CVE-2024-46871 – drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX
https://notcve.org/view.php?id=CVE-2024-46871
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX [Why & How] It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller number to create array dmub_callback & dmub_thread_offload has potential to access item out of array bound. Fix it. • https://git.kernel.org/stable/c/9f404b0bc2df3880758fb3c3bc7496f596f347d7 https://git.kernel.org/stable/c/800a5ab673c4a61ca220cce177386723d91bdb37 https://git.kernel.org/stable/c/c592b6355b9b57b8e59fc5978ce1e14f64488a98 https://git.kernel.org/stable/c/ad28d7c3d989fc5689581664653879d664da76f0 •
CVE-2024-46870 – drm/amd/display: Disable DMCUB timeout for DCN35
https://notcve.org/view.php?id=CVE-2024-46870
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable DMCUB timeout for DCN35 [Why] DMCUB can intermittently take longer than expected to process commands. Old ASIC policy was to continue while logging a diagnostic error - which works fine for ASIC without IPS, but with IPS this could lead to a race condition where we attempt to access DCN state while it's inaccessible, leading to a system hang when the NIU port is not disabled or register accesses that timeout and the display configuration in an undefined state. [How] We need to investigate why these accesses take longer than expected, but for now we should disable the timeout on DCN35 to avoid this race condition. Since the waits happen only at lower interrupt levels the risk of taking too long at higher IRQ and causing a system watchdog timeout are minimal. • https://git.kernel.org/stable/c/31c254c9cd4b122a10db297124f867107a696d83 https://git.kernel.org/stable/c/7c70e60fbf4bff1123f0e8d5cb1ae71df6164d7f •
CVE-2024-46868 – firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()
https://notcve.org/view.php?id=CVE-2024-46868
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() If the __qcuefi pointer is not set, then in the original code, we would hold onto the lock. That means that if we tried to set it later, then it would cause a deadlock. Drop the lock on the error path. That's what all the callers are expecting. • https://git.kernel.org/stable/c/759e7a2b62eb3ef3c93ffeb5cca788a09627d7d9 https://git.kernel.org/stable/c/8c6a5a1fc02ad1d62d06897ab330693d4d27cd03 https://git.kernel.org/stable/c/db213b0cfe3268d8b1d382b3bcc999c687a2567f •
CVE-2024-46867 – drm/xe/client: fix deadlock in show_meminfo()
https://notcve.org/view.php?id=CVE-2024-46867
In the Linux kernel, the following vulnerability has been resolved: drm/xe/client: fix deadlock in show_meminfo() There is a real deadlock as well as sleeping in atomic() bug in here, if the bo put happens to be the last ref, since bo destruction wants to grab the same spinlock and sleeping locks. Fix that by dropping the ref using xe_bo_put_deferred(), and moving the final commit outside of the lock. Dropping the lock around the put is tricky since the bo can go out of scope and delete itself from the list, making it difficult to navigate to the next list entry. (cherry picked from commit 0083b8e6f11d7662283a267d4ce7c966812ffd8a) • https://git.kernel.org/stable/c/0845233388f8a26d00acf9bf230cfd4f36aa4c30 https://git.kernel.org/stable/c/9d3de463e23bfb1ff1567a32b099b1b3e5286a48 https://git.kernel.org/stable/c/9bd7ff293fc84792514aeafa06c5a17f05cb5f4b •
CVE-2024-46866 – drm/xe/client: add missing bo locking in show_meminfo()
https://notcve.org/view.php?id=CVE-2024-46866
In the Linux kernel, the following vulnerability has been resolved: drm/xe/client: add missing bo locking in show_meminfo() bo_meminfo() wants to inspect bo state like tt and the ttm resource, however this state can change at any point leading to stuff like NPD and UAF, if the bo lock is not held. Grab the bo lock when calling bo_meminfo(), ensuring we drop any spinlocks first. In the case of object_idr we now also need to hold a ref. v2 (MattB) - Also add xe_bo_assert_held() (cherry picked from commit 4f63d712fa104c3ebefcb289d1e733e86d8698c7) • https://git.kernel.org/stable/c/0845233388f8a26d00acf9bf230cfd4f36aa4c30 https://git.kernel.org/stable/c/abc8feacacf8fae10eecf6fea7865e8c1fee419c https://git.kernel.org/stable/c/94c4aa266111262c96c98f822d1bccc494786fee •