CVE-2024-40976

{"id": "CVE-2024-40976", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-12T13:15:19.073", "references": [{"url": "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/03e7b2f7ae4c0ae5fb8e4e2454ba4008877f196a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/58bfd311c93d66d8282bf21ebbf35cc3bb8ad9db", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/70aa1f2dec46b6fdb5f6b9f37b6bfa4a4dee0d3a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/9fd8ddd23793a50dbcd11c6ba51f437f1ea7d344", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a421cc7a6a001b70415aa4f66024fa6178885a14", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/bdbc4ca77f5eaac15de7230814253cddfed273b1", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: mask irqs in timeout path before hard reset\n\nThere is a race condition in which a rendering job might take just long\nenough to trigger the drm sched job timeout handler but also still\ncomplete before the hard reset is done by the timeout handler.\nThis runs into race conditions not expected by the timeout handler.\nIn some very specific cases it currently may result in a refcount\nimbalance on lima_pm_idle, with a stack dump such as:\n\n[10136.669170] WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669459] pc : lima_devfreq_record_idle+0xa0/0xb0\n...\n[10136.669628] Call trace:\n[10136.669634] lima_devfreq_record_idle+0xa0/0xb0\n[10136.669646] lima_sched_pipe_task_done+0x5c/0xb0\n[10136.669656] lima_gp_irq_handler+0xa8/0x120\n[10136.669666] __handle_irq_event_percpu+0x48/0x160\n[10136.669679] handle_irq_event+0x4c/0xc0\n\nWe can prevent that race condition entirely by masking the irqs at the\nbeginning of the timeout handler, at which point we give up on waiting\nfor that job entirely.\nThe irqs will be enabled again at the next hard reset which is already\ndone as a recovery by the timeout handler."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/lima: enmascara irqs en la ruta de tiempo de espera antes del restablecimiento completo. Existe una condici\u00f3n de ejecuci\u00f3n en la que un trabajo de renderizado puede tardar el tiempo suficiente para activar el controlador de tiempo de espera del trabajo programado drm, pero tambi\u00e9n completar antes de que el controlador de tiempo de espera realice el restablecimiento completo. Esto se encuentra con condiciones de ejecuci\u00f3n que el controlador de tiempo de espera no esperaba. En algunos casos muy espec\u00edficos, actualmente puede resultar en un desequilibrio de recuento en lima_pm_idle, con un volcado de pila como: [10136.669170] ADVERTENCIA: CPU: 0 PID: 0 en drivers/gpu/drm/lima/lima_devfreq.c:205 lima_devfreq_record_idle+ 0xa0/0xb0... [10136.669459] pc: lima_devfreq_record_idle+0xa0/0xb0... [10136.669628] Rastreo de llamadas: [10136.669634] lima_devfreq_record_idle+0xa0/0xb0 [10136.669646] lima_sched_pipe_tas k_done+0x5c/0xb0 [10136.669656] lima_gp_irq_handler+0xa8/0x120 [ 10136.669666] __handle_irq_event_percpu+0x48/0x160 [10136.669679] handle_irq_event+0x4c/0xc0 Podemos evitar esa condici\u00f3n de ejecuci\u00f3n por completo enmascarando los irqs al comienzo del controlador de tiempo de espera, momento en el cual renunciamos a esperar por ese trabajo por completo. Los irqs se habilitar\u00e1n nuevamente en el pr\u00f3ximo restablecimiento completo, que ya se realiza como recuperaci\u00f3n mediante el controlador de tiempo de espera."}], "lastModified": "2025-10-06T20:31:45.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CB2F0A2-E907-4695-BDA2-66F0081D24C9", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10A39ACC-3005-40E8-875C-98A372D1FFD5", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61E887B4-732A-40D2-9983-CC6F281EBFB7", "versionEndExcluding": "6.1.96", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1046C95-860A-45B0-B718-2B29F65BFF10", "versionEndExcluding": "6.6.36", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C", "versionEndExcluding": "6.9.7", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}