git.ipfire.org Git - thirdparty/linux.git/commit

author	Imre Deak <imre.deak@intel.com>
	Tue, 3 Dec 2024 17:46:32 +0000 (19:46 +0200)
committer	Imre Deak <imre.deak@intel.com>
	Thu, 5 Dec 2024 14:19:09 +0000 (16:19 +0200)
commit	3f611855031f94385c2eeb32b1f99dd7a9fa566b
tree	b8d8e88a9f600e10e2f3007c85ed907f5f3be18f	tree
parent	b559b68d2761739b7c2e44d6fa59092b0d03e9ed	commit \| diff

drm/dp_mst: Fix down request message timeout handling

If receiving a reply for an MST down request message times out, the
thread receiving the reply in drm_dp_mst_handle_down_rep() could try to
dereference the drm_dp_sideband_msg_tx txmsg request message after the
thread waiting for the reply - calling drm_dp_mst_wait_tx_reply() - has
timed out and freed txmsg, hence leading to a use-after-free in
drm_dp_mst_handle_down_rep().

Prevent the above by holding the drm_dp_mst_topology_mgr::qlock in
drm_dp_mst_handle_down_rep() for the whole duration txmsg is looked up
from the request list and dereferenced.

v2: Fix unlocking mgr->qlock after verify_rx_request_type() fails.

Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241203174632.2941402-1-imre.deak@intel.com