drm/dp_mst: Fix down request message timeout handling

If receiving a reply for an MST down request message times out, the
thread receiving the reply in drm_dp_mst_handle_down_rep() could try to
dereference the drm_dp_sideband_msg_tx txmsg request message after the
thread waiting for the reply - calling drm_dp_mst_wait_tx_reply() - has
timed out and freed txmsg, hence leading to a use-after-free in
drm_dp_mst_handle_down_rep().

Prevent the above by holding the drm_dp_mst_topology_mgr::qlock in
drm_dp_mst_handle_down_rep() for the whole duration txmsg is looked up
from the request list and dereferenced.

v2: Fix unlocking mgr->qlock after verify_rx_request_type() fails.

Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241203174632.2941402-1-imre.deak@intel.com

diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index 6ec8680998d5aa738496e4ca37774573752befb0..ab21855d5c0f7fa696dd3e1917b5e639df47f715 100644 (file)
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -3984,9 +3984,9 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
 
        /* find the message */
        mutex_lock(&mgr->qlock);
+
        txmsg = list_first_entry_or_null(&mgr->tx_msg_downq,
                                         struct drm_dp_sideband_msg_tx, next);
-       mutex_unlock(&mgr->qlock);
 
        /* Were we actually expecting a response, and from this mstb? */
        if (!txmsg || txmsg->dst != mstb) {
@@ -3995,11 +3995,17 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
                hdr = &msg->initial_hdr;
                drm_dbg_kms(mgr->dev, "Got MST reply with no msg %p %d %d %02x %02x\n",
                            mstb, hdr->seqno, hdr->lct, hdr->rad[0], msg->msg[0]);
+
+               mutex_unlock(&mgr->qlock);
+
                goto out_clear_reply;
        }
 
-       if (!verify_rx_request_type(mgr, txmsg, msg))
+       if (!verify_rx_request_type(mgr, txmsg, msg)) {
+               mutex_unlock(&mgr->qlock);
+
                goto out_clear_reply;
+       }
 
        drm_dp_sideband_parse_reply(mgr, msg, &txmsg->reply);
 
@@ -4013,9 +4019,9 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
                            txmsg->reply.u.nak.nak_data);
        }
 
-       mutex_lock(&mgr->qlock);
        txmsg->state = DRM_DP_SIDEBAND_TX_RX;
        list_del(&txmsg->next);
+
        mutex_unlock(&mgr->qlock);
 
        wake_up_all(&mgr->tx_waitq);