In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: sii902x: Fix probing race issue
A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge:
[ 53.271356] sii902xgetedid+0x34/0x70 [sii902x] [ 53.276066] sii902xbridgegetedid+0x14/0x20 [sii902x] [ 53.281381] drmbridgegetedid+0x20/0x34 [drm] [ 53.286305] drmbridgeconnectorgetmodes+0x8c/0xcc [drmkmshelper] [ 53.292955] drmhelperprobesingleconnectormodes+0x190/0x538 [drmkmshelper] [ 53.300510] drmclientmodesetprobe+0x1f0/0xbd4 [drm] [ 53.305958] _drmfbhelperinitialconfigandunlock+0x50/0x510 [drmkmshelper] [ 53.313611] drmfbhelperinitialconfig+0x48/0x58 [drmkmshelper] [ 53.320039] drmfbdevdmaclienthotplug+0x84/0xd4 [drmdmahelper] [ 53.326401] drmclientregister+0x5c/0xa0 [drm] [ 53.331216] drmfbdevdmasetup+0xc8/0x13c [drmdmahelper] [ 53.336881] tidssprobe+0x128/0x264 [tidss] [ 53.341174] platformprobe+0x68/0xc4 [ 53.344841] reallyprobe+0x188/0x3c4 [ 53.348501] _driverprobedevice+0x7c/0x16c [ 53.352854] driverprobedevice+0x3c/0x10c [ 53.357033] _deviceattachdriver+0xbc/0x158 [ 53.361472] busforeachdrv+0x88/0xe8 [ 53.365303] _deviceattach+0xa0/0x1b4 [ 53.369135] deviceinitialprobe+0x14/0x20 [ 53.373314] busprobedevice+0xb0/0xb4 [ 53.377145] deferredprobeworkfunc+0xcc/0x124 [ 53.381757] processonework+0x1f0/0x518 [ 53.385770] workerthread+0x1e8/0x3dc [ 53.389519] kthread+0x11c/0x120 [ 53.392750] retfromfork+0x10/0x20
The issue here is as follows:
Fix this by moving the drmbridgeadd() to the end of the sii902xinit(), which is also at the very end of sii902xprobe().