fkie_cve-2022-50560
Vulnerability from fkie_nvd
Published: 2025-10-22 14:15
Modified: 2025-10-22 21:12
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/meson: explicitly remove aggregate driver at module unload time

Because component_master_del wasn't being called when unloading the
meson_drm module, the aggregate device would linger forever in the global
aggregate_devices list. That means when unloading and reloading the
meson_dw_hdmi module, component_add would call into
try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate
device.

This would in turn dereference some of the aggregate_device's struct
entries which point to memory automatically freed by the devres API when
unbinding the aggregate device from meson_drv_unbind, and trigger a
use-after-free bug:

[ +0.000014] =============================================================
[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500
[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536
[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000005] dump_backtrace+0x1ec/0x280
[ +0.000011] show_stack+0x24/0x80
[ +0.000007] dump_stack_lvl+0x98/0xd4
[ +0.000010] print_address_description.constprop.0+0x80/0x520
[ +0.000011] print_report+0x128/0x260
[ +0.000007] kasan_report+0xb8/0xfc
[ +0.000007] __asan_report_load8_noabort+0x3c/0x50
[ +0.000009] find_components+0x468/0x500
[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390
[ +0.000009] __component_add+0x1dc/0x49c
[ +0.000009] component_add+0x20/0x30
[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]
[ +0.000013] platform_probe+0xd0/0x220
[ +0.000008] really_probe+0x3ac/0xa80
[ +0.000008] __driver_probe_device+0x1f8/0x400
[ +0.000008] driver_probe_device+0x68/0x1b0
[ +0.000008] __driver_attach+0x20c/0x480
[ +0.000009] bus_for_each_dev+0x114/0x1b0
[ +0.000007] driver_attach+0x48/0x64
[ +0.000009] bus_add_driver+0x390/0x564
[ +0.000007] driver_register+0x1a8/0x3e4
[ +0.000009] __platform_driver_register+0x6c/0x94
[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]
[ +0.000014] do_one_initcall+0xc4/0x2b0
[ +0.000008] do_init_module+0x154/0x570
[ +0.000010] load_module+0x1a78/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000008] __arm64_sys_init_module+0x78/0xb0
[ +0.000008] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000008] el0_svc+0x68/0x1a0
[ +0.000009] el0t_64_sync_handler+0x11c/0x150
[ +0.000009] el0t_64_sync+0x18c/0x190
[ +0.000014] Allocated by task 902:
[ +0.000007] kasan_save_stack+0x2c/0x5c
[ +0.000009] __kasan_kmalloc+0x90/0xd0
[ +0.000007] __kmalloc_node+0x240/0x580
[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac
[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0
[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490
[ +0.000009] __alloc_skb+0x1d4/0x310
[ +0.000010] alloc_skb_with_frags+0x8c/0x620
[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0
[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0
[ +0.000010] sock_sendmsg+0xcc/0x110
[ +0.000007] sock_write_iter+0x1d0/0x304
[ +0.000008] new_sync_write+0x364/0x460
[ +0.000007] vfs_write+0x420/0x5ac
[ +0.000008] ksys_write+0x19c/0x1f0
[ +0.000008] __arm64_sys_write+0x78/0xb0
[ +0.000007] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000008] el0t_64_sync_handler+0x11c/0x150
[ +0.000008] el0t_64_sync+0x18c/0x190
[ +0.000013] Freed by task 2509:
[ +0.000008] kasan_save_stack+0x2c/0x5c
[ +0.000007] kasan_set_track+0x2c/0x40
[ +0.000008] kasan_set_free_info+0x28/0x50
[ +0.000008] ____kasan_slab_free+0x128/0x1d4
[ +0.000008] __kasan_slab_free+0x18/0x24
[ +0.000007] slab_free_freelist_hook+0x108/0x230
[ +0.000010]
---truncated---
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn\u0027t being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device\u0027s struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[ +0.000014] =============================================================\n[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000005] dump_backtrace+0x1ec/0x280\n[ +0.000011] show_stack+0x24/0x80\n[ +0.000007] dump_stack_lvl+0x98/0xd4\n[ +0.000010] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000007] kasan_report+0xb8/0xfc\n[ +0.000007] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] find_components+0x468/0x500\n[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390\n[ +0.000009] __component_add+0x1dc/0x49c\n[ +0.000009] component_add+0x20/0x30\n[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[ +0.000013] platform_probe+0xd0/0x220\n[ +0.000008] really_probe+0x3ac/0xa80\n[ +0.000008] __driver_probe_device+0x1f8/0x400\n[ +0.000008] driver_probe_device+0x68/0x1b0\n[ +0.000008] __driver_attach+0x20c/0x480\n[ +0.000009] bus_for_each_dev+0x114/0x1b0\n[ +0.000007] driver_attach+0x48/0x64\n[ +0.000009] 
bus_add_driver+0x390/0x564\n[ +0.000007] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[ +0.000014] do_one_initcall+0xc4/0x2b0\n[ +0.000008] do_init_module+0x154/0x570\n[ +0.000010] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000008] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64_sync+0x18c/0x190\n\n[ +0.000014] Allocated by task 902:\n[ +0.000007] kasan_save_stack+0x2c/0x5c\n[ +0.000009] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc_node+0x240/0x580\n[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac\n[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0\n[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490\n[ +0.000009] __alloc_skb+0x1d4/0x310\n[ +0.000010] alloc_skb_with_frags+0x8c/0x620\n[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0\n[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0\n[ +0.000010] sock_sendmsg+0xcc/0x110\n[ +0.000007] sock_write_iter+0x1d0/0x304\n[ +0.000008] new_sync_write+0x364/0x460\n[ +0.000007] vfs_write+0x420/0x5ac\n[ +0.000008] ksys_write+0x19c/0x1f0\n[ +0.000008] __arm64_sys_write+0x78/0xb0\n[ +0.000007] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000008] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000013] Freed by task 2509:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000007] kasan_set_track+0x2c/0x40\n[ +0.000008] kasan_set_free_info+0x28/0x50\n[ +0.000008] ____kasan_slab_free+0x128/0x1d4\n[ +0.000008] __kasan_slab_free+0x18/0x24\n[ +0.000007] slab_free_freelist_hook+0x108/0x230\n[ +0.000010] \n---truncated---"
}
],
"id": "CVE-2022-50560",
"lastModified": "2025-10-22T21:12:48.953",
"metrics": {},
"published": "2025-10-22T14:15:40.737",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/587c7da877219e6185217bf64418e62e114dab1e"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/6ef20de2fe0ee1decedbfabb17782897ca27bfe5"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/8616f2a0589a80e08434212324250eb22f6a66ce"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/f11aa996fc01888f870be0e79ba71526888c0d8a"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}