CVE-2022-49203

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
26/02/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix double free during GPU reset on DC streams

[Why]
The issue only occurs during the GPU reset code path.

We first backup the current state prior to committing 0 streams internally from DM to DC. This state backup contains valid link encoder assignments.

DC will clear the link encoder assignments as part of current state (but not the backup, since it was copied before the commit) and free the extra stream reference it held.

DC requires that the link encoder assignments remain cleared/invalid prior to committing. Since the backup still has valid assignments we call the interface post reset to clear them. This routine also releases the extra reference that the link encoder interface held, resulting in a double free (and eventually a NULL pointer dereference).

[How]
We'll have to do a full DC commit anyway after GPU reset because the stream count previously went to 0.

We don't need to retain the assignment that we had backed up, so just copy off of the now clean current state assignment after the reset has occurred with the new link_enc_cfg_copy() interface.

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 5.17 (including)
Up to: 5.17.2 (excluding)