Description
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add error handling for old state CRTC in atomic_disable Introduce error handling to address an issue where, after a hotplug event, the cursor continues to update. This situation can lead to a kernel panic due to accessing the NULL `old_state->crtc`. E,g. Unable to handle kernel NULL pointer dereference at virtual address Call trace: mtk_crtc_plane_disable+0x24/0x140 mtk_plane_atomic_update+0x8c/0xa8 drm_atomic_helper_commit_planes+0x114/0x2c8 drm_atomic_helper_commit_tail_rpm+0x4c/0x158 commit_tail+0xa0/0x168 drm_atomic_helper_commit+0x110/0x120 drm_atomic_commit+0x8c/0xe0 drm_atomic_helper_update_plane+0xd4/0x128 __setplane_atomic+0xcc/0x110 drm_mode_cursor_common+0x250/0x440 drm_mode_cursor_ioctl+0x44/0x70 drm_ioctl+0x264/0x5d8 __arm64_sys_ioctl+0xd8/0x510 invoke_syscall+0x6c/0xe0 do_el0_svc+0x68/0xe8 el0_svc+0x34/0x60 el0t_64_sync_handler+0x1c/0xf8 el0t_64_sync+0x180/0x188 Adding NULL pointer checks to ensure stability by preventing operations on an invalid CRTC state.
Product status
40b5b4ba8ed87c0bfb6268c10589777652ebde4c (git) before 7d5cc22efa44e0fe321ce195c71c3d7da211fbb2
d208261e9f7c66960587b10473081dc1cecbe50b (git) before 9a94e9d8b50bcfe89693bc899a54d3866d86e973
d208261e9f7c66960587b10473081dc1cecbe50b (git) before 0c6b24d70da21201ed009a2aca740d2dfddc7ab5
a9c482689051ca96f4a4630fe49fd6919694caaa (git)
6.16
Any version before 6.16
6.12.45 (semver)
6.16.5 (semver)
6.17 (original_commit_for_fix)
References
git.kernel.org/...c/7d5cc22efa44e0fe321ce195c71c3d7da211fbb2
git.kernel.org/...c/9a94e9d8b50bcfe89693bc899a54d3866d86e973
git.kernel.org/...c/0c6b24d70da21201ed009a2aca740d2dfddc7ab5
