{"id":"CVE-2022-50144","summary":"soundwire: revisit driver bind/unbind and callbacks","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: revisit driver bind/unbind and callbacks\n\nIn the SoundWire probe, we store a pointer from the driver ops into\nthe 'slave' structure. This can lead to kernel oopses when unbinding\ncodec drivers, e.g. with the following sequence to remove machine\ndriver and codec driver.\n\n/sbin/modprobe -r snd_soc_sof_sdw\n/sbin/modprobe -r snd_soc_rt711\n\nThe full details can be found in the BugLink below, for reference the\ntwo following examples show different cases of driver ops/callbacks\nbeing invoked after the driver .remove().\n\nkernel: BUG: kernel NULL pointer dereference, address: 0000000000000150\nkernel: Workqueue: events cdns_update_slave_status_work [soundwire_cadence]\nkernel: RIP: 0010:mutex_lock+0x19/0x30\nkernel: Call Trace:\nkernel:  ? sdw_handle_slave_status+0x426/0xe00 [soundwire_bus 94ff184bf398570c3f8ff7efe9e32529f532e4ae]\nkernel:  ? newidle_balance+0x26a/0x400\nkernel:  ? cdns_update_slave_status_work+0x1e9/0x200 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82]\n\nkernel: BUG: unable to handle page fault for address: ffffffffc07654c8\nkernel: Workqueue: pm pm_runtime_work\nkernel: RIP: 0010:sdw_bus_prep_clk_stop+0x6f/0x160 [soundwire_bus]\nkernel: Call Trace:\nkernel:  \u003cTASK\u003e\nkernel:  sdw_cdns_clock_stop+0xb5/0x1b0 [soundwire_cadence 1bcf98eebe5ba9833cd433323769ac923c9c6f82]\nkernel:  intel_suspend_runtime+0x5f/0x120 [soundwire_intel aca858f7c87048d3152a4a41bb68abb9b663a1dd]\nkernel:  ? dpm_sysfs_remove+0x60/0x60\n\nThis was not detected earlier in Intel tests since the tests first\nremove the parent PCI device and shut down the bus. The sequence\nabove is a corner case which keeps the bus operational but without a\ndriver bound.\n\nWhile trying to solve this kernel oopses, it became clear that the\nexisting SoundWire bus does not deal well with the unbind case.\n\nCommit 528be501b7d4a (\"soundwire: sdw_slave: add probe_complete structure and new fields\")\nadded a 'probed' status variable and a 'probe_complete'\nstruct completion. This status is however not reset on remove and\nlikewise the 'probe complete' is not re-initialized, so the\nbind/unbind/bind test cases would fail. The timeout used before the\n'update_status' callback was also a bad idea in hindsight, there\nshould really be no timing assumption as to if and when a driver is\nbound to a device.\n\nAn initial draft was based on device_lock() and device_unlock() was\ntested. This proved too complicated, with deadlocks created during the\nsuspend-resume sequences, which also use the same device_lock/unlock()\nas the bind/unbind sequences. On a CometLake device, a bad DSDT/BIOS\ncaused spurious resumes and the use of device_lock() caused hangs\nduring suspend. After multiple weeks or testing and painful\nreverse-engineering of deadlocks on different devices, we looked for\nalternatives that did not interfere with the device core.\n\nA bus notifier was used successfully to keep track of DRIVER_BOUND and\nDRIVER_UNBIND events. This solved the bind-unbind-bind case in tests,\nbut it can still be defeated with a theoretical corner case where the\nmemory is freed by a .remove while the callback is in use. The\nnotifier only helps make sure the driver callbacks are valid, but not\nthat the memory allocated in probe remains valid while the callbacks\nare invoked.\n\nThis patch suggests the introduction of a new 'sdw_dev_lock' mutex\nprotecting probe/remove and all driver callbacks. Since this mutex is\n'local' to SoundWire only, it does not interfere with existing locks\nand does not create deadlocks. In addition, this patch removes the\n'probe_complete' completion, instead we directly invoke the\n'update_status' from the probe routine. That removes any sort of\ntiming dependency and a much better support for the device/driver\nmodel, the driver could be bound before the bus started, or eons after\nthe bus started and the hardware would be properly initialized in all\ncases.\n\nBugLink: https://github.com/thesofproject/linux/is\n---truncated---","modified":"2026-04-03T13:14:25.479860799Z","published":"2025-06-18T11:03:05.638Z","related":["SUSE-SU-2025:02264-1","SUSE-SU-2025:02321-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50144.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/250b46505175889c6b5958c3829f610f52199f5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/432b30f08ca3303d2ebb22352cb04c4b6cfefe65"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fd6b03646b9a9e16d1ec19bd724cd6bd78e0ea5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd29c00edd0a5dac8b6e7332bb470cd50f92e893"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50144.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50144"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"56d4fe31af77f684bed62fb8201e6327e6ddf4e6"},{"fixed":"250b46505175889c6b5958c3829f610f52199f5f"},{"fixed":"8fd6b03646b9a9e16d1ec19bd724cd6bd78e0ea5"},{"fixed":"432b30f08ca3303d2ebb22352cb04c4b6cfefe65"},{"fixed":"bd29c00edd0a5dac8b6e7332bb470cd50f92e893"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50144.json"}}],"schema_version":"1.7.5"}