{"id":"CVE-2022-50560","summary":"drm/meson: explicitly remove aggregate driver at module unload time","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn't being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device's struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[  +0.000014] =============================================================\n[  +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[  +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[  +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1\n[  +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[  +0.000008] Call trace:\n[  +0.000005]  dump_backtrace+0x1ec/0x280\n[  +0.000011]  show_stack+0x24/0x80\n[  +0.000007]  dump_stack_lvl+0x98/0xd4\n[  +0.000010]  print_address_description.constprop.0+0x80/0x520\n[  +0.000011]  print_report+0x128/0x260\n[  +0.000007]  kasan_report+0xb8/0xfc\n[  +0.000007]  __asan_report_load8_noabort+0x3c/0x50\n[  +0.000009]  find_components+0x468/0x500\n[  +0.000008]  try_to_bring_up_aggregate_device+0x64/0x390\n[  +0.000009]  __component_add+0x1dc/0x49c\n[  +0.000009]  component_add+0x20/0x30\n[  +0.000008]  meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[  +0.000013]  platform_probe+0xd0/0x220\n[  +0.000008]  really_probe+0x3ac/0xa80\n[  +0.000008]  __driver_probe_device+0x1f8/0x400\n[  +0.000008]  driver_probe_device+0x68/0x1b0\n[  +0.000008]  __driver_attach+0x20c/0x480\n[  +0.000009]  bus_for_each_dev+0x114/0x1b0\n[  +0.000007]  driver_attach+0x48/0x64\n[  +0.000009]  bus_add_driver+0x390/0x564\n[  +0.000007]  driver_register+0x1a8/0x3e4\n[  +0.000009]  __platform_driver_register+0x6c/0x94\n[  +0.000007]  meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[  +0.000014]  do_one_initcall+0xc4/0x2b0\n[  +0.000008]  do_init_module+0x154/0x570\n[  +0.000010]  load_module+0x1a78/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000008]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000008]  invoke_syscall+0x74/0x260\n[  +0.000008]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000009]  do_el0_svc+0x50/0x70\n[  +0.000008]  el0_svc+0x68/0x1a0\n[  +0.000009]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000009]  el0t_64_sync+0x18c/0x190\n\n[  +0.000014] Allocated by task 902:\n[  +0.000007]  kasan_save_stack+0x2c/0x5c\n[  +0.000009]  __kasan_kmalloc+0x90/0xd0\n[  +0.000007]  __kmalloc_node+0x240/0x580\n[  +0.000010]  memcg_alloc_slab_cgroups+0xa4/0x1ac\n[  +0.000010]  memcg_slab_post_alloc_hook+0xbc/0x4c0\n[  +0.000008]  kmem_cache_alloc_node+0x1d0/0x490\n[  +0.000009]  __alloc_skb+0x1d4/0x310\n[  +0.000010]  alloc_skb_with_frags+0x8c/0x620\n[  +0.000008]  sock_alloc_send_pskb+0x5ac/0x6d0\n[  +0.000010]  unix_dgram_sendmsg+0x2e0/0x12f0\n[  +0.000010]  sock_sendmsg+0xcc/0x110\n[  +0.000007]  sock_write_iter+0x1d0/0x304\n[  +0.000008]  new_sync_write+0x364/0x460\n[  +0.000007]  vfs_write+0x420/0x5ac\n[  +0.000008]  ksys_write+0x19c/0x1f0\n[  +0.000008]  __arm64_sys_write+0x78/0xb0\n[  +0.000007]  invoke_syscall+0x74/0x260\n[  +0.000008]  el0_svc_common.constprop.0+0x1a8/0x260\n[  +0.000009]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000008]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000008]  el0t_64_sync+0x18c/0x190\n\n[  +0.000013] Freed by task 2509:\n[  +0.000008]  kasan_save_stack+0x2c/0x5c\n[  +0.000007]  kasan_set_track+0x2c/0x40\n[  +0.000008]  kasan_set_free_info+0x28/0x50\n[  +0.000008]  ____kasan_slab_free+0x128/0x1d4\n[  +0.000008]  __kasan_slab_free+0x18/0x24\n[  +0.000007]  slab_free_freelist_hook+0x108/0x230\n[  +0.000010] \n---truncated---","modified":"2026-04-02T08:28:38.357947Z","published":"2025-10-22T13:23:20.117Z","related":["SUSE-SU-2025:4111-1","SUSE-SU-2025:4139-1","SUSE-SU-2025:4149-1","SUSE-SU-2025:4320-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50560.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/587c7da877219e6185217bf64418e62e114dab1e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ef20de2fe0ee1decedbfabb17782897ca27bfe5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8616f2a0589a80e08434212324250eb22f6a66ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f11aa996fc01888f870be0e79ba71526888c0d8a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50560.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50560"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bbbe775ec5b5dace43a35886da9924837da09ddd"},{"fixed":"8a427a22839daacd36531a62c83d5c9cd6f20657"},{"fixed":"587c7da877219e6185217bf64418e62e114dab1e"},{"fixed":"f11aa996fc01888f870be0e79ba71526888c0d8a"},{"fixed":"6ef20de2fe0ee1decedbfabb17782897ca27bfe5"},{"fixed":"8616f2a0589a80e08434212324250eb22f6a66ce"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50560.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.10.0"},{"fixed":"5.10.150"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.19.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.20.0"},{"fixed":"6.0.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50560.json"}}],"schema_version":"1.7.5"}