CVE-2024-57798

While receiving an MST up request message from one thread in drmdpmsthandleupreq(), the MST topology could be removed from another thread via drmdpmsttopologymgrsetmst(false), freeing mstprimary and setting drmdpmsttopologymgr::mstprimary to NULL. This could lead to a NULL deref/use-after-free of mstprimary in drmdpmsthandleup_req().

Avoid the above by holding a reference for mstprimary in drmdpmsthandleupreq() while it's used.

v2: Fix kfreeing the request if getting an mst_primary reference fails.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57798.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9408cc94eb041d0c2f9f00189a613b94c0449450

Fixed

f61b2e5e7821f868d6afc22382a66a30ee780ba0

Fixed

9735d40f5fde9970aa46e828ecc85c32571d58a2

Fixed

ce55818b2d3a999f886af91679589e4644ff1dc8

Fixed

e54b00086f7473dbda1a7d6fc47720ced157c6a8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57798.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

6.1.123

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.69

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57798.json"