[PATCH] drm/modeset_lock: add NULL check for ctx before WARN_ON

[PATCH] drm/modeset_lock: add NULL check for ctx before WARN_ON

[george.d.sworo]

From: George D Sworo <george.d.sworo@intel.com>

modeset_lock() and drm_modeset_drop_locks() do not validate
the ctx pointer before dereferencing it in WARN_ON(ctx->contended),
which can lead to a NULL pointer dereference if ctx is NULL.

Add a NULL check to prevent this.

Signed-off-by: George D Sworo <george.d.sworo@intel.com>
---
 drivers/gpu/drm/drm_modeset_lock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_modeset_lock.c b/drivers/gpu/drm/drm_modeset_lock.c
index beb91a13a312..2052bb9bb9e5 100644
--- a/drivers/gpu/drm/drm_modeset_lock.c
+++ b/drivers/gpu/drm/drm_modeset_lock.c
@@ -295,7 +295,7 @@ static inline int modeset_lock(struct drm_modeset_lock *lock,
 {
 	int ret;
 
-	if (WARN_ON(ctx->contended))
+	if (ctx && WARN_ON(ctx->contended))
 		__drm_stack_depot_print(ctx->stack_depot);
 
 	if (ctx->trylock_only) {
-- 
2.34.1

[PATCH v2 0/2] drm/i915/modeset: fix NULL/ctx handling in lock paths

[george.d.sworo]

From: George D Sworo <george.d.sworo@intel.com>

Hi,

This series addresses lock-context robustness seen in HDCP/MST paths,
where modeset locking can be reached with invalid or stale acquire_ctx
state and trigger WARN/Oops in modeset_lock().

Patch 1 keeps the original fix from v1.
Patch 2 adds a defensive fix for the additional ctx handling issue.

Changes in v2:
- Added patch 2 to handle NULL ctx defensively in modeset lock helper
  path.
- Kept patch 1 from v1 (no functional change) for complete series
  resend.
- Updated commit messages for clearer rationale and call-path context.
- Linked previous posting:
  https://patchwork.freedesktop.org/patch/721791/

Patch overview:
  drm/modeset_lock: add NULL check for ctx before WARN_ON
  drm/modeset: harden modeset_lock() against NULL ctx

 drivers/gpu/drm/drm_modeset_lock.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

-- 
2.34.1

[PATCH v2 1/2] drm/modeset_lock: add NULL check for ctx before WARN_ON

[george.d.sworo]

From: George D Sworo <george.d.sworo@intel.com>

modeset_lock() and drm_modeset_drop_locks() do not validate
the ctx pointer before dereferencing it in WARN_ON(ctx->contended),
which can lead to a NULL pointer dereference if ctx is NULL.

Add a NULL check to prevent this.

Signed-off-by: George D Sworo <george.d.sworo@intel.com>
---
 drivers/gpu/drm/drm_modeset_lock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_modeset_lock.c b/drivers/gpu/drm/drm_modeset_lock.c
index beb91a13a312..2052bb9bb9e5 100644
--- a/drivers/gpu/drm/drm_modeset_lock.c
+++ b/drivers/gpu/drm/drm_modeset_lock.c
@@ -295,7 +295,7 @@ static inline int modeset_lock(struct drm_modeset_lock *lock,
 {
 	int ret;
 
-	if (WARN_ON(ctx->contended))
+	if (ctx && WARN_ON(ctx->contended))
 		__drm_stack_depot_print(ctx->stack_depot);
 
 	if (ctx->trylock_only) {
-- 
2.34.1

Re: [PATCH v2 1/2] drm/modeset_lock: add NULL check for ctx before WARN_ON

[Ville Syrjälä]

On Tue, Apr 28, 2026 at 11:04:30PM -0700, george.d.sworo@intel.com wrote:
> From: George D Sworo <george.d.sworo@intel.com>
> 
> modeset_lock() and drm_modeset_drop_locks() do not validate
> the ctx pointer before dereferencing it in WARN_ON(ctx->contended),
> which can lead to a NULL pointer dereference if ctx is NULL.
> 
> Add a NULL check to prevent this.

Why are you trying to pass garbage into the function?

