Commit b7ac7746 authored Mar 04, 2026 by Mario Limonciello Committed by Alex Deucher Mar 06, 2026

drm/amd: Fix NULL pointer dereference in device cleanup



When GPU initialization fails due to an unsupported HW block
IP blocks may have a NULL version pointer. During cleanup in
amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and
amdgpu_device_set_cg_state which iterate over all IP blocks and access
adev->ip_blocks[i].version without NULL checks, leading to a kernel
NULL pointer dereference.

Add NULL checks for adev->ip_blocks[i].version in both
amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent
dereferencing NULL pointers during GPU teardown when initialization has
failed.

Fixes: 39fc2bc4 ("drm/amdgpu: Protect GPU register accesses in powergated state in some paths")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

parent 576a1079

drivers/gpu/drm/amd/amdgpu/amdgpu_device.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -2550,6 +2550,8 @@ int amdgpu_device_set_cg_state(struct amdgpu_device *adev,
		i = state == AMD_CG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
		if (!adev->ip_blocks[i].status.late_initialized)
		continue;
		if (!adev->ip_blocks[i].version)
		continue;
		/* skip CG for GFX, SDMA on S0ix */
		if (adev->in_s0ix &&
		(adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX \|\|
		@@ -2589,6 +2591,8 @@ int amdgpu_device_set_pg_state(struct amdgpu_device *adev,
		i = state == AMD_PG_STATE_GATE ? j : adev->num_ip_blocks - j - 1;
		if (!adev->ip_blocks[i].status.late_initialized)
		continue;
		if (!adev->ip_blocks[i].version)
		continue;
		/* skip PG for GFX, SDMA on S0ix */
		if (adev->in_s0ix &&
		(adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX \|\|