Tobias Jakobi

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition has been identified between `dcn35 set drr()` and `dc state destruct()` in the Linux kernel's AMD display module. The issue arises when `dc state destruct()` nulls the resource context of the DC state, and the pipe context passed to `dcn35 set drr()` is a member of this resource context. If `dc state destruct()` is called in parallel with IRQ processing, which calls `dcn35 set drr()`, it can result in using already nulled function callback fields of `struct stream resource`. The logic in `dcn35 set drr()` attempts to avoid this by checking `tg` against NULL, but a race can still occur if the nulling happens after the NULL check and before the next access. To resolve this, the code now copies `tg` to a local variable and uses this variable for all operations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition vulnerability has been resolved in the Linux kernel's DRM/AMD display module. The issue occurs between the `dcn10 set drr()` and `dc state destruct()` functions. When `dc state destruct()` is called in parallel with IRQ processing, which calls `dcn10 set drr()`, it can result in using already nulled function callback fields of `struct stream resource`. The logic in `dcn10 set drr()` tries to avoid this by checking `tg` against NULL, but a race can still occur if the nulling happens after the NULL check and before the next access. To avoid this, `tg` is copied to a local variable, which is then used for all operations. This fix works as long as nobody frees the resource pool where the timing generators live. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.