[SRU][J/F][PATCH 0/1] CVE-2024-26607

[Hui Wang]

[Impact]

A null pointer dereference crash has been observed rarely on TI
platforms using sii9022 bridge, The issue here is as follows:

- tidss probes, but is deferred as sii902x is still missing.
- sii902x starts probing and enters sii902x_init().
- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from
  DRM's perspective.
- sii902x calls sii902x_audio_codec_init() and
  platform_device_register_data()
- The registration of the audio platform device causes probing of the
  deferred devices.
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be
  called.
- sii902x_bridge_get_edid() tries to use the i2c to read the edid.
  However, the sii902x driver has not set up the i2c part yet, leading
  to the crash.


[Backport]

This backporting moves bridge_add() behind the add_adapter()
and del_adapter() behind the bridge_remove() as the original patch
does, in the meantime, adjust the context due to missing:
f4319f72a9bc ("drm/bridge: sii902x: add support for DRM_BRIDGE_ATTACH_NO_CONNECTOR")
ed5c2f5fd10d ("i2c: Make remove callback return void")
ff1eae1201a4 ("drm/bridge: sii902x: Use devm_regulator_bulk_get_enable()")


[Fix]

Noble:  Not affected
Jammy:  Backported from mainline v6.8-rc2, see explanation in [Backport]
Focal:  Backported from mainline v6.8-rc2, see explanation in [Backport]
Bionic: Not affected
Xenial: Not affected
Trusty: Not affected

[Test Case]

Compile and boot test.


[Where problems could occur]

The change is on drm/bridge driver, if there is regression, it could
impact graphic driver. But the likely of regression is very low, the
change is straightforward and simple.


Tomi Valkeinen (1):
  drm/bridge: sii902x: Fix probing race issue

 drivers/gpu/drm/bridge/sii902x.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

-- 
2.34.1