CVE-2024-40976

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
12/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/lima: mask irqs in timeout path before hard reset

There is a race condition in which a rendering job might take just long
enough to trigger the drm sched job timeout handler but also still
complete before the hard reset is done by the timeout handler.
This runs into race conditions not expected by the timeout handler.
In some very specific cases it currently may result in a refcount
imbalance on lima_pm_idle, with a stack dump such as:

[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0
...
[10136.669628] Call trace:
[10136.669634] lima_devfreq_record_idle+0xa0/0xb0
[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0
[10136.669656] lima_gp_irq_handler+0xa8/0x120
[10136.669666] __handle_irq_event_percpu+0x48/0x160
[10136.669679] handle_irq_event+0x4c/0xc0

We can prevent that race condition entirely by masking the irqs at the
beginning of the timeout handler, at which point we give up on waiting
for that job entirely.
The irqs will be enabled again at the next hard reset which is already
done as a recovery by the timeout handler.
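
The interleaving described above, replayed deterministically in a small model. This is an added example, not code from the kernel or the lima driver: every name in it is hypothetical, and it assumes that both the job-done interrupt path and the timeout path drop the busy reference once for the same job.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model; all names are hypothetical, not lima driver code. */
struct gpu_model {
    int  busy_refs;   /* taken at job start, dropped when the job is retired */
    bool irq_masked;  /* true: the job-done interrupt is not delivered */
    int  warnings;    /* idle calls that found no reference left to drop */
};

static void record_busy(struct gpu_model *g) { g->busy_refs++; }

static void record_idle(struct gpu_model *g)
{
    if (g->busy_refs > 0)
        g->busy_refs--;
    else
        g->warnings++;  /* imbalance: stands in for the kernel WARNING */
}

static void completion_irq(struct gpu_model *g)
{
    if (!g->irq_masked)  /* a masked interrupt never reaches the handler */
        record_idle(g);
}

/* Late completion lands between giving up on the job and the hard reset. */
static void timeout_handler(struct gpu_model *g, bool mask_first)
{
    if (mask_first)
        g->irq_masked = true;  /* the fix: mask at the start of the handler */
    completion_irq(g);         /* job finishes late, inside the window */
    record_idle(g);            /* assumed: timeout path retires the job too */
    g->irq_masked = false;     /* hard reset enables the interrupts again */
}

/* One job through the racy interleaving; returns the warning count. */
int simulate(bool mask_first)
{
    struct gpu_model g = {0};
    record_busy(&g);
    timeout_handler(&g, mask_first);
    return g.warnings;
}

int main(void)
{
    printf("unmasked: %d, masked: %d\n", simulate(false), simulate(true));
    return 0;
}
```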

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.2 (including)    5.10.221 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)   5.15.162 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   6.1.96 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)    6.6.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)    6.9.7 (excluding)