{"id":"CVE-2025-40148","summary":"drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions\n\nThe function dc_stream_set_cursor_attributes() currently dereferences\nthe `stream` pointer and nested members `stream-\u003ectx-\u003edc-\u003ecurrent_state`\nwithout checking for NULL.\n\nAll callers of these functions, such as in\n`dcn30_apply_idle_power_optimizations()` and\n`amdgpu_dm_plane_handle_cursor_update()`, already perform NULL checks\nbefore calling these functions.\n\nFixes below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:336 dc_stream_program_cursor_attributes()\nerror: we previously assumed 'stream' could be null (see line 334)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n    327 bool dc_stream_program_cursor_attributes(\n    328         struct dc_stream_state *stream,\n    329         const struct dc_cursor_attributes *attributes)\n    330 {\n    331         struct dc  *dc;\n    332         bool reset_idle_optimizations = false;\n    333\n    334         dc = stream ? stream-\u003ectx-\u003edc : NULL;\n                     ^^^^^^\nThe old code assumed stream could be NULL.\n\n    335\n--\u003e 336         if (dc_stream_set_cursor_attributes(stream, attributes)) {\n                                                    ^^^^^^\nThe refactor added an unchecked dereference.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c\n   313  bool dc_stream_set_cursor_attributes(\n   314          struct dc_stream_state *stream,\n   315          const struct dc_cursor_attributes *attributes)\n   316  {\n   317          bool result = false;\n   318\n   319          if (dc_stream_check_cursor_attributes(stream, stream-\u003ectx-\u003edc-\u003ecurrent_state, attributes)) {\n                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Here.\nThis function used to check for if stream as NULL and return false at\nthe start. Probably we should add that back.","modified":"2026-04-02T12:48:18.013349Z","published":"2025-11-12T10:23:26.841Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40148.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/01e793e7d4d402c473f1a61ca5824f086693be65"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40148.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40148"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4465dd0e41e8223a46a41ce4fcdfc55fabd319d8"},{"fixed":"01e793e7d4d402c473f1a61ca5824f086693be65"},{"fixed":"bf4e4b97d0fdc66f04fc19d807e24dd8421b8f11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40148.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40148.json"}}],"schema_version":"1.7.5"}