Memory safety / NULL pointer dereference
Description
The patch fixes a NULL pointer dereference in the Renesas RCAR-DU DRM driver by checking rcrtc->cmm before its dev field is accessed. Previously, code paths evaluated rcrtc->cmm->dev without ensuring rcrtc->cmm was non-NULL, which could crash the kernel if rcrtc->cmm was NULL. The fix tests the pointer itself: rcar_du_cmm_setup() returns early (if (!rcrtc->cmm) return;), and the rcar_cmm_enable() and rcar_cmm_disable() calls, which still take rcrtc->cmm->dev, are made only when rcrtc->cmm is non-NULL. This converts a potential NULL pointer dereference into a safe no-op when CMM is not present, mitigating a memory-safety crash path.
Commit Details
Author: Dave Airlie
Date: 2026-04-23 23:16 UTC
Message:
Merge tag 'drm-misc-next-fixes-2026-04-23' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-next
Short summary of fixes pull:
rcar-du:
- fix NULL-ptr crash
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260423130852.GA114622@linux.fritz.box
Triage Assessment
Vulnerability Type: Memory safety (NULL pointer dereference)
Confidence: HIGH
Reasoning:
The patch changes null-checks to guard against dereferencing a NULL pointer (rcrtc->cmm). Previously the code dereferenced rcrtc->cmm->dev without ensuring rcrtc->cmm is non-NULL, which could cause a crash. This is a memory-safety fix that mitigates potential security-relevant crashes.
Verification Assessment
Vulnerability Type: Memory safety / NULL pointer dereference
Confidence: HIGH
Affected Versions: v7.0-rc6 and earlier (RCAR-DU DRM CMM path)
Code Diff
diff --git a/drivers/gpu/drm/renesas/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/renesas/rcar-du/rcar_du_crtc.c
index 7c36c30a75b63e..1a246ebbfc613b 100644
--- a/drivers/gpu/drm/renesas/rcar-du/rcar_du_crtc.c
+++ b/drivers/gpu/drm/renesas/rcar-du/rcar_du_crtc.c
@@ -513,7 +513,7 @@ static void rcar_du_cmm_setup(struct drm_crtc *crtc)
struct rcar_du_crtc *rcrtc = to_rcar_crtc(crtc);
struct rcar_cmm_config cmm_config = {};
- if (!rcrtc->cmm->dev)
+ if (!rcrtc->cmm)
return;
if (drm_lut)
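Review bot: The new guard in rcar_du_cmm_setup() tests only rcrtc->cmm, so the old test of the dev field is dropped rather than kept alongside it. If a non-NULL rcrtc->cmm can ever carry a NULL dev, anything later in this function that uses rcrtc->cmm->dev would receive NULL where the old code returned early. Either state the invariant in a comment at this check (cmm is set only when its dev is valid) or test both, for example "if (!rcrtc->cmm || !rcrtc->cmm->dev) return;".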
@@ -667,7 +667,7 @@ static void rcar_du_crtc_stop(struct rcar_du_crtc *rcrtc)
if (rcar_du_has(rcrtc->dev, RCAR_DU_FEATURE_VSP1_SOURCE))
rcar_du_vsp_disable(rcrtc);
- if (rcrtc->cmm->dev)
+ if (rcrtc->cmm)
rcar_cmm_disable(rcrtc->cmm->dev);
/*
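Review bot: The guard before rcar_cmm_disable() in rcar_du_crtc_stop() is the same open-coded "if (rcrtc->cmm)" followed by a use of rcrtc->cmm->dev that appears in the setup and enable paths, which is the pattern that went wrong in the first place. Consider a small accessor that returns the CMM device or NULL and use it at all three sites, so the NULL handling lives in one place and a future caller cannot repeat the original mistake.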
@@ -726,7 +726,7 @@ static void rcar_du_crtc_atomic_enable(struct drm_crtc *crtc,
struct rcar_du_crtc_state *rstate = to_rcar_crtc_state(crtc->state);
struct rcar_du_device *rcdu = rcrtc->dev;
- if (rcrtc->cmm->dev)
+ if (rcrtc->cmm)
rcar_cmm_enable(rcrtc->cmm->dev);
rcar_du_crtc_get(rcrtc);
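Review bot: In rcar_du_crtc_atomic_enable() the guarded call "rcar_cmm_enable(rcrtc->cmm->dev);" is made as a bare statement, so if rcar_cmm_enable() can report failure, that result is discarded and the CRTC continues to rcar_du_crtc_get() regardless. Since this line is being touched anyway, either check the result and log on failure or add a short comment saying why ignoring it is acceptable. It would also help to note here that the condition must stay identical to the one before rcar_cmm_disable() in rcar_du_crtc_stop(), so enable and disable remain balanced.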