CVE-2024-46867: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-46867 affects the Linux kernel's DRM (Direct Rendering Manager) subsystem, specifically in the xe driver's client memory information display functionality. The vulnerability was discovered and disclosed on September 27, 2024, affecting Linux kernel versions from 6.8 up to 6.10.11 and various release candidates of version 6.11 (NVD).

The vulnerability involves a deadlock condition in the show_meminfo() function within the DRM/XE client implementation. The issue occurs when a buffer object (bo) reference count reaches zero during memory information display, causing both a deadlock and a sleeping in atomic context bug. This happens because the buffer object destruction attempts to acquire the same spinlock and sleeping locks that are already held (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system denial of service condition through a deadlock in the kernel's memory management subsystem. The issue specifically affects systems using the Intel XE graphics driver when attempting to display memory information (NVD).

The issue has been fixed in the Linux kernel through a patch that modifies the reference counting mechanism. The fix involves using xe_bo_put_deferred() instead of xe_bo_put() and moving the final commit outside of the lock to prevent the deadlock condition. Updates are available for various Linux distributions, including Ubuntu 24.04 LTS (linux kernel 6.8.0-50.51) and other affected versions (Ubuntu Security).