Commit 3f61185

drm/dp_mst: Fix down request message timeout handling
If receiving a reply for an MST down request message times out, the thread receiving the reply in drm_dp_mst_handle_down_rep() could try to dereference the drm_dp_sideband_msg_tx txmsg request message after the thread waiting for the reply - calling drm_dp_mst_wait_tx_reply() - has timed out and freed txmsg, hence leading to a use-after-free in drm_dp_mst_handle_down_rep().

Prevent the above by holding the drm_dp_mst_topology_mgr::qlock in drm_dp_mst_handle_down_rep() for the whole duration txmsg is looked up from the request list and dereferenced.

v2: Fix unlocking mgr->qlock after verify_rx_request_type() fails.

Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241203174632.2941402-1-imre.deak@intel.com
1 parent b559b68 commit 3f61185

1 file changed

+9
-3
lines changed


drivers/gpu/drm/display/drm_dp_mst_topology.c

Lines changed: 9 additions & 3 deletions
@@ -3984,9 +3984,9 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
39843984

39853985
/* find the message */
39863986
mutex_lock(&mgr->qlock);
3987+
39873988
txmsg = list_first_entry_or_null(&mgr->tx_msg_downq,
39883989
struct drm_dp_sideband_msg_tx, next);
3989-
mutex_unlock(&mgr->qlock);
39903990

39913991
/* Were we actually expecting a response, and from this mstb? */
39923992
if (!txmsg || txmsg->dst != mstb) {
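Review bot: dropping the `mutex_unlock(&mgr->qlock);` right after the `list_first_entry_or_null()` lookup is the core of the fix, because the `txmsg->dst != mstb` dereference in the trailing context now runs under qlock and the waiter in drm_dp_mst_wait_tx_reply() can no longer free txmsg between the lookup and the dereference; the cost is that every path leaving the function from here until the unlock near the tail must now release qlock itself, so the `goto out_clear_reply` in this branch needs a matching unlock (the following hunk adds it, but nothing in this hunk shows that). A short comment at the lock site, e.g. `/* qlock held until txmsg is delisted below */`, would make the widened critical section visible to the next person touching this function.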
@@ -3995,11 +3995,17 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
39953995
hdr = &msg->initial_hdr;
39963996
drm_dbg_kms(mgr->dev, "Got MST reply with no msg %p %d %d %02x %02x\n",
39973997
mstb, hdr->seqno, hdr->lct, hdr->rad[0], msg->msg[0]);
3998+
3999+
mutex_unlock(&mgr->qlock);
4000+
39984001
goto out_clear_reply;
39994002
}
40004003

4001-
if (!verify_rx_request_type(mgr, txmsg, msg))
4004+
if (!verify_rx_request_type(mgr, txmsg, msg)) {
4005+
mutex_unlock(&mgr->qlock);
4006+
40024007
goto out_clear_reply;
4008+
}
40034009

40044010
drm_dp_sideband_parse_reply(mgr, msg, &txmsg->reply);
40054011

@@ -4013,9 +4019,9 @@ static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr)
40134019
txmsg->reply.u.nak.nak_data);
40144020
}
40154021

4016-
mutex_lock(&mgr->qlock);
40174022
txmsg->state = DRM_DP_SIDEBAND_TX_RX;
40184023
list_del(&txmsg->next);
4024+
40194025
mutex_unlock(&mgr->qlock);
40204026

40214027
wake_up_all(&mgr->tx_waitq);
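Review bot: removing the second `mutex_lock(&mgr->qlock);` here is required now that the lock is taken once at the lookup and held through, so the `txmsg->state = DRM_DP_SIDEBAND_TX_RX;` and `list_del(&txmsg->next);` updates stay inside the same critical section as the lookup and dereferences; keeping `mutex_unlock(&mgr->qlock);` ahead of `wake_up_all(&mgr->tx_waitq);` is also right, since waking the waiter while still holding qlock would only make it block on the lock it needs to inspect txmsg->state. The blank line added at 4024 is whitespace-only; either drop it or apply the same spacing before the other unlock sites in the function so the style is consistent.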
