CVE-2022-50560

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/10/2025
Last modified: 22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: explicitly remove aggregate driver at module unload time

Because component_master_del wasn't being called when unloading the meson_drm module, the aggregate device would linger forever in the global aggregate_devices list. That means when unloading and reloading the meson_dw_hdmi module, component_add would call into try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate device.

This would in turn dereference some of the aggregate_device's struct entries which point to memory automatically freed by the devres API when unbinding the aggregate device from meson_drv_unbind, and trigger a use-after-free bug:

[ +0.000014] =============================================================
[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500
[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536
[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000005] dump_backtrace+0x1ec/0x280
[ +0.000011] show_stack+0x24/0x80
[ +0.000007] dump_stack_lvl+0x98/0xd4
[ +0.000010] print_address_description.constprop.0+0x80/0x520
[ +0.000011] print_report+0x128/0x260
[ +0.000007] kasan_report+0xb8/0xfc
[ +0.000007] __asan_report_load8_noabort+0x3c/0x50
[ +0.000009] find_components+0x468/0x500
[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390
[ +0.000009] __component_add+0x1dc/0x49c
[ +0.000009] component_add+0x20/0x30
[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]
[ +0.000013] platform_probe+0xd0/0x220
[ +0.000008] really_probe+0x3ac/0xa80
[ +0.000008] __driver_probe_device+0x1f8/0x400
[ +0.000008] driver_probe_device+0x68/0x1b0
[ +0.000008] __driver_attach+0x20c/0x480
[ +0.000009] bus_for_each_dev+0x114/0x1b0
[ +0.000007] driver_attach+0x48/0x64
[ +0.000009] bus_add_driver+0x390/0x564
[ +0.000007] driver_register+0x1a8/0x3e4
[ +0.000009] __platform_driver_register+0x6c/0x94
[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]
[ +0.000014] do_one_initcall+0xc4/0x2b0
[ +0.000008] do_init_module+0x154/0x570
[ +0.000010] load_module+0x1a78/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000008] __arm64_sys_init_module+0x78/0xb0
[ +0.000008] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000008] el0_svc+0x68/0x1a0
[ +0.000009] el0t_64_sync_handler+0x11c/0x150
[ +0.000009] el0t_64_sync+0x18c/0x190

[ +0.000014] Allocated by task 902:
[ +0.000007] kasan_save_stack+0x2c/0x5c
[ +0.000009] __kasan_kmalloc+0x90/0xd0
[ +0.000007] __kmalloc_node+0x240/0x580
[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac
[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0
[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490
[ +0.000009] __alloc_skb+0x1d4/0x310
[ +0.000010] alloc_skb_with_frags+0x8c/0x620
[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0
[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0
[ +0.000010] sock_sendmsg+0xcc/0x110
[ +0.000007] sock_write_iter+0x1d0/0x304
[ +0.000008] new_sync_write+0x364/0x460
[ +0.000007] vfs_write+0x420/0x5ac
[ +0.000008] ksys_write+0x19c/0x1f0
[ +0.000008] __arm64_sys_write+0x78/0xb0
[ +0.000007] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000008] el0t_64_sync_handler+0x11c/0x150
[ +0.000008] el0t_64_sync+0x18c/0x190

[ +0.000013] Freed by task 2509:
[ +0.000008] kasan_save_stack+0x2c/0x5c
[ +0.000007] kasan_set_track+0x2c/0x40
[ +0.000008] kasan_set_free_info+0x28/0x50
[ +0.000008] ____kasan_slab_free+0x128/0x1d4
[ +0.000008] __kasan_slab_free+0x18/0x24
[ +0.000007] slab_free_freelist_hook+0x108/0x230
[ +0.000010]
---truncated---
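
The lifetime problem described above, modelled in userspace C as an added example (not the kernel patch and not code from this page). `struct aggregate`, `master_add`, `master_del`, `unbind` and `run_cycle` are hypothetical stand-ins for the kernel objects named in the description, and a flag replaces the actual read of freed memory so the program stays well defined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the kernel's component code. */
struct aggregate {
    int *match;          /* stands in for devres-managed match data */
    bool match_live;     /* model-only flag, false once unbind freed it */
    struct aggregate *next;
};
static struct aggregate *aggregate_list;   /* models the global list */

static void master_add(struct aggregate *a) { a->next = aggregate_list; aggregate_list = a; }
static void master_del(struct aggregate *a)
{
    for (struct aggregate **p = &aggregate_list; *p; p = &(*p)->next)
        if (*p == a) { *p = a->next; return; }
}

/* Unbind: the devres-style release frees the match data. */
static void unbind(struct aggregate *a)
{
    free(a->match);          /* a->match now dangles; the model never reads it */
    a->match_live = false;
}

/* A later component_add walks the list; count entries whose data is gone. */
static int stale_entries_seen(void)
{
    int stale = 0;
    for (struct aggregate *a = aggregate_list; a; a = a->next)
        stale += !a->match_live;   /* the kernel would read freed memory here */
    return stale;
}

/* One bind/unbind/unload cycle, then a component_add from another module. */
static int run_cycle(bool del_on_unload)
{
    struct aggregate drm = { .match = malloc(sizeof(int)), .match_live = true };
    master_add(&drm);
    unbind(&drm);
    if (del_on_unload)
        master_del(&drm);    /* the fix: drop the entry at module unload */
    int stale = stale_entries_seen();
    aggregate_list = NULL;   /* model cleanup: drm is a stack object */
    return stale;
}

int main(void) { printf("buggy=%d fixed=%d\n", run_cycle(false), run_cycle(true)); return 0; }
```

Without the removal at unload, the later list walk still reaches the unbound entry; with it, the walk finds nothing to dereference.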

Impact