From ec8516334163adf966b31fb60f4b614df7a46ece Mon Sep 17 00:00:00 2001
From: Ole-Jacob Enderud Jensen
Date: Wed, 25 Feb 2026 00:10:45 +0100
Subject: [PATCH] displayport: Fix NULL pointer dereferences in DSC capability checks

Fixes two race conditions that cause kernel panics during DisplayPort hotplug disconnection:

1. compoundQueryAttachMSTIsDscPossible() - Guard outer conditional with dev->parent check before dereferencing. Falls back to checking device's own FEC capability when parent is NULL.

2. compoundQueryAttachMSTDsc() - Add NULL check for dev->devDoingDscDecompression before calling populateDscCaps().

These race conditions occur when the device hierarchy is torn down during hotplug events. The parent device destructor sets children[i]->parent = 0, while the child's devDoingDscDecompression may still reference the parent.

Tested on NVIDIA driver 590.48.01 with DKMS.
---
 src/common/displayport/src/dp_connectorimpl.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/common/displayport/src/dp_connectorimpl.cpp b/src/common/displayport/src/dp_connectorimpl.cpp
index f3267bc57..3d2464adf 100644
--- a/src/common/displayport/src/dp_connectorimpl.cpp
+++ b/src/common/displayport/src/dp_connectorimpl.cpp
@@ -1450,9 +1450,10 @@ bool ConnectorImpl::compoundQueryAttachMSTIsDscPossible
 {
 if (dev && dev->isDSCPossible())
 {
- if ((dev->devDoingDscDecompression != dev) ||
- ((dev->devDoingDscDecompression == dev) &&
- (dev->isLogical() && dev->parent)))
+ if (dev->parent &&
+ ((dev->devDoingDscDecompression != dev) ||
+ ((dev->devDoingDscDecompression == dev) &&
+ (dev->isLogical() && dev->parent))))
 {
 //
 // If DSC decoding is going to happen at sink's parent or
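Review bot: With the new outer `dev->parent &&` guard, a device whose parent is already NULL but whose `devDoingDscDecompression != dev` now takes the else path, which starts outside this hunk; per the commit message that path checks the device's own FEC capability, so the query may be answered for the sink itself although a different device was recorded as the decompressor. If a parentless device at this point means teardown is in progress, failing the query would match the second hunk, for example `if (!dev->parent && dev->devDoingDscDecompression != dev) return false;` ahead of the condition (assuming an early return is acceptable here, which the visible lines do not show). The inner `dev->parent` in `(dev->isLogical() && dev->parent)` is now always true and can be dropped. If the teardown can run concurrently rather than earlier on the same thread, a check followed by a later dereference still leaves a window, so a comment naming the lock or event ordering that makes the check sufficient would help.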
@@ -1546,7 +1547,15 @@ bool ConnectorImpl::compoundQueryAttachMSTDsc(Group * target,
 dpMemZero(&dscInfo, sizeof(DSC_INFO));
 dpMemZero(&warData, sizeof(WAR_DATA));
- // Populate DSC related info for PPS calculations
+ /// Populate DSC related info for PPS calculations
+ if (!dev->devDoingDscDecompression)
+ {
+ //
+ // Device torn down during query - DSC no longer valid.
+ // This can happen during hotplug disconnection race conditions.
+ //
+ return false;
+ }
 populateDscCaps(&dscInfo, dev->devDoingDscDecompression, pDscParams->forcedParams);
 // populate modeset related info for PPS calculations
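Review bot: The added `if (!dev->devDoingDscDecompression)` guard only catches a pointer that has been cleared; the commit message says the parent's destructor zeroes `children[i]->parent` while the child's `devDoingDscDecompression` may still reference that parent, and in that case the pointer is non-NULL but stale, so `populateDscCaps()` would read a destroyed object. The durable fix is to reset `devDoingDscDecompression` wherever `parent` is cleared during teardown, which is outside this hunk, and to keep this check as the consumer-side guard. `dev` itself is dereferenced here without the `dev &&` test used in compoundQueryAttachMSTIsDscPossible; whether it is validated earlier in the function is not visible. The comment `/// Populate DSC related info for PPS calculations` now sits above the guard instead of the call it describes and gained a third slash; moving it back as `// Populate DSC related info for PPS calculations` directly above `populateDscCaps(...)` keeps it accurate.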