In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401
When users run the command:
cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log
The following NULL pointer dereference happens:
[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL
[ +0.000005] #PF: supervisor instruction fetch in kernel mode
[ +0.000002] #PF: error_code(0x0010) - not-present page
[ +0.000002] PGD 0 P4D 0
[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ +0.000003] RIP: 0010:0x0
[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[...]
[ +0.000002] PKRU: 55555554
[ +0.000002] Call Trace:
[ +0.000002] <TASK>
[ +0.000003] ? show_regs+0x65/0x70
[ +0.000006] ? __die+0x24/0x70
[ +0.000004] ? page_fault_oops+0x160/0x470
[ +0.000006] ? do_user_addr_fault+0x2b5/0x690
[ +0.000003] ? prb_read_valid+0x1c/0x30
[ +0.000005] ? exc_page_fault+0x8c/0x1a0
[ +0.000005] ? asm_exc_page_fault+0x27/0x30
[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]
[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000003] ? vsnprintf+0x2fb/0x600
[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]
[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170
[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? debug_smp_processor_id+0x17/0x20
[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? set_ptes.isra.0+0x2b/0x90
[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? _raw_spin_unlock+0x19/0x40
[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? do_anonymous_page+0x337/0x700
[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]
[ +0.000207] full_proxy_read+0x66/0x90
[ +0.000007] vfs_read+0xb0/0x340
[ +0.000005] ? __count_memcg_events+0x79/0xe0
[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40
[ +0.000003] ? handle_mm_fault+0xb2/0x370
[ +0.000003] ksys_read+0x6b/0xf0
[ +0.000004] __x64_sys_read+0x19/0x20
[ +0.000003] do_syscall_64+0x60/0x130
[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ +0.000003] RIP: 0033:0x7fdf32f147e2
[...]
This error happens when the color log tries to read the gamut remap information from DCN401, whose dcn401_dpp_funcs table does not initialize that callback, so the call goes through a NULL function pointer (hence RIP 0x0 in the trace). This commit addresses the issue by adding a proper guard around the gamut_remap callback for the case where the specific ASIC did not implement this function.
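The failure pattern and the fix generalize beyond this one driver: a per-ASIC function table where some slots are optional, and a caller that assumes every slot is filled. The example below is added here to illustrate that pattern; it is constructed and is not the kernel's or amdgpu's code. The type and function names (dpp_ops, get_gamut_remap, asic_a/asic_b, log_gamut_remap, dump_all_pipes) are hypothetical stand-ins modelled loosely on the dpp funcs tables the advisory mentions. The "asic-b" table plays the role of DCN401 by leaving the hook NULL, and the guarded logger reports "n/a" for it instead of dereferencing address 0.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a per-ASIC display-pipe function table.
 * Names are hypothetical, not the kernel's real struct or field names. */
struct gamut_remap_state {
    int enabled;
    int coeff[3];          /* constructed: a few matrix entries */
};

struct dpp;
struct dpp_ops {
    /* Optional hook: an ASIC whose table leaves this NULL does not
     * implement gamut remap readback (the DCN401 case in the advisory). */
    void (*get_gamut_remap)(struct dpp *dpp, struct gamut_remap_state *out);
};

struct dpp {
    const char *asic;
    const struct dpp_ops *ops;
};

/* ASIC "a" fills in the hook. */
static void asic_a_get_gamut_remap(struct dpp *dpp, struct gamut_remap_state *out)
{
    (void)dpp;
    out->enabled = 1;
    out->coeff[0] = 1; out->coeff[1] = 0; out->coeff[2] = 0;
}
static const struct dpp_ops asic_a_ops = { .get_gamut_remap = asic_a_get_gamut_remap };

/* ASIC "b" never sets the hook: the designated initializer leaves it NULL. */
static const struct dpp_ops asic_b_ops = { .get_gamut_remap = NULL };

/* The unguarded form, dpp->ops->get_gamut_remap(dpp, &s), jumps to
 * address 0 when the slot is NULL, which is the "RIP: 0010:0x0" oops in
 * the trace above. It is deliberately not present here. */

/* Guarded logger. Returns 1 if state was read and formatted into buf,
 * 0 if this ASIC has no hook (buf then says so instead of crashing). */
int log_gamut_remap(struct dpp *dpp, char *buf, size_t len)
{
    struct gamut_remap_state s;

    if (!dpp->ops->get_gamut_remap) {
        snprintf(buf, len, "%s: gamut remap: n/a\n", dpp->asic);
        return 0;
    }
    dpp->ops->get_gamut_remap(dpp, &s);
    snprintf(buf, len, "%s: gamut remap: %s [%d %d %d]\n", dpp->asic,
             s.enabled ? "on" : "off", s.coeff[0], s.coeff[1], s.coeff[2]);
    return 1;
}

/* Walk every pipe the way a debugfs dump would; returns how many pipes
 * actually reported state. Pipes without the hook are skipped, not fatal. */
int dump_all_pipes(struct dpp *pipes, int n, char *buf, size_t len)
{
    int reported = 0;
    size_t used = 0;
    char line[96];

    for (int i = 0; i < n; i++) {
        reported += log_gamut_remap(&pipes[i], line, sizeof line);
        if (used >= len)
            break;
        used += (size_t)snprintf(buf + used, len - used, "%s", line);
    }
    return reported;
}

int main(void)
{
    struct dpp pipes[] = {
        { "asic-a", &asic_a_ops },
        { "asic-b", &asic_b_ops },
    };
    char out[256];

    dump_all_pipes(pipes, 2, out, sizeof out);
    fputs(out, stdout);
    return 0;
}
```

The guard is the right fix only when NULL is the table's agreed way of saying "not implemented"; the alternative is to install a no-op callback in every table so callers need no check. Either way, a read of a debugfs file should degrade to a missing line, never to an oops reachable by any user who can open the file.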