APPLIED: [SRU][J/F][PATCH 0/1] CVE-2024-26607

Stefan Bader stefan.bader at canonical.com
Wed Sep 25 10:03:31 UTC 2024 

On 13.09.24 06:04, Hui Wang wrote:
> [Impact]
> 
> A null pointer dereference crash has been observed rarely on TI
> platforms using sii9022 bridge, The issue here is as follows:
> 
> - tidss probes, but is deferred as sii902x is still missing.
> - sii902x starts probing and enters sii902x_init().
> - sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from
>    DRM's perspective.
> - sii902x calls sii902x_audio_codec_init() and
>    platform_device_register_data()
> - The registration of the audio platform device causes probing of the
>    deferred devices.
> - tidss probes, which eventually causes sii902x_bridge_get_edid() to be
>    called.
> - sii902x_bridge_get_edid() tries to use the i2c to read the edid.
>    However, the sii902x driver has not set up the i2c part yet, leading
>    to the crash.
> 
> 
> [Backport]
> 
> This backporting moves bridge_add() behind the add_adapter()
> and del_adapter() behind the bridge_remove() as the original patch
> does, in the meantime, adjust the context due to missing:
> f4319f72a9bc ("drm/bridge: sii902x: add support for DRM_BRIDGE_ATTACH_NO_CONNECTOR")
> ed5c2f5fd10d ("i2c: Make remove callback return void")
> ff1eae1201a4 ("drm/bridge: sii902x: Use devm_regulator_bulk_get_enable()")
> 
> 
> [Fix]
> 
> Noble:  Not affected
> Jammy:  Backported from mainline v6.8-rc2, see explanation in [Backport]
> Focal:  Backported from mainline v6.8-rc2, see explanation in [Backport]
> Bionic: Not affected
> Xenial: Not affected
> Trusty: Not affected
> 
> [Test Case]
> 
> Compile and boot test.
> 
> 
> [Where problems could occur]
> 
> The change is on drm/bridge driver, if there is regression, it could
> impact graphic driver. But the likely of regression is very low, the
> change is straightforward and simple.
> 
> 
> Tomi Valkeinen (1):
>    drm/bridge: sii902x: Fix probing race issue
> 
>   drivers/gpu/drm/bridge/sii902x.c | 20 +++++++++++---------
>   1 file changed, 11 insertions(+), 9 deletions(-)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240925/41041079/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240925/41041079/attachment-0001.sig>

More information about the kernel-team mailing list