[SRU][F][PATCH v2 0/3] CVE-2024-23848

Jacob Martin jacob.martin at canonical.com
Mon Jan 13 17:10:54 UTC 2025


[Impact]

A use-after-free vulnerability in the Linux kernel's HDMI CEC framework could
potentially lead to denial of service or arbitrary code execution. This is
resolved by a series of patches that improve the status tracking of CEC data
transmission and use proper locking where necessary.

[Fix]

The following upstream patches are sufficient to resolve this issue:
9fe2816816a3 ("media: cec: cec-adap: always cancel work in cec_transmit_msg_fh")
42bcaacae924 ("media: cec: cec-api: add locking in cec_release()")
47c82aac10a6 ("media: cec: core: avoid recursive cec_claim_log_addrs")
cbe499977bc3 ("media: cec: core: avoid confusing "transmit timed out" message")

The contents of upstream commits 9fe2816816a3 and 42bcaacae924 are already
present in Focal via stable updates.

Noble: Fix released
Jammy: Fix released
Focal: Backport from mainline
Bionic: Patch sent to ESM list
Xenial: Not affected
Trusty: Not affected

[Test Case]

Compile tested.

[Where issues could occur]

These changes affect the kernel's HDMI-CEC framework. Issues with this fix
would manifest as issues with drivers using this framework, which could result
in HDMI display output issues or issues with CEC communication.

v2:
- Fix "media: cec: abort if the current transmit was canceled" backport to
include these lines
```
	if (adap->transmitting)
		cec_data_cancel(adap->transmitting, CEC_TX_STATUS_ABORTED);
```
in __cec_s_phys_addr.
- Match upstream, only set `adap->transmit_in_progress_aborted = false;` in the
de-init case of __cec_s_phys_addr.

Hans Verkuil (3):
  media: cec: abort if the current transmit was canceled
  media: cec: core: avoid recursive cec_claim_log_addrs
  media: cec: core: avoid confusing "transmit timed out" message

 drivers/media/cec/cec-adap.c | 35 ++++++++++++++++++++++++++++++-----
 drivers/media/cec/cec-api.c  |  2 +-
 include/media/cec.h          |  2 ++
 3 files changed, 33 insertions(+), 6 deletions(-)

-- 
2.43.0



