[PATCH 6.10 22/22] drm/amdgpu/display: Fix null pointer dereference in dc_stream_program_cursor_position

Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 15 Aug 2024 15:25:30 +0200

6.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivasan Shanmugam <srinivasan.shanmugam@xxxxxxx>

commit fa4c500ce93f4f933c38e6d6388970e121e27b21 upstream.

The fix involves adding a null check for 'stream' at the beginning of
the function. If 'stream' is NULL, the function immediately returns
false. This ensures that 'stream' is not NULL when we dereference it to
access 'ctx' in 'dc = stream->ctx->dc;' the function.

Fixes the below:
	drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:398 dc_stream_program_cursor_position()
	error: we previously assumed 'stream' could be null (see line 397)

drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c
    389 bool dc_stream_program_cursor_position(
    390         struct dc_stream_state *stream,
    391         const struct dc_cursor_position *position)
    392 {
    393         struct dc *dc;
    394         bool reset_idle_optimizations = false;
    395         const struct dc_cursor_position *old_position;
    396
    397         old_position = stream ? &stream->cursor_position : NULL;
                               ^^^^^^^^
The patch adds a NULL check

--> 398         dc = stream->ctx->dc;
                     ^^^^^^^^
The old code didn't check

    399
    400         if (dc_stream_set_cursor_position(stream, position)) {
    401                 dc_z10_restore(dc);
    402
    403                 /* disable idle optimizations if enabling cursor */
    404                 if (dc->idle_optimizations_allowed &&
    405                     (!old_position->enable || dc->debug.exit_idle_opt_for_cursor_updates) &&
    406                     position->enable) {
    407                         dc_allow_idle_optimizations(dc, false);

Fixes: f63f86b5affc ("drm/amd/display: Separate setting and programming of cursor")
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: Harry Wentland <harry.wentland@xxxxxxx>
Cc: Tom Chung <chiahsuan.chung@xxxxxxx>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@xxxxxxx>
Cc: Roman Li <roman.li@xxxxxxx>
Cc: Aurabindo Pillai <aurabindo.pillai@xxxxxxx>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@xxxxxxx>
Reviewed-by: Harry Wentland <harry.wentland@xxxxxxx>
Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/amd/display/dc/core/dc_stream.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
@@ -394,7 +394,10 @@ bool dc_stream_program_cursor_position(
 	bool reset_idle_optimizations = false;
 	const struct dc_cursor_position *old_position;
 
-	old_position = stream ? &stream->cursor_position : NULL;
+	if (!stream)
+		return false;
+
+	old_position = &stream->cursor_position;
 	dc = stream->ctx->dc;
 
 	if (dc_stream_set_cursor_position(stream, position)) {









