CVE-2024-57918

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix page fault due to max surface definition mismatch<br /> <br /> DC driver is using two different values to define the maximum number of<br /> surfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as<br /> the unique definition for surface updates across DC.<br /> <br /> It fixes page fault faced by Cosmic users on AMD display versions that<br /> support two overlay planes, since the introduction of cursor overlay<br /> mode.<br /> <br /> [Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b<br /> [ +0.000015] #PF: supervisor read access in kernel mode<br /> [ +0.000006] #PF: error_code(0x0000) - not-present page<br /> [ +0.000005] PGD 0 P4D 0<br /> [ +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300<br /> [ +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024<br /> [ +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]<br /> [ +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]<br /> [ +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b<br /> [ +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206<br /> [ +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070<br /> [ +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000<br /> [ +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000<br /> [ +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000<br /> [ +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000<br /> [ +0.000004] FS: 0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000<br /> [ +0.000005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0<br /> [ +0.000005] Call Trace:<br /> [ +0.000011] <br /> [ +0.000010] ? __die_body.cold+0x19/0x27<br /> [ +0.000012] ? page_fault_oops+0x15a/0x2d0<br /> [ +0.000014] ? exc_page_fault+0x7e/0x180<br /> [ +0.000009] ? asm_exc_page_fault+0x26/0x30<br /> [ +0.000013] ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]<br /> [ +0.000739] ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]<br /> [ +0.000470] update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]<br /> [ +0.000450] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]<br /> [ +0.000446] update_planes_and_stream_v2+0x24a/0x590 [amdgpu]<br /> [ +0.000464] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? sort+0x31/0x50<br /> [ +0.000007] ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]<br /> [ +0.000508] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]<br /> [ +0.000377] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000009] ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]<br /> [ +0.000058] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? dma_fence_default_wait+0x8c/0x260<br /> [ +0.000010] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? wait_for_completion_timeout+0x13b/0x170<br /> [ +0.000006] ? srso_return_thunk+0x5/0x5f<br /> [ +0.000005] ? dma_fence_wait_timeout+0x108/0x140<br /> [ +0.000010] ? commit_tail+0x94/0x130 [drm_kms_helper]<br /> [ +0.000024] ? process_one_work+0x177/0x330<br /> [ +0.000008] ? worker_thread+0x266/0x3a0<br /> [ +0.000006] ? __pfx_worker_thread+0x10/0x10<br /> [ +0.000004] ? kthread+0xd2/0x100<br /> [ +0.000006] ? __pfx_kthread+0x10/0x10<br /> [ +0.000006] ? ret_from_fork+0x34/0x50<br /> [ +0.000004] ? __pfx_kthread+0x10/0x10<br /> [ +0.000005] ? ret_from_fork_asm+0x1a/0x30<br /> [ +0.000011] <br /> <br /> (cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)