cve/published/2022/CVE-2022-49490.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49490: drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected

 mdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring
 the modeset lock, but currently mdp5_pipe_release doesn't check for if
 an error is returned. Because of this, there is a possibility of
 mdp5_pipe_release hitting a NULL dereference error.

 To avoid this, let's have mdp5_pipe_release check if
 mdp5_get_global_state returns an error and propogate that error.

 Changes since v1:
 - Separated declaration and initialization of *new_state to avoid
   compiler warning
 - Fixed some spelling mistakes in commit message

 Changes since v2:
 - Return 0 in case where hwpipe is NULL as this is considered normal
   behavior
 - Added 2nd patch in series to fix a similar NULL dereference issue in
   mdp5_mixer_release

 Patchwork: https://patchwork.freedesktop.org/patch/485179/

 The Linux kernel CVE team has assigned CVE-2022-49490 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 4.19.247 with commit 776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.4.198 with commit b2aa2c4efe93e2580d6a8774b04fe2b99756a322
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.10.121 with commit 49dc28b4b2e28ef7564e355c91487996c1cbebd7
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.15.46 with commit 04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.17.14 with commit 19964dfb39bda4d7716a71009488f0668ecbcf52
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.18.3 with commit 33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb
 	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.19 with commit d59be579fa932c46b908f37509f319cbd4ca9a68

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49490
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c
 	drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.h
 	drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b
 	https://git.kernel.org/stable/c/b2aa2c4efe93e2580d6a8774b04fe2b99756a322
 	https://git.kernel.org/stable/c/49dc28b4b2e28ef7564e355c91487996c1cbebd7
 	https://git.kernel.org/stable/c/04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8
 	https://git.kernel.org/stable/c/19964dfb39bda4d7716a71009488f0668ecbcf52
 	https://git.kernel.org/stable/c/33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb
 	https://git.kernel.org/stable/c/d59be579fa932c46b908f37509f319cbd4ca9a68
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49490: drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected

	mdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring
	the modeset lock, but currently mdp5_pipe_release doesn't check for if
	an error is returned. Because of this, there is a possibility of
	mdp5_pipe_release hitting a NULL dereference error.

	To avoid this, let's have mdp5_pipe_release check if
	mdp5_get_global_state returns an error and propogate that error.

	Changes since v1:
	- Separated declaration and initialization of *new_state to avoid
	compiler warning
	- Fixed some spelling mistakes in commit message

	Changes since v2:
	- Return 0 in case where hwpipe is NULL as this is considered normal
	behavior
	- Added 2nd patch in series to fix a similar NULL dereference issue in
	mdp5_mixer_release

	Patchwork: https://patchwork.freedesktop.org/patch/485179/

	The Linux kernel CVE team has assigned CVE-2022-49490 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 4.19.247 with commit 776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.4.198 with commit b2aa2c4efe93e2580d6a8774b04fe2b99756a322
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.10.121 with commit 49dc28b4b2e28ef7564e355c91487996c1cbebd7
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.15.46 with commit 04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.17.14 with commit 19964dfb39bda4d7716a71009488f0668ecbcf52
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.18.3 with commit 33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb
	Issue introduced in 4.18 with commit 7907a0d77cb461f58045763c205a5830be72e97c and fixed in 5.19 with commit d59be579fa932c46b908f37509f319cbd4ca9a68

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49490
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c
	drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.h
	drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b
	https://git.kernel.org/stable/c/b2aa2c4efe93e2580d6a8774b04fe2b99756a322
	https://git.kernel.org/stable/c/49dc28b4b2e28ef7564e355c91487996c1cbebd7
	https://git.kernel.org/stable/c/04bef5f1ba8ea6d7c1c8f5f65e0395c62db59cb8
	https://git.kernel.org/stable/c/19964dfb39bda4d7716a71009488f0668ecbcf52
	https://git.kernel.org/stable/c/33dc5aac46e0fad8f5eb193e5906ed0eb6b66ceb
	https://git.kernel.org/stable/c/d59be579fa932c46b908f37509f319cbd4ca9a68