CVE-2024-46896

Since 2320c9e6a768 ("drm/sched: memset() 'job' in drmschedjobinit()") accessing job->base.sched can produce unexpected results as the initialisation of (*job)->base.sched done in amdgpujob_alloc is overwritten by the memset.

This commit fixes an issue when a CS would fail validation and would be rejected after job->numibs is incremented. In this case, amdgpuib_free(ring->adev, ...) will be called, which would crash the machine because the ring value is bogus.

To fix this, pass a NULL pointer to amdgpuibfree(): we can do this because the device is actually not used in this function.

The next commit will remove the ring argument completely.

(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

166df51487f46b6e997dfeea7ca0c2a970853f07

Fixed

65501a4fd84ecdc0af863dbb37759242aab9f2dd

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

87210234e5a273ebf9c4110a6aa82b8221478daa

Fixed

da6b2c626ae73c303378ce9eaf6e3eaf16c9925a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2da108b4b5fb7ec04d7e951418ed80e97f7c35ad

Fixed

67291d601f2b032062b1b2f60ffef1b63e10094c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

2320c9e6a768d135c7b0039995182bb1a4e4fd22

Fixed

a93b1020eb9386d7da11608477121b10079c076a

Affected versions

v6.*

v6.1.120

v6.1.121

v6.12

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.5

v6.12.6

v6.13-rc1

v6.13-rc2

v6.6.66

v6.6.67

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.120

Fixed

6.1.122

Type: ECOSYSTEM
Events: Introduced

6.6.66

Fixed

6.6.68

Type: ECOSYSTEM
Events: Introduced

6.12.5

Fixed

6.12.7