CVE-2023-53991
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Disallow unallocated resources to be returned
In the event that the topology requests resources that have not been created by the system (because they are typically not represented in dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC blocks, until their allocation/assignment is being sanity-checked in "drm/msm/dpu: Reject topologies for which no DSC blocks are available") remain NULL but will still be returned out of dpu_rm_get_assigned_resources, where the caller expects to get an array containing num_blks valid pointers (but instead gets these NULLs).
To prevent this from happening, where null-pointer dereferences typically result in a hard-to-debug platform lockup, num_blks shouldn't increase past NULL blocks and will print an error and break instead. After all, max_blks represents the static size of the maximum number of blocks whereas the actual amount varies per platform.
^1: which can happen after a git rebase ended up moving additions to _dpu_cfg to a different struct which has the same patch context.
Patchwork: https://patchwork.freedesktop.org/patch/517636/
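The loop change described above, as an added example in user-space C. It is a simplified model written for this page, not the kernel driver's code: `num_blks` and `max_blks` (here `MAX_BLKS`) follow the description, while the struct, the table contents, encoder id 31, the `blks_size` bound and the `reject_null` switch are assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#define MAX_BLKS 4                      /* static table size (assumed value) */
struct hw_blk { int id; };              /* stand-in for a hardware block */

/* Constructed state: slots 0-1 exist, slot 2 was never created but is
 * still assigned to encoder 31, slot 3 is unused. */
static struct hw_blk blk0 = { 0 }, blk1 = { 1 };
static struct hw_blk *hw_blks[MAX_BLKS] = { &blk0, &blk1, NULL, NULL };
static const int hw_to_enc_id[MAX_BLKS] = { 31, 31, 31, 0 };

/* Copies blocks assigned to enc_id into blks[] and returns num_blks.
 * reject_null = 0 models the old behaviour, 1 the behaviour after the fix. */
static int get_assigned(int enc_id, struct hw_blk **blks, int blks_size,
                        int reject_null)
{
    int num_blks = 0;
    for (int i = 0; i < MAX_BLKS; i++) {
        if (hw_to_enc_id[i] != enc_id)
            continue;
        if (num_blks == blks_size)      /* never write past the caller's array */
            break;
        if (reject_null && !hw_blks[i]) {
            fprintf(stderr, "slot %d (enc %d) is not allocated\n", i, enc_id);
            break;                      /* num_blks stays at the valid count */
        }
        blks[num_blks++] = hw_blks[i];
    }
    return num_blks;
}

/* Number of NULL entries among the first n returned pointers. */
static int count_null(struct hw_blk **blks, int n)
{
    int nulls = 0;
    for (int i = 0; i < n; i++)
        nulls += (blks[i] == NULL);
    return nulls;
}

int main(void)
{
    struct hw_blk *out[MAX_BLKS];
    int before = get_assigned(31, out, MAX_BLKS, 0);
    printf("before: num_blks=%d nulls=%d\n", before, count_null(out, before));
    int after = get_assigned(31, out, MAX_BLKS, 1);
    printf("after:  num_blks=%d nulls=%d\n", after, count_null(out, after));
}
```

In the model, a caller that trusts the returned count sees a NULL entry only in the unchecked variant; with the check, the count covers valid pointers only.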
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel DRM MSM DPU can return NULL pointers for unallocated DSC resources, causing null-pointer dereference and system lockup.
Root Cause
In the Linux kernel's DRM MSM DPU driver, when a topology requests resources (such as DSC blocks) that are not present in the system's configuration (dpu_mdss_cfg), the corresponding resource pointer in the global state remains NULL. The function dpu_rm_get_assigned_resources then returns an array containing these NULL pointers, although the caller expects valid pointers. This leads to a null-pointer dereference when the caller attempts to use them.
Attack Surface
An attacker who can influence the topology configuration (e.g., through a malicious display mode or crafted input) could trigger this code path. The vulnerability is local, requiring access to the DRM subsystem or the ability to trigger resource allocation. No authentication is mentioned, but it likely requires local user access or root privileges to manipulate DRM state.
Impact
A null-pointer dereference in this context typically results in a hard-to-debug platform lockup or kernel panic, leading to a denial of service. The system becomes unresponsive, requiring a reboot. There is no information about arbitrary code execution, but the crash itself is a security issue.
Mitigation
The fix ensures that num_blks does not increase past NULL blocks, printing an error and breaking out of the loop instead. The patched code prevents returning NULL pointers. The fix is included in stable kernel updates. Administrators should apply the latest kernel updates to their systems.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- 8dbd54d679e3
- bf661c5e3bc4
- 9e1e236acdc4
- 9fe3644c720a
- abc40122d9a6
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259 (nvd)
- git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309 (nvd)
- git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf (nvd)
- git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1 (nvd)
- git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0 (nvd)