CVE-2026-31571

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Unlink NV12 planes earlier

unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state.

This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state.

Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state.

(cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux6a01df2f1b2a3b29721143729a3feff816bc0083 < 70e2eb91cb6310a3508439f6f2539dfffa0abf77affected
LinuxLinux6a01df2f1b2a3b29721143729a3feff816bc0083 < 12f3b6cbab8fbeb95097685b40f0147406cf9746affected
LinuxLinux6a01df2f1b2a3b29721143729a3feff816bc0083 < bfa71b7a9dc6b5b8af157686e03308291141d00caffected
LinuxLinux6.15affected
LinuxLinux0 < 6.15unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References