CVE-2024-46896

Since 2320c9e6a768 ("drm/sched: memset() 'job' in drmschedjobinit()") accessing job->base.sched can produce unexpected results as the initialisation of (*job)->base.sched done in amdgpujob_alloc is overwritten by the memset.

This commit fixes an issue when a CS would fail validation and would be rejected after job->numibs is incremented. In this case, amdgpuib_free(ring->adev, ...) will be called, which would crash the machine because the ring value is bogus.

To fix this, pass a NULL pointer to amdgpuibfree(): we can do this because the device is actually not used in this function.

The next commit will remove the ring argument completely.

(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46896.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

166df51487f46b6e997dfeea7ca0c2a970853f07

Fixed

65501a4fd84ecdc0af863dbb37759242aab9f2dd

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

87210234e5a273ebf9c4110a6aa82b8221478daa

Fixed

da6b2c626ae73c303378ce9eaf6e3eaf16c9925a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2da108b4b5fb7ec04d7e951418ed80e97f7c35ad

Fixed

67291d601f2b032062b1b2f60ffef1b63e10094c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2320c9e6a768d135c7b0039995182bb1a4e4fd22

Fixed

a93b1020eb9386d7da11608477121b10079c076a

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.120

Fixed

6.1.122

Type: ECOSYSTEM
Events: Introduced

6.6.66

Fixed

6.6.68

Type: ECOSYSTEM
Events: Introduced

6.12.5

Fixed

6.12.7