CVE-2024-26607

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 29/02/2024
Last modified: 09/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: sii902x: Fix probing race issue

A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge:

[ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x]
[ 53.276066] sii902x_bridge_get_edid+0x14/0x20 [sii902x]
[ 53.281381] drm_bridge_get_edid+0x20/0x34 [drm]
[ 53.286305] drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]
[ 53.292955] drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]
[ 53.300510] drm_client_modeset_probe+0x1f0/0xbd4 [drm]
[ 53.305958] __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]
[ 53.313611] drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]
[ 53.320039] drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]
[ 53.326401] drm_client_register+0x5c/0xa0 [drm]
[ 53.331216] drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]
[ 53.336881] tidss_probe+0x128/0x264 [tidss]
[ 53.341174] platform_probe+0x68/0xc4
[ 53.344841] really_probe+0x188/0x3c4
[ 53.348501] __driver_probe_device+0x7c/0x16c
[ 53.352854] driver_probe_device+0x3c/0x10c
[ 53.357033] __device_attach_driver+0xbc/0x158
[ 53.361472] bus_for_each_drv+0x88/0xe8
[ 53.365303] __device_attach+0xa0/0x1b4
[ 53.369135] device_initial_probe+0x14/0x20
[ 53.373314] bus_probe_device+0xb0/0xb4
[ 53.377145] deferred_probe_work_func+0xcc/0x124
[ 53.381757] process_one_work+0x1f0/0x518
[ 53.385770] worker_thread+0x1e8/0x3dc
[ 53.389519] kthread+0x11c/0x120
[ 53.392750] ret_from_fork+0x10/0x20

The issue here is as follows:

- tidss probes, but is deferred as sii902x is still missing.
- sii902x starts probing and enters sii902x_init().
- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from DRM's perspective.
- sii902x calls sii902x_audio_codec_init() and platform_device_register_data()
- The registration of the audio platform device causes probing of the deferred devices.
- tidss probes, which eventually causes sii902x_bridge_get_edid() to be called.
- sii902x_bridge_get_edid() tries to use the i2c to read the edid. However, the sii902x driver has not set up the i2c part yet, leading to the crash.

Fix this by moving the drm_bridge_add() to the end of the sii902x_init(), which is also at the very end of sii902x_probe().
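
The ordering problem described above, as an added user-space model that is not the kernel driver's code: an object is published to consumers before the resource its callback needs exists, and an intermediate registration step wakes a deferred consumer. All names (struct bridge, run_probe, retry_deferred_probes and so on) are hypothetical stand-ins, and the model returns -1 where the driver would dereference NULL.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed user-space model; every name here is hypothetical, not a kernel API. */
struct i2c_chan { int ready; };
struct bridge {
    struct i2c_chan *i2c;               /* set up late in init, as in the description */
    int (*get_edid)(struct bridge *);
};

static struct bridge *published;        /* stands in for DRM's list of added bridges */
static int consumer_deferred;           /* display driver waiting for the bridge */
static int consumer_result;             /* 0 = not run, 1 = EDID read, -1 = NULL i2c hit */

static int model_get_edid(struct bridge *b)
{
    if (b->i2c == NULL)                 /* the driver on the page crashes at this point */
        return -1;
    return b->i2c->ready ? 1 : -1;
}

/* Any device registration or completed probe re-runs deferred probes. */
static void retry_deferred_probes(void)
{
    if (consumer_deferred && published != NULL) {
        consumer_deferred = 0;
        consumer_result = published->get_edid(published);
    }
}

/* publish_early = 1 models the pre-fix order, 0 the fixed order. */
static int run_probe(int publish_early)
{
    static struct i2c_chan chan = { 1 };
    static struct bridge b;
    b.i2c = NULL; b.get_edid = model_get_edid;
    published = NULL; consumer_deferred = 1; consumer_result = 0;
    if (publish_early) published = &b;  /* bridge visible before i2c exists */
    retry_deferred_probes();            /* audio platform device registered */
    b.i2c = &chan;                      /* i2c part finally set up */
    if (!publish_early) published = &b; /* fix: publish as the last step */
    retry_deferred_probes();            /* driver core after probe returns */
    return consumer_result;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", run_probe(1), run_probe(0));
    return 0;
}
```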

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0 (including) 6.1.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*