From: Alex Hung alex.hung@amd.com
commit 5559598742fb4538e4c51c48ef70563c49c2af23 upstream.
[WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null dereference.
This fixes 2 FORWARD_NULL issues reported by Coverity.
Reviewed-by: Rodrigo Siqueira rodrigo.siqueira@amd.com Signed-off-by: Jerry Zuo jerry.zuo@amd.com Signed-off-by: Alex Hung alex.hung@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com [ Daniil: Changes to dcn21_fast_validate_bw() were dropped since the function is not inplemented in 5.10.y. Also dcn20 and dcn21 were moved from drivers/gpu/drm/amd/display/dc to drivers/gpu/drm/amd/display/dc/resource since commit 8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory"). The path is changed accordingly to apply the patch on 5.10.y ] Signed-off-by: Daniil Dulov d.dulov@aladdin.ru --- Backport fix for CVE-2024-49923
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c index b4bff3b3d842..029aba780d83 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c @@ -2847,6 +2847,7 @@ bool dcn20_fast_validate_bw( { bool out = false; int split[MAX_PIPES] = { 0 }; + bool merge[MAX_PIPES] = { false }; int pipe_cnt, i, pipe_idx, vlevel;
ASSERT(pipes); @@ -2869,7 +2870,7 @@ bool dcn20_fast_validate_bw( if (vlevel > context->bw_ctx.dml.soc.num_states) goto validate_fail;
- vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL); + vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge);
/*initialize pipe_just_split_from to invalid idx*/ for (i = 0; i < MAX_PIPES; i++)
From: Alex Hung alex.hung@amd.com
commit 5559598742fb4538e4c51c48ef70563c49c2af23 upstream.
[WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null dereference.
This fixes 2 FORWARD_NULL issues reported by Coverity.
Reviewed-by: Rodrigo Siqueira rodrigo.siqueira@amd.com Signed-off-by: Jerry Zuo jerry.zuo@amd.com Signed-off-by: Alex Hung alex.hung@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com [ Daniil: dcn20 and dcn21 were moved from drivers/gpu/drm/amd/display/dc to drivers/gpu/drm/amd/display/dc/resource since commit 8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory"). The path is changed accordingly to apply the patch on 5.15.y and 6.1.y. ] Signed-off-by: Daniil Dulov d.dulov@aladdin.ru --- Backport fix for CVE-2024-49923
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 3 ++- drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c index 04b370e7e732..877acdbb9d8d 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c @@ -2817,6 +2817,7 @@ bool dcn20_fast_validate_bw( { bool out = false; int split[MAX_PIPES] = { 0 }; + bool merge[MAX_PIPES] = { false }; int pipe_cnt, i, pipe_idx, vlevel;
ASSERT(pipes); @@ -2839,7 +2840,7 @@ bool dcn20_fast_validate_bw( if (vlevel > context->bw_ctx.dml.soc.num_states) goto validate_fail;
- vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL); + vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge);
/*initialize pipe_just_split_from to invalid idx*/ for (i = 0; i < MAX_PIPES; i++) diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c index 257ab8820c7a..4dcfdb2c013f 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c @@ -1190,6 +1190,7 @@ static bool dcn21_fast_validate_bw( { bool out = false; int split[MAX_PIPES] = { 0 }; + bool merge[MAX_PIPES] = { false }; int pipe_cnt, i, pipe_idx, vlevel;
ASSERT(pipes); @@ -1230,7 +1231,7 @@ static bool dcn21_fast_validate_bw( goto validate_fail; }
- vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL); + vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge);
for (i = 0, pipe_idx = 0; i < dc->res_pool->pipe_count; i++) { struct pipe_ctx *pipe = &context->res_ctx.pipe_ctx[i];
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 5559598742fb4538e4c51c48ef70563c49c2af23
WARNING: Author mismatch between patch and upstream commit: Backport author: Daniil Dulov d.dulov@aladdin.ru Commit author: Alex Hung alex.hung@amd.com
Status in newer kernel trees: 6.15.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 39a580cd1539)
Note: The patch differs from the upstream commit: --- 1: 5559598742fb ! 1: 011d5796b713 drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags @@ Metadata ## Commit message ## drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags
+ commit 5559598742fb4538e4c51c48ef70563c49c2af23 upstream. + [WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null @@ Commit message Signed-off-by: Alex Hung alex.hung@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com + [ Daniil: dcn20 and dcn21 were moved from drivers/gpu/drm/amd/display/dc to + drivers/gpu/drm/amd/display/dc/resource since commit + 8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory"). + The path is changed accordingly to apply the patch on 5.15.y and 6.1.y. ] + Signed-off-by: Daniil Dulov d.dulov@aladdin.ru
- ## drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c ## -@@ drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c: bool dcn20_fast_validate_bw( + ## drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ## +@@ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c: bool dcn20_fast_validate_bw( { bool out = false; int split[MAX_PIPES] = { 0 }; @@ drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c: bool dcn20_fast_ int pipe_cnt, i, pipe_idx, vlevel;
ASSERT(pipes); -@@ drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c: bool dcn20_fast_validate_bw( +@@ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c: bool dcn20_fast_validate_bw( if (vlevel > context->bw_ctx.dml.soc.num_states) goto validate_fail;
@@ drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c: bool dcn20_fast_ /*initialize pipe_just_split_from to invalid idx*/ for (i = 0; i < MAX_PIPES; i++)
- ## drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c ## -@@ drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c: bool dcn21_fast_validate_bw(struct dc *dc, + ## drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c ## +@@ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c: bool dcn21_fast_validate_bw(struct dc *dc, { bool out = false; int split[MAX_PIPES] = { 0 }; @@ drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c: bool dcn21_fast_ int pipe_cnt, i, pipe_idx, vlevel;
ASSERT(pipes); -@@ drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c: bool dcn21_fast_validate_bw(struct dc *dc, +@@ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c: bool dcn21_fast_validate_bw(struct dc *dc, goto validate_fail; }
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | origin/linux-5.15.y | Success | Success | | origin/linux-6.1.y | Success | Success |
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 5559598742fb4538e4c51c48ef70563c49c2af23
WARNING: Author mismatch between patch and upstream commit: Backport author: Daniil Dulov d.dulov@aladdin.ru Commit author: Alex Hung alex.hung@amd.com
Status in newer kernel trees: 6.15.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 39a580cd1539) 6.1.y | Not found 5.15.y | Not found
Note: The patch differs from the upstream commit: --- 1: 5559598742fb < -: ------------ drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags -: ------------ > 1: fceefb8a1082 drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | origin/linux-5.10.y | Success | Success |
linux-stable-mirror@lists.linaro.org
-
Daniil Dulov -
Sasha Levin