DisplayPort hotplug crash with Thunderbolt dock: NULL pointer dereference in isFECSupportedEv() [590.48.01] #1019

@olejaco

NVIDIA Open GPU Kernel Modules Version

590.48.01 (Arch Linux package: nvidia-open-dkms 590.48.01-1)

Please confirm this issue does not happen with the proprietary driver (of the same version). This issue tracker is only for bugs specific to the open kernel driver.

  • I confirm that this does not happen with the proprietary driver package.

Operating System and Version

Arch Linux

Kernel Release

6.18.3-arch1-1 #1 PREEMPT(full) x86_64

Please confirm you are running a stable release kernel (e.g. not a -rc). We do not accept bug reports for unreleased kernels.

  • I am running on a stable kernel release.

Hardware: GPU

GPU 0: Quadro T2000 with Max-Q Design (UUID: GPU-e81b2c73-b7d7-a37c-719d-d9261e7c886a)

Describe the bug

Description
The system kernel panics with a NULL pointer dereference when disconnecting an HP Thunderbolt Dock G2 that provides DisplayPort outputs. The crash is 100% reproducible and occurs immediately upon dock disconnection while the system is running.

Crash Signature
BUG: kernel NULL pointer dereference, address: 0x0000000000000409
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
RIP: 0010:_ZN11DisplayPort10DeviceImpl14isFECSupportedEv+0x4/0x10 nvidia_modeset

Root Cause
The crash occurs in the NVIDIA DisplayPort module when querying FEC (Forward Error Correction) support on a DisplayPort connector that is being removed during Thunderbolt hotplug disconnection. The driver does not validate connector validity before accessing its fields, resulting in a NULL pointer dereference at address 0x0000000000000409.

Call Stack
_ZN11DisplayPort10DeviceImpl14isFECSupportedEv+0x4/0x10 nvidia_modeset ← CRASH HERE
_ZN11DisplayPort13ConnectorImpl35compoundQueryAttachMSTIsDscPossibleEPNS_5GroupERKNS_15DpModesetParamsEPNS_9DscParamsE+0x8d/0x1b0
_ZN11DisplayPort13ConnectorImpl22compoundQueryAttachMSTEPNS_5GroupERKNS_15DpModesetParamsEPNS_9DscParamsEPNS_12DP_IMP_ERRORE+0x24f/0x540
_ZN11DisplayPort13ConnectorImpl19compoundQueryAttachEPNS_5GroupERKNS_15DpModesetParamsEPNS_9DscParamsEPNS_12DP_IMP_ERRORE+0x1e2/0x270
_ZN11DisplayPort13ConnectorImpl20dpLinkIsModePossibleERKNS_26DpLinkIsModePossibleParamsE+0xa5/0x180
nvDPLibIsModePossible+0x40f/0x710
ValidateProposedModeSetHwStateOneDispDPlib+0x1b9/0x5d0
nvSetDispModeEvo+0x1110/0x41c0
nvKmsIoctl+0x103/0x2c0
ApplyModeSetConfig+0x143/0xd40
nv_drm_atomic_apply_modeset_config+0x6fc/0x7a0 ← DRM atomic commit
drm_atomic_commit+0x71/0xe0
drm_mode_atomic_ioctl+0xa92/0xd00

Sequence of Events

  1. Thunderbolt dock connected; DisplayPort displays work normally
  2. I physically disconnect Thunderbolt dock
  3. PCIe hotplug event triggered; Thunderbolt bridges deregistered
  4. boltd detects disconnection: [0026a0a4-f84d-Thunderbolt Dock G2] disconnected
  5. Hyprland detects hotplug and calls DRM atomic commit
  6. NVIDIA driver validates mode set for reconfiguration
  7. Driver attempts to query FEC support on disconnected DisplayPort connector
  8. Connector pointer is invalid (freed), causing NULL pointer dereference
  9. Kernel panic and system crash

To Reproduce

Steps to Reproduce

  1. Connect HP ZBook Fury 15 G7 to HP Thunderbolt Dock G2 with DisplayPort displays
  2. Boot with NVIDIA driver 590.48.01
  3. Disconnect Thunderbolt dock by unplugging cable while system is running
  4. System crashes with kernel panic

Bug Incidence

Always

nvidia-bug-report.log.gz

More Info

nvidia_kernel_crash_logs.txt

nvidia_smi_output.txt

thunderbolt_info.txt
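
A triage helper for the crash signature quoted in the report, as an added example that is not part of the original issue or of NVIDIA's code: it parses the oops lines, decodes the mangled RIP symbol, and flags a small non-zero fault address, the usual pattern of a field read through a NULL base pointer. The names `triage` and `demangle_nested` are hypothetical, and the sample text is constructed from the lines shown under Crash Signature.

```python
import re

PAGE_SIZE = 4096  # 4 KiB base page on x86_64

# Constructed sample: the "Crash Signature" lines from the report above.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 0x0000000000000409
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
RIP: 0010:_ZN11DisplayPort10DeviceImpl14isFECSupportedEv+0x4/0x10 nvidia_modeset
"""

def demangle_nested(sym):
    """Decode the length-prefixed scopes of a simple Itanium _ZN...E name.
    Arguments and templates are ignored; other symbols are returned as-is."""
    if not sym.startswith("_ZN"):
        return sym
    parts, i = [], 3
    while i < len(sym) and sym[i].isdigit():
        j = i
        while j < len(sym) and sym[j].isdigit():
            j += 1
        n = int(sym[i:j])
        parts.append(sym[j:j + n])
        i = j + n
    return "::".join(parts) if parts else sym

def triage(oops):
    """Return the key facts of an x86_64 page-fault oops, or None if absent."""
    addr = re.search(r"address: (0x[0-9a-fA-F]+)", oops)
    rip = re.search(
        r"RIP: [0-9a-f]{4}:(\S+?)\+(0x[0-9a-f]+)/(0x[0-9a-f]+)(?: (\S+))?", oops)
    access = re.search(r"#PF: \w+ (read|write|instruction fetch) access", oops)
    if not (addr and rip):
        return None
    fault = int(addr.group(1), 16)
    return {
        "fault_addr": fault,
        # Heuristic: a non-zero address inside page 0 is base NULL + field offset.
        "null_plus_offset": 0 < fault < PAGE_SIZE,
        "access": access.group(1) if access else None,
        "function": demangle_nested(rip.group(1)),
        "insn_offset": int(rip.group(2), 16),
        "func_size": int(rip.group(3), 16),
        # Kernel logs print the module as [name]; the report shows it bare.
        "module": (rip.group(4) or "").strip("[]") or None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS))
```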
