cve/published/2022/CVE-2022-48898.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48898: drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

 There are 3 possible interrupt sources are handled by DP controller,
 HPDstatus, Controller state changes and Aux read/write transaction.
 At every irq, DP controller have to check isr status of every interrupt
 sources and service the interrupt if its isr status bits shows interrupts
 are pending. There is potential race condition may happen at current aux
 isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
 even irq is not for aux read or write transaction. This may cause aux read
 transaction return premature if host aux data read is in the middle of
 waiting for sink to complete transferring data to host while irq happen.
 This will cause host's receiving buffer contains unexpected data. This
 patch fixes this problem by checking aux isr and return immediately at
 aux isr handler if there are no any isr status bits set.

 Current there is a bug report regrading eDP edid corruption happen during
 system booting up. After lengthy debugging to found that VIDEO_READY
 interrupt was continuously firing during system booting up which cause
 dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
 from aux hardware buffer which is not yet contains complete data transfer
 from sink. This cause edid corruption.

 Follows are the signature at kernel logs when problem happen,
 EDID has corrupt header
 panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID

 Changes in v2:
 -- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
 -- add more commit text

 Changes in v3:
 -- add Stephen suggested
 -- dp_aux_isr() return IRQ_XXX back to caller
 -- dp_ctrl_isr() return IRQ_XXX back to caller

 Changes in v4:
 -- split into two patches

 Changes in v5:
 -- delete empty line between tags

 Changes in v6:
 -- remove extra "that" and fixed line more than 75 char at commit text

 Patchwork: https://patchwork.freedesktop.org/patch/516121/

 The Linux kernel CVE team has assigned CVE-2022-48898 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 5.10.164 with commit 785607e5e6fb52caf141e4580de40405565f04f1
 	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 5.15.89 with commit 984ad875db804948c86ca9e1c2e784ae8252715a
 	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 6.1.7 with commit b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59
 	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 6.2 with commit 1cba0d150fa102439114a91b3e215909efc9f169

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48898
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/msm/dp/dp_aux.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1
 	https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a
 	https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59
 	https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48898: drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

	There are 3 possible interrupt sources are handled by DP controller,
	HPDstatus, Controller state changes and Aux read/write transaction.
	At every irq, DP controller have to check isr status of every interrupt
	sources and service the interrupt if its isr status bits shows interrupts
	are pending. There is potential race condition may happen at current aux
	isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
	even irq is not for aux read or write transaction. This may cause aux read
	transaction return premature if host aux data read is in the middle of
	waiting for sink to complete transferring data to host while irq happen.
	This will cause host's receiving buffer contains unexpected data. This
	patch fixes this problem by checking aux isr and return immediately at
	aux isr handler if there are no any isr status bits set.

	Current there is a bug report regrading eDP edid corruption happen during
	system booting up. After lengthy debugging to found that VIDEO_READY
	interrupt was continuously firing during system booting up which cause
	dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
	from aux hardware buffer which is not yet contains complete data transfer
	from sink. This cause edid corruption.

	Follows are the signature at kernel logs when problem happen,
	EDID has corrupt header
	panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID

	Changes in v2:
	-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
	-- add more commit text

	Changes in v3:
	-- add Stephen suggested
	-- dp_aux_isr() return IRQ_XXX back to caller
	-- dp_ctrl_isr() return IRQ_XXX back to caller

	Changes in v4:
	-- split into two patches

	Changes in v5:
	-- delete empty line between tags

	Changes in v6:
	-- remove extra "that" and fixed line more than 75 char at commit text

	Patchwork: https://patchwork.freedesktop.org/patch/516121/

	The Linux kernel CVE team has assigned CVE-2022-48898 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 5.10.164 with commit 785607e5e6fb52caf141e4580de40405565f04f1
	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 5.15.89 with commit 984ad875db804948c86ca9e1c2e784ae8252715a
	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 6.1.7 with commit b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59
	Issue introduced in 5.10 with commit c943b4948b5848fc0e07f875edbd35a973879e22 and fixed in 6.2 with commit 1cba0d150fa102439114a91b3e215909efc9f169

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48898
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/msm/dp/dp_aux.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1
	https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a
	https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59
	https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169