[SRU][J 0/2][N 0/1][PATCH] CVE-2024-57798
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Mon Feb 24 15:17:59 UTC 2025
[Impact]

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().

Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.

[Fix]

Oracular: Fixed via upstream stable updates (LP: #2097531)
Noble: Cherry picked from mainline
Jammy: Cherry picked both a prereq and the fix commit from mainline
Focal: Not affected

[Test case]

Compile and boot tested.
Verified that the interested drm modules load correctly on both
amd64 and arm64.

[Where problems could occur]
The fix affects the DisplayPort multi-stream transport subsystem. An
issue with this fix may lead to incorrect handling of MST topology
management and resource allocation. A user might experience problems
such as unexpected crashes when connecting or disconnecting MST-capable
monitors and failure to properly detect or configure daisy-chained
displays.
Imre Deak (1):
  drm/dp_mst: Ensure mst_primary pointer is valid in
    drm_dp_mst_handle_up_req()

Wayne Lin (1):
  drm/dp_mst: Skip CSN if topology probing is not done yet

 drivers/gpu/drm/drm_dp_mst_topology.c | 31 +++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
--
2.43.0
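
The pattern the [Impact] text describes (pin mst_primary with a reference before using it, so a concurrent teardown cannot free it mid-handler) as a userspace model. This is an added example, not code from the patch or from the kernel; every struct and function name in it is hypothetical, and the racing thread is replayed deterministically with a flag instead of a real second thread.

```c
#include <pthread.h>
#include <stdlib.h>

/* Userspace model; all names here are hypothetical, not the kernel's. */
struct branch { int refcount; int lct; };   /* stands in for mst_primary */
struct mgr { pthread_mutex_t lock; struct branch *mst_primary; int freed; };

static struct mgr *mgr_new(int lct) {
    struct mgr *m = calloc(1, sizeof(*m));
    m->mst_primary = calloc(1, sizeof(*m->mst_primary));
    pthread_mutex_init(&m->lock, NULL);
    /* refcount 1 is the manager's own reference */
    *m->mst_primary = (struct branch){ .refcount = 1, .lct = lct };
    return m;
}

static void branch_put(struct mgr *m, struct branch *b) {
    pthread_mutex_lock(&m->lock);
    if (--b->refcount == 0) { free(b); m->freed++; }
    pthread_mutex_unlock(&m->lock);
}

/* Pin the primary branch under the lock; NULL if the topology is gone. */
static struct branch *primary_get(struct mgr *m) {
    pthread_mutex_lock(&m->lock);
    struct branch *b = m->mst_primary;
    if (b) b->refcount++;
    pthread_mutex_unlock(&m->lock);
    return b;
}

/* Models set_mst(false): clear the pointer, drop the manager's reference. */
static void topology_disable(struct mgr *m) {
    pthread_mutex_lock(&m->lock);
    struct branch *b = m->mst_primary;
    m->mst_primary = NULL;
    pthread_mutex_unlock(&m->lock);
    if (b) branch_put(m, b);
}

/* Models the up-request handler; teardown_midway replays the racing thread. */
static int handle_up_req(struct mgr *m, int teardown_midway) {
    struct branch *b = primary_get(m);
    if (!b) return -1;                 /* topology removed: drop the message */
    if (teardown_midway) topology_disable(m);  /* pointer NULL, b still pinned */
    int lct = b->lct;                  /* safe: our reference keeps b alive */
    branch_put(m, b);                  /* last reference frees b here */
    return lct;
}

int main(void) { struct mgr *m = mgr_new(1); return handle_up_req(m, 1) == 1 ? 0 : 1; }
```

Without the reference taken in primary_get(), the read of b->lct after the simulated teardown would touch freed memory, which is the use-after-free the cover letter describes.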