CVE-2024-43901

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401<br /> <br /> When users run the command:<br /> <br /> cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log<br /> <br /> The following NULL pointer dereference happens:<br /> <br /> [ +0.000003] BUG: kernel NULL pointer dereference, address: NULL<br /> [ +0.000005] #PF: supervisor instruction fetch in kernel mode<br /> [ +0.000002] #PF: error_code(0x0010) - not-present page<br /> [ +0.000002] PGD 0 P4D 0<br /> [ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI<br /> [ +0.000003] RIP: 0010:0x0<br /> [ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.<br /> [...]<br /> [ +0.000002] PKRU: 55555554<br /> [ +0.000002] Call Trace:<br /> [ +0.000002] <br /> [ +0.000003] ? show_regs+0x65/0x70<br /> [ +0.000006] ? __die+0x24/0x70<br /> [ +0.000004] ? page_fault_oops+0x160/0x470<br /> [ +0.000006] ? do_user_addr_fault+0x2b5/0x690<br /> [ +0.000003] ? prb_read_valid+0x1c/0x30<br /> [ +0.000005] ? exc_page_fault+0x8c/0x1a0<br /> [ +0.000005] ? asm_exc_page_fault+0x27/0x30<br /> [ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]<br /> [ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000003] ? vsnprintf+0x2fb/0x600<br /> [ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]<br /> [ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170<br /> [ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000002] ? debug_smp_processor_id+0x17/0x20<br /> [ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000002] ? set_ptes.isra.0+0x2b/0x90<br /> [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000002] ? _raw_spin_unlock+0x19/0x40<br /> [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000002] ? do_anonymous_page+0x337/0x700<br /> [ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]<br /> [ +0.000207] full_proxy_read+0x66/0x90<br /> [ +0.000007] vfs_read+0xb0/0x340<br /> [ +0.000005] ? __count_memcg_events+0x79/0xe0<br /> [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40<br /> [ +0.000003] ? handle_mm_fault+0xb2/0x370<br /> [ +0.000003] ksys_read+0x6b/0xf0<br /> [ +0.000004] __x64_sys_read+0x19/0x20<br /> [ +0.000003] do_syscall_64+0x60/0x130<br /> [ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76<br /> [ +0.000003] RIP: 0033:0x7fdf32f147e2<br /> [...]<br /> <br /> This error happens when the color log tries to read the gamut remap<br /> information from DCN401 which is not initialized in the dcn401_dpp_funcs<br /> which leads to a null pointer dereference. This commit addresses this<br /> issue by adding a proper guard to access the gamut_remap callback in<br /> case the specific ASIC did not implement this function.