CVE-2024-47720

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for setoutputgamma in dcn30setoutputtransferfunc

This commit adds a null check for the setoutputgamma function pointer in the dcn30setoutputtransferfunc function. Previously, setoutputgamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if setoutputgamma is indeed null.

To fix this, we now ensure that setoutputgamma is not null before dereferencing it. We do this by adding a nullity check for setoutputgamma before the call to setoutputgamma at line 401. If setoutputgamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30hwseq.c:401 dcn30setoutputtransferfunc() error: we previously assumed 'mpc->funcs->setoutput_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30hwseq.c 373 bool dcn30setoutputtransferfunc(struct dc *dc, 374 struct pipectx *pipectx, 375 const struct dcstreamstate *stream) 376 { 377 int mpccid = pipectx->planeres.hubp->inst; 378 struct mpc mpc = pipectx->streamres.opp->ctx->dc->respool->mpc; 379 const struct pwlparams params = NULL; 380 bool ret = false; 381 382 / program OGAM or 3DLUT only for the top pipe/ 383 if (pipectx->toppipe == NULL) { 384 /program rmu shaper and 3dlut in MPC/ 385 ret = dcn30setmpcshaper3dlut(pipectx, stream); 386 if (ret == false && mpc->funcs->setoutput_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &stream->out_transfer_func.pwl;
389                         else if (pipe_ctx->stream->out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &&
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &stream->out_transfer_func,
393                                         &mpc->blender_params, false))
394                                 params = &mpc->blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

--> 401 mpc->funcs->setoutputgamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }