CVE-2022-49458
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
22/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/msm: don't free the IRQ if it was not requested

As msm_drm_uninit() is called from the msm_drm_init() error path,
additional care should be necessary as not to call the free_irq() for
the IRQ that was not requested before (because an error occurred earlier
than the request_irq() call).

This fixed the issue reported with the following backtrace:

[ 8.571329] Trying to free already-free IRQ 187
[ 8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c
[ 8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6
[ 8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419
[ 8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)
[ 8.641496] Workqueue: events_unbound deferred_probe_work_func
[ 8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 8.654681] pc : free_irq+0x1e0/0x35c
[ 8.658454] lr : free_irq+0x1e0/0x35c
[ 8.662228] sp : ffff800008ab3950
[ 8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700
[ 8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90
[ 8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800
[ 8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff
[ 8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d
[ 8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c
[ 8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb
[ 8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202
[ 8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000
[ 8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000
[ 8.739217] Call trace:
[ 8.741755] free_irq+0x1e0/0x35c
[ 8.745198] msm_drm_uninit.isra.0+0x14c/0x294 [msm]
[ 8.750548] msm_drm_bind+0x28c/0x5d0 [msm]
[ 8.755081] try_to_bring_up_aggregate_device+0x164/0x1d0
[ 8.760657] __component_add+0xa0/0x170
[ 8.764626] component_add+0x14/0x20
[ 8.768337] dp_display_probe+0x2a4/0x464 [msm]
[ 8.773242] platform_probe+0x68/0xe0
[ 8.777043] really_probe.part.0+0x9c/0x28c
[ 8.781368] __driver_probe_device+0x98/0x144
[ 8.785871] driver_probe_device+0x40/0x140
[ 8.790191] __device_attach_driver+0xb4/0x120
[ 8.794788] bus_for_each_drv+0x78/0xd0
[ 8.798751] __device_attach+0xdc/0x184
[ 8.802713] device_initial_probe+0x14/0x20
[ 8.807031] bus_probe_device+0x9c/0xa4
[ 8.810991] deferred_probe_work_func+0x88/0xc0
[ 8.815667] process_one_work+0x1d0/0x320
[ 8.819809] worker_thread+0x14c/0x444
[ 8.823688] kthread+0x10c/0x110
[ 8.827036] ret_from_fork+0x10/0x20

Patchwork: https://patchwork.freedesktop.org/patch/485422/
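
The error-path pattern the description explains, as an added example that is not the kernel patch or any code from the msm driver: a userspace C model in which a shared teardown either frees the IRQ unconditionally or checks a flag that is set only after the request succeeded. All function and field names are hypothetical; the IRQ number 187 is taken from the backtrace above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model: all names are hypothetical, not the msm driver's. */
static bool irq_has_handler;  /* stands in for the kernel's IRQ action */
static int  bogus_frees;      /* frees of an IRQ nobody requested */

static int model_request_irq(int irq) { (void)irq; irq_has_handler = true; return 0; }
static void model_free_irq(int irq)
{
    if (!irq_has_handler) {   /* the kernel WARNs at this point */
        bogus_frees++;
        fprintf(stderr, "Trying to free already-free IRQ %d\n", irq);
    }
    irq_has_handler = false;
}
struct model_dev { int irq; bool irq_requested; };

/* Teardown shared by normal removal and by the init error path. */
static void model_uninit(struct model_dev *d, bool guarded)
{
    if (!guarded || d->irq_requested)  /* unguarded: frees unconditionally */
        model_free_irq(d->irq);
}

/* fail_early simulates an error before the IRQ request step is reached. */
static int model_init(struct model_dev *d, bool fail_early, bool guarded)
{
    if (fail_early || model_request_irq(d->irq) != 0) {
        model_uninit(d, guarded);      /* error path reuses the teardown */
        return -1;
    }
    d->irq_requested = true;           /* recorded only after success */
    return 0;
}

/* Bogus frees for one init plus, if it succeeded, one teardown. */
int run_case(bool fail_early, bool guarded)
{
    struct model_dev d = { .irq = 187, .irq_requested = false };
    bogus_frees = 0;
    if (model_init(&d, fail_early, guarded) == 0)
        model_uninit(&d, guarded);
    return bogus_frees;
}

int main(void)
{
    printf("early failure: unguarded=%d guarded=%d\n", run_case(true, false), run_case(true, true));
    return 0;
}
```

Only the unguarded teardown on the early-failure path reports a bogus free; the successful init and teardown cycle is clean in both forms.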
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 5.15.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.17.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 5.18.3 (excluding) |



