{"id":"CVE-2024-47720","summary":"drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the  dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc-\u003efuncs-\u003eset_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n    373 bool dcn30_set_output_transfer_func(struct dc *dc,\n    374                                 struct pipe_ctx *pipe_ctx,\n    375                                 const struct dc_stream_state *stream)\n    376 {\n    377         int mpcc_id = pipe_ctx-\u003eplane_res.hubp-\u003einst;\n    378         struct mpc *mpc = pipe_ctx-\u003estream_res.opp-\u003ectx-\u003edc-\u003eres_pool-\u003empc;\n    379         const struct pwl_params *params = NULL;\n    380         bool ret = false;\n    381\n    382         /* program OGAM or 3DLUT only for the top pipe*/\n    383         if (pipe_ctx-\u003etop_pipe == NULL) {\n    384                 /*program rmu shaper and 3dlut in MPC*/\n    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n    386                 if (ret == false && mpc-\u003efuncs-\u003eset_output_gamma) {\n                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n    387                         if (stream-\u003eout_transfer_func.type == TF_TYPE_HWPWL)\n    388                                 params = &stream-\u003eout_transfer_func.pwl;\n    389                         else if (pipe_ctx-\u003estream-\u003eout_transfer_func.type ==\n    390                                         TF_TYPE_DISTRIBUTED_POINTS &&\n    391                                         cm3_helper_translate_curve_to_hw_format(\n    392                                         &stream-\u003eout_transfer_func,\n    393                                         &mpc-\u003eblender_params, false))\n    394                                 params = &mpc-\u003eblender_params;\n    395                          /* there are no ROM LUTs in OUTGAM */\n    396                         if (stream-\u003eout_transfer_func.type == TF_TYPE_PREDEFINED)\n    397                                 BREAK_TO_DEBUGGER();\n    398                 }\n    399         }\n    400\n--\u003e 401         mpc-\u003efuncs-\u003eset_output_gamma(mpc, mpcc_id, params);\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n    402         return ret;\n    403 }","modified":"2026-04-16T04:40:18.955190240Z","published":"2024-10-21T11:53:50.178Z","related":["SUSE-SU-2024:3983-1","SUSE-SU-2024:3984-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:3986-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47720.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47720.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47720"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a"},{"fixed":"44948d3cb943602ba4a0b5ed3c91ae0525838fb1"},{"fixed":"64886a4e6f1dce843c0889505cf0673b5211e16a"},{"fixed":"ddf9ff244d704e1903533f7be377615ed34b83e7"},{"fixed":"84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"},{"fixed":"72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"},{"fixed":"08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47720.json"}}],"schema_version":"1.7.5"}