> 
> Signed-off-by: George D Sworo <george.d.sworo@intel.com>
> ---
>  drivers/gpu/drm/drm_modeset_lock.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_modeset_lock.c b/drivers/gpu/drm/drm_modeset_lock.c
> index beb91a13a312..2052bb9bb9e5 100644
> --- a/drivers/gpu/drm/drm_modeset_lock.c
> +++ b/drivers/gpu/drm/drm_modeset_lock.c
> @@ -295,7 +295,7 @@ static inline int modeset_lock(struct drm_modeset_lock *lock,
>  {
>  	int ret;
>  
> -	if (WARN_ON(ctx->contended))
> +	if (ctx && WARN_ON(ctx->contended))
>  		__drm_stack_depot_print(ctx->stack_depot);
>  
>  	if (ctx->trylock_only) {
> -- 
> 2.34.1

-- 
Ville Syrjälä
Intel

Re: [PATCH v2 1/2] drm/modeset_lock: add NULL check for ctx before WARN_ON

[Sworo, George D]

Thanks Ville for the review!
Fair point. Ideally, we shouldn't be calling modeset_lock() with NULL
ctx but during a recent debug we uncovered an issue where the system
kept printing the calltrace and I figured this was one instance where
ctx is being dereferenced without a guard

03-26 11:33:03.261     0     0 F BUG     : kernel NULL pointer
dereference, address: 0000000000000069
03-26 11:33:03.261     0     0 F #PF     : supervisor read access in
kernel mode
03-26 11:33:03.261     0     0 F #PF     : error_code(0x0000) - not-
present page
03-26 11:33:03.261     0     0 I         : PGD 0 P4D 0
03-26 11:33:03.261     0     0 W Oops    : Oops: 0000 [#1] PREEMPT SMP
NOPTI
03-26 11:33:03.261     0     0 W Tainted : [U]=USER, [W]=WARN,
[O]=OOT_MODULE
03-26 11:33:03.261     0     0 W Workqueue: i915_flip
intel_atomic_commit_work [xe]
03-26 11:33:03.262     0     0 W RIP     : 0010:modeset_lock+0x74/0xd0



On Wed, 2026-04-29 at 14:09 +0300, Ville Syrjälä wrote:
> On Tue, Apr 28, 2026 at 11:04:30PM -0700,
> george.d.sworo@intel.com wrote:
> > From: George D Sworo <george.d.sworo@intel.com>
> > 
> > modeset_lock() and drm_modeset_drop_locks() do not validate
> > the ctx pointer before dereferencing it in WARN_ON(ctx->contended),
> > which can lead to a NULL pointer dereference if ctx is NULL.
> > 
> > Add a NULL check to prevent this.
> 
> Why are you trying to pass garbage into the function?
> 
> > 
> > Signed-off-by: George D Sworo <george.d.sworo@intel.com>
> > ---
> >  drivers/gpu/drm/drm_modeset_lock.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/drm_modeset_lock.c
> > b/drivers/gpu/drm/drm_modeset_lock.c
> > index beb91a13a312..2052bb9bb9e5 100644
> > --- a/drivers/gpu/drm/drm_modeset_lock.c
> > +++ b/drivers/gpu/drm/drm_modeset_lock.c
> > @@ -295,7 +295,7 @@ static inline int modeset_lock(struct
> > drm_modeset_lock *lock,
> >  {
> >  	int ret;
> >  
> > -	if (WARN_ON(ctx->contended))
> > +	if (ctx && WARN_ON(ctx->contended))
> >  		__drm_stack_depot_print(ctx->stack_depot);
> >  
> >  	if (ctx->trylock_only) {
> > -- 
> > 2.34.1
> 

[PATCH v2 2/2] drm/modeset: harden modeset_lock() against NULL ctx

[george.d.sworo]

From: George D Sworo <george.d.sworo@intel.com>

modeset_lock() dereferences ctx unconditionally. Add a defensive NULL
guard to avoid NULL dereference if a buggy internal caller passes a NULL
acquire context.

For NULL ctx, fall back to plain ww_mutex locking semantics:
- interruptible path uses ww_mutex_lock_interruptible(..., NULL)
- non-interruptible path uses ww_mutex_lock(..., NULL)

This keeps wait behavior consistent with the helper arguments.

Signed-off-by: George D Sworo <george.d.sworo@intel.com>
---
 drivers/gpu/drm/drm_modeset_lock.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/gpu/drm/drm_modeset_lock.c b/drivers/gpu/drm/drm_modeset_lock.c
index 2052bb9bb9e5..5bee424805c3 100644
--- a/drivers/gpu/drm/drm_modeset_lock.c
+++ b/drivers/gpu/drm/drm_modeset_lock.c
@@ -294,6 +294,18 @@ static inline int modeset_lock(struct drm_modeset_lock *lock,
 		bool interruptible, bool slow)
 {
 	int ret;
+	/*
+	 * Defensive fallback: this helper is expected to be called with a
+	 * valid acquire context, but if a NULL ctx slips through, preserve
+	 * the lock wait semantics and avoid NULL dereference.
+	 */
+	if (unlikely(!ctx)) {
+		if (interruptible)
+			return ww_mutex_lock_interruptible(&lock->mutex, NULL);
+
+		ww_mutex_lock(&lock->mutex, NULL);
+		return 0;
+	}
 
 	if (ctx && WARN_ON(ctx->contended))
 		__drm_stack_depot_print(ctx->stack_depot);
-- 
2.34.1