From: Matthew Schwartz <matthew.schwartz@linux.dev>
To: Ray Wu <ray.wu@amd.com>, amd-gfx@lists.freedesktop.org
Cc: Harry Wentland <harry.wentland@amd.com>,
Leo Li <sunpeng.li@amd.com>,
Aurabindo Pillai <aurabindo.pillai@amd.com>,
Roman Li <roman.li@amd.com>, Wayne Lin <wayne.lin@amd.com>,
Tom Chung <chiahsuan.chung@amd.com>,
Fangzhi Zuo <jerry.zuo@amd.com>,
Dan Wheeler <daniel.wheeler@amd.com>,
Ivan Lipski <ivan.lipski@amd.com>, Alex Hung <alex.hung@amd.com>
Subject: Re: [PATCH] drm/amd/display: fix NULL ptr deref in ISM delayed work
Date: Thu, 9 Apr 2026 11:15:28 -0700
Message-ID: <afa8bd88-9b9e-42f9-92c8-2c104fcf5c7c@linux.dev>
In-Reply-To: <20260409072057.1133476-1-ray.wu@amd.com>
On 4/9/26 12:20 AM, Ray Wu wrote:
> dc_destroy() sets dm->dc to NULL before amdgpu_dm_ism_fini() is called,
> leaving a window where in-flight ISM delayed work dereferences the stale
> pointer. Call amdgpu_dm_ism_fini() in amdgpu_dm_fini() before dc_destroy().
>
> Fixes: f5d0d3f3439e ("drm/amd/display: Add Idle state manager(ISM)")
> Signed-off-by: Ray Wu <ray.wu@amd.com>
> ---
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 +++++++++
> drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 7 ++++++-
> 2 files changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index bac02ea15b8a..bb79b6bed3c4 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> @@ -2236,6 +2236,8 @@ static int amdgpu_dm_early_fini(struct amdgpu_ip_block *ip_block)
> static void amdgpu_dm_fini(struct amdgpu_device *adev)
> {
> int i;
> + struct drm_crtc *crtc;
> + struct amdgpu_crtc *acrtc;
>
> if (adev->dm.vblank_control_workqueue) {
> destroy_workqueue(adev->dm.vblank_control_workqueue);
> @@ -2252,6 +2254,13 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
> adev->dm.idle_workqueue = NULL;
> }
>
> + /* Finalize ISM for each CRTC before dc_destroy() sets dm->dc to NULL */
> + drm_for_each_crtc(crtc, adev_to_drm(adev)) {
> + acrtc = to_amdgpu_crtc(crtc);
> + amdgpu_dm_ism_fini(&acrtc->ism);
> +
> + }
> +
> amdgpu_dm_destroy_drm_device(&adev->dm);
>
> #if defined(CONFIG_DRM_AMD_SECURE_DISPLAY)
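Review bot: the added loop body ends with an empty line before its closing brace, which checkpatch --strict reports; drop it, and with a single statement left the braces and the acrtc local can go as well, e.g. amdgpu_dm_ism_fini(&to_amdgpu_crtc(crtc)->ism);. The comment names dc_destroy() as the ordering constraint, but that call is not within this hunk's context, so a later reshuffle of amdgpu_dm_fini() could move it ahead of the loop without anyone noticing; consider placing the loop directly next to the call it has to precede. The loop also visits every CRTC unconditionally, so it is worth confirming amdgpu_dm_ism_fini() is safe on a CRTC whose ISM was never started.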
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
> index 26f3d513576b..de203445e084 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
> @@ -459,7 +459,12 @@ static void amdgpu_dm_crtc_destroy(struct drm_crtc *crtc)
> {
> struct amdgpu_crtc *acrtc = to_amdgpu_crtc(crtc);
>
> - amdgpu_dm_ism_fini(&acrtc->ism);
> + /*
> + * amdgpu_dm_ism_fini() is intentionally called in amdgpu_dm_fini().
> + * It must be called before dc_destroy() in amdgpu_dm_fini()
> + * to avoid ISM accessing an invalid dc handle once dc is released.
> + */
I'm seeing a new build warning with this hunk:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_crtc.c: In function ‘amdgpu_dm_crtc_destroy’:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_crtc.c:460:29: warning: unused variable ‘acrtc’ [-Wunused-variable]
460 | struct amdgpu_crtc *acrtc = to_amdgpu_crtc(crtc);
| ^~~~~
This diff resolved it:
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
index de203445e0844..40c5f74dbe2b6 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
@@ -457,8 +457,6 @@ static struct drm_crtc_state *amdgpu_dm_crtc_duplicate_state(struct drm_crtc *cr
static void amdgpu_dm_crtc_destroy(struct drm_crtc *crtc)
{
- struct amdgpu_crtc *acrtc = to_amdgpu_crtc(crtc);
-
/*
* amdgpu_dm_ism_fini() is intentionally called in amdgpu_dm_fini().
* It must be called before dc_destroy() in amdgpu_dm_fini()
Thanks,
Matt
> +
> drm_crtc_cleanup(crtc);
> kfree(crtc);
> }
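Review bot: with the amdgpu_dm_ism_fini() call removed, nothing in amdgpu_dm_crtc_destroy() stops ISM delayed work before kfree(crtc), and the removed line shows ism is a member of the amdgpu_crtc being torn down here. The fix is then correct only if every path into this function has already gone through the new loop in amdgpu_dm_fini(); if a CRTC can be destroyed any other way, the NULL dereference is traded for work running on freed memory. Either keep a fini call here as well (if amdgpu_dm_ism_fini() can safely run twice) or have the new comment state that amdgpu_dm_fini() is the only teardown path. The now-unused acrtc declaration should be dropped in the same patch rather than in a follow-up.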