Alex Deucheralexdeucher@gmail.com wrote:
On Wed, Aug 21, 2024 at 3:45 AM Ma Ke make24@iscas.ac.cn wrote:
Instead of using state->fb->obj[0] directly, get object from framebuffer by calling drm_gem_fb_get_obj() and return error code when object is null to avoid using null object of framebuffer.
Cc: stable@vger.kernel.org Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes") Signed-off-by: Ma Ke make24@iscas.ac.cn
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c index a83bd0331c3b..5cb11cc2d063 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c @@ -28,6 +28,7 @@ #include <drm/drm_blend.h> #include <drm/drm_gem_atomic_helper.h> #include <drm/drm_plane_helper.h> +#include <drm/drm_gem_framebuffer_helper.h> #include <drm/drm_fourcc.h>
#include "amdgpu.h" @@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane, }
afb = to_amdgpu_framebuffer(new_state->fb);
obj = new_state->fb->obj[0];
obj = drm_gem_fb_get_obj(new_state->fb, 0);
Is it possible for obj to be NULL here?
Alex
Thank you for your response to the vulnerability I submitted. Yes, we believe there is a similar issue. As described in CVE-2024-41093, the obj will return as NULL and lead to a dereferencing problem, and a similar issue exists in this code. The discovery of this problem was confirmed through manual review of the code and compilation testing. -- Regards,
Ma Ke