CVE-2024-47720

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/10/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the dcn30_set_output_transfer_func function. Previously,
set_output_gamma was being checked for nullity at line 386, but then it
was being dereferenced without any nullity check at line 401. This
could potentially lead to a null pointer dereference error if
set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a nullity check for
set_output_gamma before the call to set_output_gamma at line 401. If
set_output_gamma is null, we log an error message and do not call the
function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
    373 bool dcn30_set_output_transfer_func(struct dc *dc,
    374                                     struct pipe_ctx *pipe_ctx,
    375                                     const struct dc_stream_state *stream)
    376 {
    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
    379         const struct pwl_params *params = NULL;
    380         bool ret = false;
    381
    382         /* program OGAM or 3DLUT only for the top pipe*/
    383         if (pipe_ctx->top_pipe == NULL) {
    384                 /*program rmu shaper and 3dlut in MPC*/
    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
    386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
    388                                 params = &stream->out_transfer_func.pwl;
    389                         else if (pipe_ctx->stream->out_transfer_func.type ==
    390                                         TF_TYPE_DISTRIBUTED_POINTS &&
    391                                         cm3_helper_translate_curve_to_hw_format(
    392                                         &stream->out_transfer_func,
    393                                         &mpc->blender_params, false))
    394                                 params = &mpc->blender_params;
    395                         /* there are no ROM LUTs in OUTGAM */
    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
    397                                 BREAK_TO_DEBUGGER();
    398                 }
    399         }
    400
--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

    402         return ret;
    403 }
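
The corrected control flow described above, as an added user-space C model (not the kernel's code and not the actual patch). The struct layouts, the is_top_pipe and shaper_ok parameters, the model-only counters and the name set_output_transfer_func_fixed are simplifications assumed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct pwl_params { int hw_points_num; };   /* simplified stand-in */
struct mpc;
struct mpc_funcs {                          /* hook may be left NULL */
    void (*set_output_gamma)(struct mpc *mpc, int mpcc_id,
                             const struct pwl_params *params);
};
struct mpc {
    const struct mpc_funcs *funcs;
    int gamma_calls;                        /* model-only counter */
    const struct pwl_params *last_params;   /* model-only record */
};

static void model_gamma(struct mpc *mpc, int mpcc_id,
                        const struct pwl_params *params)
{
    (void)mpcc_id;
    mpc->gamma_calls++;
    mpc->last_params = params;
}

/* Two hardware variants: one implements the hook, one leaves it NULL. */
const struct mpc_funcs funcs_with_hook = { model_gamma };
const struct mpc_funcs funcs_without_hook = { NULL };

/* Same control flow as the listing; shaper_ok models the shaper/3DLUT result. */
bool set_output_transfer_func_fixed(struct mpc *mpc, int mpcc_id, bool is_top_pipe,
                                    bool shaper_ok, const struct pwl_params *pwl)
{
    const struct pwl_params *params = NULL;
    bool ret = false;

    if (is_top_pipe) {
        ret = shaper_ok;
        /* Check at line 386: only guards the choice of params. */
        if (!ret && mpc->funcs->set_output_gamma)
            params = pwl;
    }
    /* Check at the call site (line 401): the one the fix adds. */
    if (mpc->funcs->set_output_gamma)
        mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
    else
        fprintf(stderr, "set_output_gamma is NULL, call skipped\n");
    return ret;
}
```

The first check sits inside the top-pipe branch, so it never covered the unconditional call that follows the branch; only the check at the call site does.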

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.9 (including) | 5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding)