Imre Deak

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns a problem with the MST sideband message body length check in the Linux kernel, which must be at least 1 byte accounting for the message body CRC at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC, with the body length being incorrectly set to 0, leading to memory corruption in `drm dp sideband append payload()` and resulting in errors such as `UBSAN: array-index-out-of-bounds` and `memcpy: detected field-spanning write`. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider restricting access to the `drm dp sideband append payload()` function until a patch is available. Avoid using the `msg` variable in the affected API endpoint until the issue is resolved. At the moment, there is no other information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.52 **Description** The issue is related to a missing bridge lock in the `pci bus lock()` function, which can cause unlocked secondary bus resets. This is identified by the `cfg access lock` lockdep effort. The problem arises when `pci reset bus()` users trigger these unlocked resets, while `pci bus reset()` locks everything except the bridge itself. To fix this, a `pci dev lock()` is added for `@bus->self` to `pci bus lock()`, similar to the fix applied to `pci reset function()` for "bus" and "cxl bus" reset cases. **Recommendations** Update to Linux kernel version 6.6.52 or later to resolve the issue.