CVE-2022-50332

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> video/aperture: Call sysfb_disable() before removing PCI devices<br /> <br /> Call sysfb_disable() from aperture_remove_conflicting_pci_devices()<br /> before removing PCI devices. Without, simpledrm can still bind to<br /> simple-framebuffer devices after the hardware driver has taken over<br /> the hardware. Both drivers interfere with each other and results are<br /> undefined.<br /> <br /> Reported modesetting errors [1] are shown below.<br /> <br /> ---- snap ----<br /> rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 13-.... } 7 jiffies s: 165 root: 0x2000/.<br /> rcu: blocking rcu_node structures (internal RCU debug):<br /> Task dump for CPU 13:<br /> task:X state:R running task stack: 0 pid: 4242 ppid: 4228 flags:0x00000008<br /> Call Trace:<br /> <br /> ? commit_tail+0xd7/0x130<br /> ? drm_atomic_helper_commit+0x126/0x150<br /> ? drm_atomic_commit+0xa4/0xe0<br /> ? drm_plane_get_damage_clips.cold+0x1c/0x1c<br /> ? drm_atomic_helper_dirtyfb+0x19e/0x280<br /> ? drm_mode_dirtyfb_ioctl+0x10f/0x1e0<br /> ? drm_mode_getfb2_ioctl+0x2d0/0x2d0<br /> ? drm_ioctl_kernel+0xc4/0x150<br /> ? drm_ioctl+0x246/0x3f0<br /> ? drm_mode_getfb2_ioctl+0x2d0/0x2d0<br /> ? __x64_sys_ioctl+0x91/0xd0<br /> ? do_syscall_64+0x60/0xd0<br /> ? entry_SYSCALL_64_after_hwframe+0x4b/0xb5<br /> <br /> ...<br /> rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 13-.... } 30 jiffies s: 169 root: 0x2000/.<br /> rcu: blocking rcu_node structures (internal RCU debug):<br /> Task dump for CPU 13:<br /> task:X state:R running task stack: 0 pid: 4242 ppid: 4228 flags:0x0000400e<br /> Call Trace:<br /> <br /> ? memcpy_toio+0x76/0xc0<br /> ? memcpy_toio+0x1b/0xc0<br /> ? drm_fb_memcpy_toio+0x76/0xb0<br /> ? drm_fb_blit_toio+0x75/0x2b0<br /> ? simpledrm_simple_display_pipe_update+0x132/0x150<br /> ? drm_atomic_helper_commit_planes+0xb6/0x230<br /> ? drm_atomic_helper_commit_tail+0x44/0x80<br /> ? commit_tail+0xd7/0x130<br /> ? drm_atomic_helper_commit+0x126/0x150<br /> ? drm_atomic_commit+0xa4/0xe0<br /> ? drm_plane_get_damage_clips.cold+0x1c/0x1c<br /> ? drm_atomic_helper_dirtyfb+0x19e/0x280<br /> ? drm_mode_dirtyfb_ioctl+0x10f/0x1e0<br /> ? drm_mode_getfb2_ioctl+0x2d0/0x2d0<br /> ? drm_ioctl_kernel+0xc4/0x150<br /> ? drm_ioctl+0x246/0x3f0<br /> ? drm_mode_getfb2_ioctl+0x2d0/0x2d0<br /> ? __x64_sys_ioctl+0x91/0xd0<br /> ? do_syscall_64+0x60/0xd0<br /> ? entry_SYSCALL_64_after_hwframe+0x4b/0xb5<br /> <br /> <br /> The problem was added by commit 5e0137612430 ("video/aperture: Disable<br /> and unregister sysfb devices via aperture helpers") to v6.0.3 and does<br /> not exist in the mainline branch.<br /> <br /> The mainline commit 5e0137612430 ("video/aperture: Disable and<br /> unregister sysfb devices via aperture helpers") has been backported<br /> from v6.0-rc1 to stable v6.0.3 from a larger patch series [2] that<br /> reworks fbdev framebuffer ownership. The backport misses a change to<br /> aperture_remove_conflicting_pci_devices(). Mainline itself is fine,<br /> because the function does not exist there as a result of the patch<br /> series.<br /> <br /> Instead of backporting the whole series, fix the additional function.