CVE-2022-50260

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/09/2025
Last modified: 15/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Make .remove and .shutdown HW shutdown consistent

Drivers' .remove and .shutdown callbacks are executed on different code
paths. The former is called when a device is removed from the bus, while
the latter is called at system shutdown time to quiesce the device.

This means that some overlap exists between the two, because both have to
take care of properly shutting down the hardware. But currently the logic
used in these two callbacks isn't consistent in msm drivers, which could
lead to kernel panic.

For example, on .remove the component is deleted and its .unbind callback
leads to the hardware being shutdown but only if the DRM device has been
marked as registered.

That check doesn't exist in the .shutdown logic and this can lead to the
driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't
been properly initialized.

A situation like this can happen if drivers for expected sub-devices fail
to probe, since the .bind callback will never be executed. If that is the
case, drm_atomic_helper_shutdown() will attempt to take mutexes that are
only initialized if drm_mode_config_init() is called during a device bind.

This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix
shutdown hook in case GPU components failed to bind"), but unfortunately
it still happens in some cases as the one mentioned above, i.e.:

systemd-shutdown[1]: Powering off.
kvm: exiting hardware virtualization
platform wifi-firmware.0: Removing from iommu group 12
platform video-firmware.0: Removing from iommu group 10
------------[ cut here ]------------
WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0
...
Hardware name: Google CoachZ (rev3+) (DT)
pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0
lr : drm_modeset_lock_all_ctx+0x48/0x3d0
sp : ffff80000805bb80
x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030
x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800
x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034
x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000
x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0
Call trace:
drm_modeset_lock_all_ctx+0x3c4/0x3d0
drm_atomic_helper_shutdown+0x70/0x134
msm_drv_shutdown+0x30/0x40
platform_shutdown+0x28/0x40
device_shutdown+0x148/0x350
kernel_power_off+0x38/0x80
__do_sys_reboot+0x288/0x2c0
__arm64_sys_reboot+0x28/0x34
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0x44/0xec
do_el0_svc+0x2c/0xc0
el0_svc+0x2c/0x84
el0t_64_sync_handler+0x11c/0x150
el0t_64_sync+0x18c/0x190
---[ end trace 0000000000000000 ]---
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000
[0000000000000018] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 96000004 [#1] PREEMPT SMP
...
Hardware name: Google CoachZ (rev3+) (DT)
pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ww_mutex_lock+0x28/0x32c
lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0
sp : ffff80000805bb50
x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000
x26: 00000
---truncated---

Impact