{"id":"CVE-2024-26607","summary":"drm/bridge: sii902x: Fix probing race issue","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: sii902x: Fix probing race issue\n\nA null pointer dereference crash has been observed rarely on TI\nplatforms using sii9022 bridge:\n\n[   53.271356]  sii902x_get_edid+0x34/0x70 [sii902x]\n[   53.276066]  sii902x_bridge_get_edid+0x14/0x20 [sii902x]\n[   53.281381]  drm_bridge_get_edid+0x20/0x34 [drm]\n[   53.286305]  drm_bridge_connector_get_modes+0x8c/0xcc [drm_kms_helper]\n[   53.292955]  drm_helper_probe_single_connector_modes+0x190/0x538 [drm_kms_helper]\n[   53.300510]  drm_client_modeset_probe+0x1f0/0xbd4 [drm]\n[   53.305958]  __drm_fb_helper_initial_config_and_unlock+0x50/0x510 [drm_kms_helper]\n[   53.313611]  drm_fb_helper_initial_config+0x48/0x58 [drm_kms_helper]\n[   53.320039]  drm_fbdev_dma_client_hotplug+0x84/0xd4 [drm_dma_helper]\n[   53.326401]  drm_client_register+0x5c/0xa0 [drm]\n[   53.331216]  drm_fbdev_dma_setup+0xc8/0x13c [drm_dma_helper]\n[   53.336881]  tidss_probe+0x128/0x264 [tidss]\n[   53.341174]  platform_probe+0x68/0xc4\n[   53.344841]  really_probe+0x188/0x3c4\n[   53.348501]  __driver_probe_device+0x7c/0x16c\n[   53.352854]  driver_probe_device+0x3c/0x10c\n[   53.357033]  __device_attach_driver+0xbc/0x158\n[   53.361472]  bus_for_each_drv+0x88/0xe8\n[   53.365303]  __device_attach+0xa0/0x1b4\n[   53.369135]  device_initial_probe+0x14/0x20\n[   53.373314]  bus_probe_device+0xb0/0xb4\n[   53.377145]  deferred_probe_work_func+0xcc/0x124\n[   53.381757]  process_one_work+0x1f0/0x518\n[   53.385770]  worker_thread+0x1e8/0x3dc\n[   53.389519]  kthread+0x11c/0x120\n[   53.392750]  ret_from_fork+0x10/0x20\n\nThe issue here is as follows:\n\n- tidss probes, but is deferred as sii902x is still missing.\n- sii902x starts probing and enters sii902x_init().\n- sii902x calls drm_bridge_add(). Now the sii902x bridge is ready from\n  DRM's perspective.\n- sii902x calls sii902x_audio_codec_init() and\n  platform_device_register_data()\n- The registration of the audio platform device causes probing of the\n  deferred devices.\n- tidss probes, which eventually causes sii902x_bridge_get_edid() to be\n  called.\n- sii902x_bridge_get_edid() tries to use the i2c to read the edid.\n  However, the sii902x driver has not set up the i2c part yet, leading\n  to the crash.\n\nFix this by moving the drm_bridge_add() to the end of the\nsii902x_init(), which is also at the very end of sii902x_probe().","modified":"2026-04-02T10:04:56.362650Z","published":"2024-02-29T11:47:26.439Z","related":["SUSE-SU-2024:0855-1","SUSE-SU-2024:0856-1","SUSE-SU-2024:0857-1","SUSE-SU-2024:0900-1","SUSE-SU-2024:0900-2","SUSE-SU-2024:0926-1","SUSE-SU-2024:0977-1","SUSE-SU-2024:1466-1","SUSE-SU-2024:1480-1","USN-6818-2","USN-6819-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26607.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/08ac6f132dd77e40f786d8af51140c96c6d739c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a4c6af7934a7b4c304542c38fee35e09cc1770c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/56f96cf6eb11a1c2d594367c3becbfb06a855ec1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0f83c234ea7a3dec1f84e5d02caa1c51664a076"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26607.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26607"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"21d808405fe49028036932dd969920f4fee4f481"},{"fixed":"e0f83c234ea7a3dec1f84e5d02caa1c51664a076"},{"fixed":"56f96cf6eb11a1c2d594367c3becbfb06a855ec1"},{"fixed":"2a4c6af7934a7b4c304542c38fee35e09cc1770c"},{"fixed":"08ac6f132dd77e40f786d8af51140c96c6d739c9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26607.json"}}],"schema_version":"1.7.5"}