cve/published/2024/CVE-2024-26700.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26700: drm/amd/display: Fix MST Null Ptr for RV

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/amd/display: Fix MST Null Ptr for RV

 The change try to fix below error specific to RV platform:

 BUG: kernel NULL pointer dereference, address: 0000000000000008
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
 Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
 RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
 Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
 RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
 RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
 RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
 RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
 R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
 R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
 FS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
 Call Trace:
  <TASK>
  ? __die+0x23/0x70
  ? page_fault_oops+0x171/0x4e0
  ? plist_add+0xbe/0x100
  ? exc_page_fault+0x7c/0x180
  ? asm_exc_page_fault+0x26/0x30
  ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
  ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
  compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
  ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
  compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
  amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
  drm_atomic_check_only+0x5c5/0xa40
  drm_mode_atomic_ioctl+0x76e/0xbc0
  ? _copy_to_user+0x25/0x30
  ? drm_ioctl+0x296/0x4b0
  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10
  drm_ioctl_kernel+0xcd/0x170
  drm_ioctl+0x26d/0x4b0
  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10
  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
  __x64_sys_ioctl+0x94/0xd0
  do_syscall_64+0x60/0x90
  ? do_syscall_64+0x6c/0x90
  entry_SYSCALL_64_after_hwframe+0x72/0xdc
 RIP: 0033:0x7f4dad17f76f
 Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>
 RSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f
 RDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b
 RBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003
 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc
 R13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0
  </TASK>
 Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >
  typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>
 CR2: 0000000000000008
 ---[ end trace 0000000000000000 ]---
 RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
 Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
 RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
 RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
 RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
 RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
 R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
 R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
 FS:  00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0

 With a second DP monitor connected, drm_atomic_state in dm atomic check
 sequence does not include the connector state for the old/existing/first
 DP monitor. In such case, dsc determination policy would hit a null ptr
 when it tries to iterate the old/existing stream that does not have a
 valid connector state attached to it. When that happens, dm atomic check
 should call drm_atomic_get_connector_state for a new connector state.
 Existing dm has already done that, except for RV due to it does not have
 official support of dsc where .num_dsc is not defined in dcn10 resource
 cap, that prevent from getting drm_atomic_get_connector_state called.
 So, skip dsc determination policy for ASICs that don't have DSC support.

 The Linux kernel CVE team has assigned CVE-2024-26700 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.82 with commit 01d992088dce3945f70f49f34b0b911c5213c238
 	Fixed in 6.6.18 with commit 7407c61f43b66e90ad127d0cdd13cbc9d87141a5
 	Fixed in 6.7.6 with commit 5cd7185d2db76c42a9b7e69adad9591d9fca093f
 	Fixed in 6.8 with commit e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26700
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238
 	https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5
 	https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f
 	https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26700: drm/amd/display: Fix MST Null Ptr for RV

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/amd/display: Fix MST Null Ptr for RV

	The change try to fix below error specific to RV platform:

	BUG: kernel NULL pointer dereference, address: 0000000000000008
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
	Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
	RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
	Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
	RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
	RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
	RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
	RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
	R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
	R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
	FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
	Call Trace:
	<TASK>
	? __die+0x23/0x70
	? page_fault_oops+0x171/0x4e0
	? plist_add+0xbe/0x100
	? exc_page_fault+0x7c/0x180
	? asm_exc_page_fault+0x26/0x30
	? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
	? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
	compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
	? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
	compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
	amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
	drm_atomic_check_only+0x5c5/0xa40
	drm_mode_atomic_ioctl+0x76e/0xbc0
	? _copy_to_user+0x25/0x30
	? drm_ioctl+0x296/0x4b0
	? __pfx_drm_mode_atomic_ioctl+0x10/0x10
	drm_ioctl_kernel+0xcd/0x170
	drm_ioctl+0x26d/0x4b0
	? __pfx_drm_mode_atomic_ioctl+0x10/0x10
	amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
	__x64_sys_ioctl+0x94/0xd0
	do_syscall_64+0x60/0x90
	? do_syscall_64+0x6c/0x90
	entry_SYSCALL_64_after_hwframe+0x72/0xdc
	RIP: 0033:0x7f4dad17f76f
	Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>
	RSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	RAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f
	RDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b
	RBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003
	R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc
	R13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0
	</TASK>
	Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >
	typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>
	CR2: 0000000000000008
	---[ end trace 0000000000000000 ]---
	RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
	Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
	RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
	RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
	RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
	RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
	R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
	R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
	FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0

	With a second DP monitor connected, drm_atomic_state in dm atomic check
	sequence does not include the connector state for the old/existing/first
	DP monitor. In such case, dsc determination policy would hit a null ptr
	when it tries to iterate the old/existing stream that does not have a
	valid connector state attached to it. When that happens, dm atomic check
	should call drm_atomic_get_connector_state for a new connector state.
	Existing dm has already done that, except for RV due to it does not have
	official support of dsc where .num_dsc is not defined in dcn10 resource
	cap, that prevent from getting drm_atomic_get_connector_state called.
	So, skip dsc determination policy for ASICs that don't have DSC support.

	The Linux kernel CVE team has assigned CVE-2024-26700 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.82 with commit 01d992088dce3945f70f49f34b0b911c5213c238
	Fixed in 6.6.18 with commit 7407c61f43b66e90ad127d0cdd13cbc9d87141a5
	Fixed in 6.7.6 with commit 5cd7185d2db76c42a9b7e69adad9591d9fca093f
	Fixed in 6.8 with commit e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26700
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238
	https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5
	https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f
	https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57