CVE-2026-23467

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/dmc: Fix an unlikely NULL pointer deference at probe<br /> <br /> intel_dmc_update_dc6_allowed_count() oopses when DMC hasn&amp;#39;t been<br /> initialized, and dmc is thus NULL.<br /> <br /> That would be the case when the call path is<br /> intel_power_domains_init_hw() -&gt; {skl,bxt,icl}_display_core_init() -&gt;<br /> gen9_set_dc_state() -&gt; intel_dmc_update_dc6_allowed_count(), as<br /> intel_power_domains_init_hw() is called *before* intel_dmc_init().<br /> <br /> However, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count()<br /> conditionally, depending on the current and target DC states. At probe,<br /> the target is disabled, but if DC6 is enabled, the function is called,<br /> and an oops follows. Apparently it&amp;#39;s quite unlikely that DC6 is enabled<br /> at probe, as we haven&amp;#39;t seen this failure mode before.<br /> <br /> It is also strange to have DC6 enabled at boot, since that would require<br /> the DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and<br /> the driver stopping / reprogramming the firmware is a poorly specified<br /> sequence and as such unlikely an intentional BIOS behaviour. It&amp;#39;s more<br /> likely that BIOS is leaving an unintentionally enabled DC6 HW state<br /> behind (without actually loading the required DMC firmware for this).<br /> <br /> The tracking of the DC6 allowed counter only works if starting /<br /> stopping the counter depends on the _SW_ DC6 state vs. the current _HW_<br /> DC6 state (since stopping the counter requires the DC5 counter captured<br /> when the counter was started). Thus, using the HW DC6 state is incorrect<br /> and it also leads to the above oops. Fix both issues by using the SW DC6<br /> state for the tracking.<br /> <br /> This is v2 of the fix originally sent by Jani, updated based on the<br /> first Link: discussion below.<br /> <br /> (cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)