CVE-2023-52856

In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: lt8912b: Fix crash on bridge detach

The lt8912b driver, in its bridge detach function, calls drmconnectorunregister() and drmconnectorcleanup().

drmconnectorunregister() should be called only for connectors explicitly registered with drmconnectorregister(), which is not the case in lt8912b.

The driver's drmconnectorfuncs.destroy hook is set to drmconnectorcleanup().

Thus the driver should not call either drmconnectorunregister() nor drmconnectorcleanup() in its lt8912bridgedetach(), as they cause a crash on bridge detach:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000000858f3000 [0000000000000000] pgd=0800000085918003, p4d=0800000085918003, pud=0800000085431003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: tidss(-) displayconnector lontiumlt8912b tc358768 panellvds panelsimple drmdmahelper drmkmshelper drm drmpanelorientationquirks CPU: 3 PID: 462 Comm: rmmod Tainted: G W 6.5.0-rc2+ #2 Hardware name: Toradex Verdin AM62 on Verdin Development Board (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drmconnectorcleanup+0x78/0x2d4 [drm] lr : lt8912bridgedetach+0x54/0x6c [lontiumlt8912b] sp : ffff800082ed3a90 x29: ffff800082ed3a90 x28: ffff0000040c1940 x27: 0000000000000000 x26: 0000000000000000 x25: dead000000000122 x24: dead000000000122 x23: dead000000000100 x22: ffff000003fb6388 x21: 0000000000000000 x20: 0000000000000000 x19: ffff000003fb6260 x18: fffffffffffe56e8 x17: 0000000000000000 x16: 0010000000000000 x15: 0000000000000038 x14: 0000000000000000 x13: ffff800081914b48 x12: 000000000000040e x11: 000000000000015a x10: ffff80008196ebb8 x9 : ffff800081914b48 x8 : 00000000ffffefff x7 : ffff0000040c1940 x6 : ffff80007aa649d0 x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008159e008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: drmconnectorcleanup+0x78/0x2d4 [drm] lt8912bridgedetach+0x54/0x6c [lontiumlt8912b] drmbridgedetach+0x44/0x84 [drm] drmencodercleanup+0x40/0xb8 [drm] drmmencoderallocrelease+0x1c/0x30 [drm] drmmanagedrelease+0xac/0x148 [drm] drmdevput.part.0+0x88/0xb8 [drm] devmdrmdevinitrelease+0x14/0x24 [drm] devmactionrelease+0x14/0x20 releasenodes+0x5c/0x90 devresreleaseall+0x8c/0xe0 deviceunbindcleanup+0x18/0x68 devicereleasedriverinternal+0x208/0x23c driverdetach+0x4c/0x94 busremovedriver+0x70/0xf4 driverunregister+0x30/0x60 platformdriverunregister+0x14/0x20 tidssplatformdriver_exit+0x18/0xb2c [tidss] __arm64sysdeletemodule+0x1a0/0x2b4 invokesyscall+0x48/0x110 el0svccommon.constprop.0+0x60/0x10c doel0svccompat+0x1c/0x40 el0svccompat+0x40/0xac el0t32synchandler+0xb0/0x138 el0t32sync+0x194/0x198 Code: 9104a276 f2fbd5b7 aa0203e1 91008af8 (f85c0420)