CVE-2024-46850

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()<br /> <br /> dc_state_destruct() nulls the resource context of the DC state. The pipe<br /> context passed to dcn35_set_drr() is a member of this resource context.<br /> <br /> If dc_state_destruct() is called parallel to the IRQ processing (which<br /> calls dcn35_set_drr() at some point), we can end up using already nulled<br /> function callback fields of struct stream_resource.<br /> <br /> The logic in dcn35_set_drr() already tries to avoid this, by checking tg<br /> against NULL. But if the nulling happens exactly after the NULL check and<br /> before the next access, then we get a race.<br /> <br /> Avoid this by copying tg first to a local variable, and then use this<br /> variable for all the operations. This should work, as long as nobody<br /> frees the resource pool where the timing generators live.<br /> <br /> (cherry picked from commit 0607a50c004798a96e62c089a4c34c220179dcb5)