CVE-2025-22093

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22093
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22093.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-22093
Published
2025-04-16T14:12:44Z
Modified
2025-10-16T00:33:07.254687Z
Summary
drm/amd/display: avoid NPD when ASIC does not support DMUB
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: avoid NPD when ASIC does not support DMUB

ctx->dmub_srv will be NULL if the ASIC does not support DMUB, which is tested in dm_dmub_sw_init.

However, it will be dereferenced in dmub_hw_lock_mgr_cmd if should_use_dmub_lock returns true.

This has been the case since dmub support has been added for PSR1.

Fix this by checking for dmub_srv in should_use_dmub_lock.


Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b7d2461858ac75c9d6bc4ab8af1a738d0814b716
Fixed
d953e2cd59ab466569c6f9da460e01caf1c83559
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
758abba3dd413dc5de2016f8588403294263a30a
Fixed
b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4b46fc30b37e457d25cf3908c0c4dc3fbedd2044
Fixed
3453bcaf2ca92659346bf8504c2b52b3993fbd79
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
5e4b1e04740cdb28de189285007366d99a92f1ce
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
35ad39afd007eddf34b3307bebb715c26891cc96
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
42d9d7bed270247f134190ba0cb05bbd072f58c2

Affected versions

v6.*

v6.1.128
v6.1.129
v6.1.130
v6.1.131
v6.1.132
v6.1.133
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.13
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.134
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.87
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.23
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.2