APPLIED: [SRU][J 0/2][N 0/1][PATCH] CVE-2024-57798

Koichiro Den koichiro.den at canonical.com
Fri Feb 28 03:20:41 UTC 2025


On Mon, Feb 24, 2025 at 04:17:59PM GMT, Massimiliano Pellizzer wrote:
> [Impact]
> 
> drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()
> 
> While receiving an MST up request message from one thread in
> drm_dp_mst_handle_up_req(), the MST topology could be removed from
> another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
> mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
> This could lead to a NULL deref/use-after-free of mst_primary in
> drm_dp_mst_handle_up_req().
> 
> Avoid the above by holding a reference for mst_primary in
> drm_dp_mst_handle_up_req() while it's used.
> 
> [Fix]
> 
> Oracular: Fixed via upstream stable updates (LP: #2097531)
> Noble: Cherry picked from mainline
> Jammy: Cherry picked both a prereq and the fix commit from mainline
> Focal: Not affected
> 
> [Test case]
> 
> Compile and boot tested.
> Verified that the interested drm modules load correctly on both
> amd64 and arm64.
> 
> [Where problems could occur]
> 
> The fix affects the display port multi-stream transport subsystem. An
> issue with this fix may lead to incorrect handling of MST topology
> management and resource allocation. A user might experience problems
> such as unexpected crashes when connecting or disconnecting MST-capable
> monitors and failure to properly detect or configure daisy-chained
> displays. 
> 
> 
> Imre Deak (1):
>   drm/dp_mst: Ensure mst_primary pointer is valid in
>     drm_dp_mst_handle_up_req()
> 
> Wayne Lin (1):
>   drm/dp_mst: Skip CSN if topology probing is not done yet
> 
>  drivers/gpu/drm/drm_dp_mst_topology.c | 31 +++++++++++++++++++++++----
>  1 file changed, 27 insertions(+), 4 deletions(-)
> 

Applied to noble:linux, jammy:linux master-next branches. Thanks!
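
The pattern the quoted [Impact] text describes (check the pointer and take a reference under the manager's lock, then use the object), as an added userspace example that is not the kernel patch or code from anyone in this thread. `struct mgr`, `struct branch` and every function name are hypothetical, and the concurrent teardown is replayed inline instead of from a second thread.

```c
/* Userspace model, added example: all names are hypothetical, not the kernel's. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

struct branch { atomic_int refs; int id; };
struct mgr { pthread_mutex_t lock; struct branch *primary; };
static int freed_count; /* lets a caller check the object was freed exactly once */

static void mgr_init(struct mgr *m, int id) {
    pthread_mutex_init(&m->lock, NULL);
    if (!(m->primary = malloc(sizeof(*m->primary)))) abort();
    atomic_init(&m->primary->refs, 1); /* the manager's own reference */
    m->primary->id = id;
}
static void branch_put(struct branch *b) {
    if (atomic_fetch_sub(&b->refs, 1) != 1) return; /* others still hold it */
    free(b);
    freed_count++;
}
/* Reader: the NULL check and the reference grab happen under one lock hold. */
static struct branch *mgr_get_primary(struct mgr *m) {
    pthread_mutex_lock(&m->lock);
    struct branch *b = m->primary;
    if (b) atomic_fetch_add(&b->refs, 1);
    pthread_mutex_unlock(&m->lock);
    return b; /* NULL: topology already removed */
}
/* Teardown: clear the pointer under the lock, then drop the manager's reference. */
static void mgr_teardown(struct mgr *m) {
    pthread_mutex_lock(&m->lock);
    struct branch *b = m->primary;
    m->primary = NULL;
    pthread_mutex_unlock(&m->lock);
    if (b) branch_put(b);
}
/* Handler: race_teardown replays the other thread's removal at the worst moment. */
static int handle_up_req(struct mgr *m, int race_teardown) {
    struct branch *b = mgr_get_primary(m);
    if (!b) return -1;
    if (race_teardown) mgr_teardown(m);
    int id = b->id; /* safe: our reference keeps the object alive */
    branch_put(b);  /* frees here if teardown already dropped its reference */
    return id;
}

int main(void) {
    struct mgr m;
    mgr_init(&m, 7);
    return handle_up_req(&m, 1) == 7 ? 0 : 1;
}
```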


