Updated: 2025-11-10 03:08:45.872526
Description:

In the Linux kernel, the following vulnerability has been resolved:

drm/dp_mst: Fix resetting msg rx state after topology removal

If the MST topology is removed during the reception of an MST down reply or MST up request sideband message, the drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with the reading/parsing of the message from another thread via drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req().

The race is possible since the reader/parser doesn't hold any lock while accessing the reception state. This in turn can lead to a memory corruption in the reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check").

Fix the above by resetting the message reception state if needed before reading/parsing a message. Another solution would be to hold the drm_dp_mst_topology_mgr::lock for the whole duration of the message reception/parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), however this would require a bigger change. Since the fix is also needed for stable, opting for the simpler solution in this patch.

Links: NIST | CIRCL | RHEL | Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | HIGH | 7.0 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.0 | HIGH | Released | CLSA-2025:1760546935 | 2025-10-15 21:25:29 | Ignored due to low severity |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.0 | HIGH | Needs Triage | | 2025-09-28 21:06:51 | Ignored due to low severity |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.0 | HIGH | Needs Triage | | 2025-09-28 21:06:52 | Ignored due to low severity |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.0 | HIGH | Released | CLSA-2025:1763722365 | 2026-02-07 22:58:01 | Ignored due to low severity |