{"id":"CVE-2024-57918","summary":"drm/amd/display: fix page fault due to max surface definition mismatch","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix page fault due to max surface definition mismatch\n\nDC driver is using two different values to define the maximum number of\nsurfaces: MAX_SURFACES and MAX_SURFACE_NUM. Consolidate MAX_SURFACES as\nthe unique definition for surface updates across DC.\n\nIt fixes page fault faced by Cosmic users on AMD display versions that\nsupport two overlay planes, since the introduction of cursor overlay\nmode.\n\n[Nov26 21:33] BUG: unable to handle page fault for address: 0000000051d0f08b\n[  +0.000015] #PF: supervisor read access in kernel mode\n[  +0.000006] #PF: error_code(0x0000) - not-present page\n[  +0.000005] PGD 0 P4D 0\n[  +0.000007] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000006] CPU: 4 PID: 71 Comm: kworker/u32:6 Not tainted 6.10.0+ #300\n[  +0.000006] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[  +0.000007] Workqueue: events_unbound commit_work [drm_kms_helper]\n[  +0.000040] RIP: 0010:copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000847] Code: 8b 10 49 89 94 24 f8 00 00 00 48 8b 50 08 49 89 94 24 00 01 00 00 8b 40 10 41 89 84 24 08 01 00 00 49 8b 45 78 48 85 c0 74 0b \u003c0f\u003e b6 00 41 88 84 24 90 64 00 00 49 8b 45 60 48 85 c0 74 3b 48 8b\n[  +0.000010] RSP: 0018:ffffc203802f79a0 EFLAGS: 00010206\n[  +0.000009] RAX: 0000000051d0f08b RBX: 0000000000000004 RCX: ffff9f964f0a8070\n[  +0.000004] RDX: ffff9f9710f90e40 RSI: ffff9f96600c8000 RDI: ffff9f964f000000\n[  +0.000004] RBP: ffffc203802f79f8 R08: 0000000000000000 R09: 0000000000000000\n[  +0.000005] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9f96600c8000\n[  +0.000004] R13: ffff9f9710f90e40 R14: ffff9f964f000000 R15: ffff9f96600c8000\n[  +0.000004] FS:  0000000000000000(0000) GS:ffff9f9970000000(0000) knlGS:0000000000000000\n[  +0.000005] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000005] CR2: 0000000051d0f08b CR3: 00000002e6a20000 CR4: 0000000000350ef0\n[  +0.000005] Call Trace:\n[  +0.000011]  \u003cTASK\u003e\n[  +0.000010]  ? __die_body.cold+0x19/0x27\n[  +0.000012]  ? page_fault_oops+0x15a/0x2d0\n[  +0.000014]  ? exc_page_fault+0x7e/0x180\n[  +0.000009]  ? asm_exc_page_fault+0x26/0x30\n[  +0.000013]  ? copy_stream_update_to_stream.isra.0+0x30d/0x750 [amdgpu]\n[  +0.000739]  ? dc_commit_state_no_check+0xd6c/0xe70 [amdgpu]\n[  +0.000470]  update_planes_and_stream_state+0x49b/0x4f0 [amdgpu]\n[  +0.000450]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? commit_minimal_transition_state+0x239/0x3d0 [amdgpu]\n[  +0.000446]  update_planes_and_stream_v2+0x24a/0x590 [amdgpu]\n[  +0.000464]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? sort+0x31/0x50\n[  +0.000007]  ? amdgpu_dm_atomic_commit_tail+0x159f/0x3a30 [amdgpu]\n[  +0.000508]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? amdgpu_crtc_get_scanout_position+0x28/0x40 [amdgpu]\n[  +0.000377]  ? srso_return_thunk+0x5/0x5f\n[  +0.000009]  ? drm_crtc_vblank_helper_get_vblank_timestamp_internal+0x160/0x390 [drm]\n[  +0.000058]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_default_wait+0x8c/0x260\n[  +0.000010]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? wait_for_completion_timeout+0x13b/0x170\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? dma_fence_wait_timeout+0x108/0x140\n[  +0.000010]  ? commit_tail+0x94/0x130 [drm_kms_helper]\n[  +0.000024]  ? process_one_work+0x177/0x330\n[  +0.000008]  ? worker_thread+0x266/0x3a0\n[  +0.000006]  ? __pfx_worker_thread+0x10/0x10\n[  +0.000004]  ? kthread+0xd2/0x100\n[  +0.000006]  ? __pfx_kthread+0x10/0x10\n[  +0.000006]  ? ret_from_fork+0x34/0x50\n[  +0.000004]  ? __pfx_kthread+0x10/0x10\n[  +0.000005]  ? ret_from_fork_asm+0x1a/0x30\n[  +0.000011]  \u003c/TASK\u003e\n\n(cherry picked from commit 1c86c81a86c60f9b15d3e3f43af0363cf56063e7)","modified":"2026-04-02T12:25:23.097668Z","published":"2025-01-19T11:52:38.535Z","related":["USN-7379-2","USN-7380-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57918.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/37b8de96ae48c7bb1a17cd5585195c43fcacbe94"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7de8d5c90be9ad9f6575e818a674801db2ada794"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57918.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57918"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1b04dcca4fb10dd3834893a60de74edd99f2bfaf"},{"fixed":"37b8de96ae48c7bb1a17cd5585195c43fcacbe94"},{"fixed":"7de8d5c90be9ad9f6575e818a674801db2ada794"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57918.json"}}],"schema_version":"1.7.5"}