CVE-2026-31571

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Unlink NV12 planes earlier unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state. This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state. Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state. (cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)

CVSS Score

Affected Products

References

• https://git.kernel.org/stable/c/12f3b6cbab8fbeb95097685b40f0147406cf9746Patch
• https://git.kernel.org/stable/c/70e2eb91cb6310a3508439f6f2539dfffa0abf77Patch
• https://git.kernel.org/stable/c/bfa71b7a9dc6b5b8af157686e03308291141d00cPatch