panel_cntl is not properly set,
preventing any attempts to dereference a NULL pointer and avoiding
potential crashes.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 06ddcee49a35 ("drm/amd/display: Added multi instance support for panel control")
Signed-off-by: Mikhail Arkhipov <m.arhipov@xxxxxxx>
---
 .../display/dc/dce110/dce110_hw_sequencer.c   | 50 ++++++++++---------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
index 508f5fe26848..1269628a4014 100644
--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c
@@ -1016,32 +1016,34 @@ void dce110_edp_backlight_control(
 	 */
 	/* dc_service_sleep_in_milliseconds(50); */
 		/*edp 1.2*/
-	panel_instance = link->panel_cntl->inst;
+	if (link->panel_cntl) {
+		panel_instance = link->panel_cntl->inst;
 
-	if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
-		if (!link->dc->config.edp_no_power_sequencing)
-		/*
-		 * Sometimes, DP receiver chip power-controlled externally by an
-		 * Embedded Controller could be treated and used as eDP,
-		 * if it drives mobile display. In this case,
-		 * we shouldn't be doing power-sequencing, hence we can skip
-		 * waiting for T7-ready.
-		 */
-			edp_receiver_ready_T7(link);
-		else
-			DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
-	}
+		if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON) {
+			if (!link->dc->config.edp_no_power_sequencing)
+				/*
+				 * Sometimes, DP receiver chip power-controlled externally by an
+				 * Embedded Controller could be treated and used as eDP,
+				 * if it drives mobile display. In this case,
+				 * we shouldn't be doing power-sequencing, hence we can skip
+				 * waiting for T7-ready.
+				 */
+				edp_receiver_ready_T7(link);
+			else
+				DC_LOG_DC("edp_receiver_ready_T7 skipped\n");
+		}
 
-	if (ctx->dc->ctx->dmub_srv &&
-			ctx->dc->debug.dmub_command_table) {
-		if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
-			ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
-					LVTMA_CONTROL_LCD_BLON,
-					panel_instance);
-		else
-			ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
-					LVTMA_CONTROL_LCD_BLOFF,
-					panel_instance);
+		if (ctx->dc->ctx->dmub_srv &&
+				ctx->dc->debug.dmub_command_table) {
+			if (cntl.action == TRANSMITTER_CONTROL_BACKLIGHT_ON)
+				ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+						LVTMA_CONTROL_LCD_BLON,
+						panel_instance);
+			else
+				ctx->dc_bios->funcs->enable_lvtma_control(ctx->dc_bios,
+						LVTMA_CONTROL_LCD_BLOFF,
+						panel_instance);
+		}
 	}
 
 	link_transmitter_control(ctx->dc_bios, &cntl);
-- 
2.39.3 (Apple Git-146)







