CVE-2022-50560

Source
https://cve.org/CVERecord?id=CVE-2022-50560
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50560.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50560
Published
2025-10-22T13:23:20.117Z
Modified
2026-03-20T11:47:31.786426Z
Summary
drm/meson: explicitly remove aggregate driver at module unload time
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: explicitly remove aggregate driver at module unload time

Because component_master_del wasn't being called when unloading the meson_drm module, the aggregate device would linger forever in the global aggregate_devices list. That means when unloading and reloading the meson_dw_hdmi module, component_add would call into try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate device.

This would in turn dereference some of the aggregate_device's struct entries which point to memory automatically freed by the devres API when unbinding the aggregate device from meson_drv_unbind, and trigger a use-after-free bug:

[ +0.000014] =============================================================
[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500
[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536
[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000005] dump_backtrace+0x1ec/0x280
[ +0.000011] show_stack+0x24/0x80
[ +0.000007] dump_stack_lvl+0x98/0xd4
[ +0.000010] print_address_description.constprop.0+0x80/0x520
[ +0.000011] print_report+0x128/0x260
[ +0.000007] kasan_report+0xb8/0xfc
[ +0.000007] __asan_report_load8_noabort+0x3c/0x50
[ +0.000009] find_components+0x468/0x500
[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390
[ +0.000009] __component_add+0x1dc/0x49c
[ +0.000009] component_add+0x20/0x30
[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]
[ +0.000013] platform_probe+0xd0/0x220
[ +0.000008] really_probe+0x3ac/0xa80
[ +0.000008] __driver_probe_device+0x1f8/0x400
[ +0.000008] driver_probe_device+0x68/0x1b0
[ +0.000008] __driver_attach+0x20c/0x480
[ +0.000009] bus_for_each_dev+0x114/0x1b0
[ +0.000007] driver_attach+0x48/0x64
[ +0.000009] bus_add_driver+0x390/0x564
[ +0.000007] driver_register+0x1a8/0x3e4
[ +0.000009] __platform_driver_register+0x6c/0x94
[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]
[ +0.000014] do_one_initcall+0xc4/0x2b0
[ +0.000008] do_init_module+0x154/0x570
[ +0.000010] load_module+0x1a78/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000008] __arm64_sys_init_module+0x78/0xb0
[ +0.000008] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000008] el0_svc+0x68/0x1a0
[ +0.000009] el0t_64_sync_handler+0x11c/0x150
[ +0.000009] el0t_64_sync+0x18c/0x190

[ +0.000014] Allocated by task 902:
[ +0.000007] kasan_save_stack+0x2c/0x5c
[ +0.000009] __kasan_kmalloc+0x90/0xd0
[ +0.000007] __kmalloc_node+0x240/0x580
[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac
[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0
[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490
[ +0.000009] __alloc_skb+0x1d4/0x310
[ +0.000010] alloc_skb_with_frags+0x8c/0x620
[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0
[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0
[ +0.000010] sock_sendmsg+0xcc/0x110
[ +0.000007] sock_write_iter+0x1d0/0x304
[ +0.000008] new_sync_write+0x364/0x460
[ +0.000007] vfs_write+0x420/0x5ac
[ +0.000008] ksys_write+0x19c/0x1f0
[ +0.000008] __arm64_sys_write+0x78/0xb0
[ +0.000007] invoke_syscall+0x74/0x260
[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000009] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000008] el0t_64_sync_handler+0x11c/0x150
[ +0.000008] el0t_64_sync+0x18c/0x190

[ +0.000013] Freed by task 2509:
[ +0.000008] kasan_save_stack+0x2c/0x5c
[ +0.000007] kasan_set_track+0x2c/0x40
[ +0.000008] kasan_set_free_info+0x28/0x50
[ +0.000008] ____kasan_slab_free+0x128/0x1d4
[ +0.000008] __kasan_slab_free+0x18/0x24
[ +0.000007] slab_free_freelist_hook+0x108/0x230
[ +0.000010] ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50560.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bbbe775ec5b5dace43a35886da9924837da09ddd
Fixed
8a427a22839daacd36531a62c83d5c9cd6f20657
Fixed
587c7da877219e6185217bf64418e62e114dab1e
Fixed
f11aa996fc01888f870be0e79ba71526888c0d8a
Fixed
6ef20de2fe0ee1decedbfabb17782897ca27bfe5
Fixed
8616f2a0589a80e08434212324250eb22f6a66ce

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50560.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
5.10.150
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.75
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.17
Type
ECOSYSTEM
Events
Introduced
5.20.0
Fixed
6.0.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50560.json"