CVE-2022-49430

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: gpio-keys - cancel delayed work only in case of GPIO<br /> <br /> gpio_keys module can either accept gpios or interrupts. The module<br /> initializes delayed work in case of gpios only and is only used if<br /> debounce timer is not used, so make sure cancel_delayed_work_sync()<br /> is called only when its gpio-backed and debounce_use_hrtimer is false.<br /> <br /> This fixes the issue seen below when the gpio_keys module is unloaded and<br /> an interrupt pin is used instead of GPIO:<br /> <br /> [ 360.297569] ------------[ cut here ]------------<br /> [ 360.302303] WARNING: CPU: 0 PID: 237 at kernel/workqueue.c:3066 __flush_work+0x414/0x470<br /> [ 360.310531] Modules linked in: gpio_keys(-)<br /> [ 360.314797] CPU: 0 PID: 237 Comm: rmmod Not tainted 5.18.0-rc5-arm64-renesas-00116-g73636105874d-dirty #166<br /> [ 360.324662] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)<br /> [ 360.331270] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 360.338318] pc : __flush_work+0x414/0x470<br /> [ 360.342385] lr : __cancel_work_timer+0x140/0x1b0<br /> [ 360.347065] sp : ffff80000a7fba00<br /> [ 360.350423] x29: ffff80000a7fba00 x28: ffff000012b9c5c0 x27: 0000000000000000<br /> [ 360.357664] x26: ffff80000a7fbb80 x25: ffff80000954d0a8 x24: 0000000000000001<br /> [ 360.364904] x23: ffff800009757000 x22: 0000000000000000 x21: ffff80000919b000<br /> [ 360.372143] x20: ffff00000f5974e0 x19: ffff00000f5974e0 x18: ffff8000097fcf48<br /> [ 360.379382] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000053f40<br /> [ 360.386622] x14: ffff800009850e88 x13: 0000000000000002 x12: 000000000000a60c<br /> [ 360.393861] x11: 000000000000a610 x10: 0000000000000000 x9 : 0000000000000008<br /> [ 360.401100] x8 : 0101010101010101 x7 : 00000000a473c394 x6 : 0080808080808080<br /> [ 360.408339] x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff80000919b458<br /> [ 360.415578] x2 : ffff8000097577f0 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 360.422818] Call trace:<br /> [ 360.425299] __flush_work+0x414/0x470<br /> [ 360.429012] __cancel_work_timer+0x140/0x1b0<br /> [ 360.433340] cancel_delayed_work_sync+0x10/0x18<br /> [ 360.437931] gpio_keys_quiesce_key+0x28/0x58 [gpio_keys]<br /> [ 360.443327] devm_action_release+0x10/0x18<br /> [ 360.447481] release_nodes+0x8c/0x1a0<br /> [ 360.451194] devres_release_all+0x90/0x100<br /> [ 360.455346] device_unbind_cleanup+0x14/0x60<br /> [ 360.459677] device_release_driver_internal+0xe8/0x168<br /> [ 360.464883] driver_detach+0x4c/0x90<br /> [ 360.468509] bus_remove_driver+0x54/0xb0<br /> [ 360.472485] driver_unregister+0x2c/0x58<br /> [ 360.476462] platform_driver_unregister+0x10/0x18<br /> [ 360.481230] gpio_keys_exit+0x14/0x828 [gpio_keys]<br /> [ 360.486088] __arm64_sys_delete_module+0x1e0/0x270<br /> [ 360.490945] invoke_syscall+0x40/0xf8<br /> [ 360.494661] el0_svc_common.constprop.3+0xf0/0x110<br /> [ 360.499515] do_el0_svc+0x20/0x78<br /> [ 360.502877] el0_svc+0x48/0xf8<br /> [ 360.505977] el0t_64_sync_handler+0x88/0xb0<br /> [ 360.510216] el0t_64_sync+0x148/0x14c<br /> [ 360.513930] irq event stamp: 4306<br /> [ 360.517288] hardirqs last enabled at (4305): [] __cancel_work_timer+0x130/0x1b0<br /> [ 360.526359] hardirqs last disabled at (4306): [] el1_dbg+0x24/0x88<br /> [ 360.534204] softirqs last enabled at (4278): [] _stext+0x4a0/0x5e0<br /> [ 360.542133] softirqs last disabled at (4267): [] irq_exit_rcu+0x18c/0x1b0<br /> [ 360.550591] ---[ end trace 0000000000000000 ]---