CVE-2026-31488
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Do not skip unrelated mode changes in DSC validation
Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream.
However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelated) mode change. For example, the integrated panel of a laptop may be configured differently (e.g., HDR enabled/disabled) depending on whether external screens are attached. In this case, plugging in external DP-MST screens may result in the mode_changed flag being dropped incorrectly for the integrated panel if its DSC configuration did not change during precomputation in pre_validate_dsc().
At this point, however, dm_update_crtc_state() has already created new streams for CRTCs with DSC-independent mode changes. In turn, amdgpu_dm_commit_streams() will never release the old stream, resulting in a memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to the new stream either, which manifests as a use-after-free when the stream gets disabled later on:
BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu] Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn Call Trace:
dump_stack_lvl+0x6e/0xa0 print_address_description.constprop.0+0x88/0x320 ? dc_stream_release+0x25/0x90 [amdgpu] print_report+0xfc/0x1ff ? srso_alias_return_thunk+0x5/0xfbef5 ? __virt_addr_valid+0x225/0x4e0 ? dc_stream_release+0x25/0x90 [amdgpu] kasan_report+0xe1/0x180 ? dc_stream_release+0x25/0x90 [amdgpu] kasan_check_range+0x125/0x200 dc_stream_release+0x25/0x90 [amdgpu] dc_state_destruct+0x14d/0x5c0 [amdgpu] dc_state_release.part.0+0x4e/0x130 [amdgpu] dm_atomic_destroy_state+0x3f/0x70 [amdgpu] drm_atomic_state_default_clear+0x8ee/0xf30 ? drm_mode_object_put.part.0+0xb1/0x130 __drm_atomic_state_free+0x15c/0x2d0 atomic_remove_fb+0x67e/0x980
Since there is no reliable way of figuring out whether a CRTC has unrelated mode changes pending at the time of DSC validation, remember the value of the mode_changed flag from before the point where a CRTC was marked as potentially affected by a change in DSC configuration. Reset the mode_changed flag to this earlier value instead in pre_validate_dsc().
(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
85cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.18.1,<6.12.80
- cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
- osv-coords75 versionspkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rv
< 4.18.0-553.136.1.el8_10+ 74 more
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.rt7.477.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 4.18.0-553.136.1.el8_10
- (no CPE)range: < 5.14.0-687.19.1.el9_8
- (no CPE)range: < 5.14.0-687.19.1.el9_8
Patches
Vulnerability mechanics
References
6- git.kernel.org/stable/c/10862e344b4d6434642a48c87d765813fc0b0ba7nvdPatch
- git.kernel.org/stable/c/111208b5b7ebcdadb3f922cc52d8425f0fa91b33nvdPatch
- git.kernel.org/stable/c/8a5edc97fd9c6415ff2eff872748439a97e3c3d8nvdPatch
- git.kernel.org/stable/c/aed3d041ab061ec8a64f50a3edda0f4db7280025nvdPatch
- git.kernel.org/stable/c/21159d8b335a6b9f44cbb506733013a902ae2da4nvd
- git.kernel.org/stable/c/da1d0ed31e9802fd99384f43cc63678a5a11cb41nvd
News mentions
0No linked articles in our index yet.