Linux Kernel DRM Bridge Atomic Check Vulnerability in Downstream Display Pipeline

Vulnerability

A vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the Qualcomm MSM graphics driver, can lead to a kernel panic. The issue arises when a user space display manager sends a screen update just before closing the DRM device, causing the 'crtc->active' state to be incorrectly set. When the device is closed, the 'commit_tails()' function, called by 'drm_release()', fails to properly disable the downstream display pipeline, leading to a crash. The vulnerability affects several versions of the Linux kernel, including 5.19.0-stb-cbq. It has been addressed by adding an atomic check to the bridge operations, which prevents the premature screen update and ensures the pipeline is correctly managed.

Impact

The vulnerability causes a kernel panic, disrupting the normal operation of the system and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by issuing a screen update through the user space display manager, immediately followed by closing the DRM device while the downstream display interface is disabled. This sequence causes the 'crtc->active' state to be incorrectly set, which is not properly cleared before the device is released, leading to a crash when the 'dp_bridge_disable()' function attempts to access a disabled display link.
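
The sequence above and the effect of the added check can be followed in a small user-space model. This is an added illustration, not code from the kernel or the MSM driver: the struct, the function names and the use of -ENOTCONN as the rejection code are assumptions, and -EFAULT stands in for the kernel panic.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not the msm driver's. */
struct pipeline {
    bool link_ready;   /* downstream display interface is enabled */
    bool crtc_active;  /* stands in for crtc->active */
    bool has_check;    /* true models a kernel with the bridge atomic check */
};

/* Check step: refuse a state that activates the CRTC over a disabled link. */
static int bridge_atomic_check(const struct pipeline *p, bool want_active)
{
    return (want_active && !p->link_ready) ? -ENOTCONN : 0;
}

/* Screen update sent by the display manager. */
int commit_update(struct pipeline *p)
{
    if (p->has_check) {
        int ret = bridge_atomic_check(p, true);
        if (ret)
            return ret;          /* update rejected, crtc_active untouched */
    }
    p->crtc_active = true;
    return 0;
}

/* Device close: tear down only what is marked active.
 * -EFAULT stands in for the panic on touching a disabled link. */
int release_device(struct pipeline *p)
{
    if (!p->crtc_active)
        return 0;
    p->crtc_active = false;
    if (!p->link_ready)
        return -EFAULT;
    p->link_ready = false;
    return 0;
}

int main(void)
{
    struct pipeline old = { false, false, false }, fixed = { false, false, true };
    int c_old = commit_update(&old), c_fixed = commit_update(&fixed);
    printf("no check: commit=%d release=%d\n", c_old, release_device(&old));
    printf("check:    commit=%d release=%d\n", c_fixed, release_device(&fixed));
    return 0;
}
```

Without the check, the update is accepted and the release path fails on the disabled link. With it, the update is rejected up front and the release has nothing to tear down.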

Remediation

Users can upgrade to the patched version of the Linux kernel available in the official Linux kernel stable tree.

Added: Sep 18, 2025, 3:34 PM
Updated: Sep 18, 2025, 3:34 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.