CVE-2022-48633

In the Linux kernel, the following vulnerability has been resolved:

drm/gma500: Fix WARN_ON(lock->magic != lock) error

psbgemunpin() calls dmaresvlock() but the underlying wwmutex gets destroyed by drmgemobjectrelease() move the drmgemobjectrelease() call in psbgemfreeobject() to after the unpin to fix the below warning:

[ 79.693962] ------------[ cut here ]------------ [ 79.693992] DEBUGLOCKSWARNON(lock->magic != lock) [ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 wwmutexlock.constprop.0+0x569/0xfb0 [ 79.694052] Modules linked in: rfcomm sndseqdummy sndhrtimer qrtr bnep ath9k ath9kcommon ath9khw sndhdacodecrealtek sndhdacodecgeneric ledtrigaudio sndhdacodechdmi sndhdaintel ath3k sndinteldspcfg mac80211 sndintelsdwacpi btusb sndhdacodec btrtl btbcm btintel btmtk bluetooth at24 sndhdacore sndhwdep uvcvideo sndseq libarc4 videobuf2vmalloc ath videobuf2memops videobuf2v4l2 videobuf2common sndseqdevice videodev acerwmi intelpowerclamp coretemp mc sndpcm joydev sparsekeymap ecdhgeneric pcspkr wmibmof cfg80211 i2ci801 i2csmbus sndtimer snd r8169 rfkill lpcich soundcore acpicpufreq zram rtsxpcisdmmc mmccore serioraw rtsxpci gma500gfx(E) video wmi ip6tables iptables i2cdev fuse [ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490 [ 79.694457] Hardware name: Packard Bell dot s/SJE01CT, BIOS V1.10 07/23/2013 [ 79.694469] RIP: 0010:wwmutexlock.constprop.0+0x569/0xfb0 [ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff <0f> 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11 [ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282 [ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000 [ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff [ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90 [ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138 [ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270 [ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000 [ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0 [ 79.694734] Call Trace: [ 79.694749] <TASK> [ 79.694761] ? _schedule+0x47f/0x1670 [ 79.694796] ? psbgemunpin+0x27/0x1a0 [gma500gfx] [ 79.694830] ? lockisheldtype+0xe3/0x140 [ 79.694864] ? wwmutexlock+0x38/0xa0 [ 79.694885] ? _condresched+0x1c/0x30 [ 79.694902] wwmutexlock+0x38/0xa0 [ 79.694925] psbgemunpin+0x27/0x1a0 [gma500gfx] [ 79.694964] psbgemunpin+0x199/0x1a0 [gma500gfx] [ 79.694996] drmgemobjectreleasehandle+0x50/0x60 [ 79.695020] ? drmgemobjecthandleputunlocked+0xf0/0xf0 [ 79.695042] idrforeach+0x4b/0xb0 [ 79.695066] ? rawspinunlockirqrestore+0x30/0x60 [ 79.695095] drmgemrelease+0x1c/0x30 [ 79.695118] drmfilefree.part.0+0x1ea/0x260 [ 79.695150] drmrelease+0x6a/0x120 [ 79.695175] _fput+0x9f/0x260 [ 79.695203] taskworkrun+0x59/0xa0 [ 79.695227] doexit+0x387/0xbe0 [ 79.695250] ? seqcountlockdepreaderaccess.constprop.0+0x82/0x90 [ 79.695275] ? lockdephardirqson+0x7d/0x100 [ 79.695304] dogroupexit+0x33/0xb0 [ 79.695331] _x64sysexitgroup+0x14/0x20 [ 79.695353] dosyscall64+0x58/0x80 [ 79.695376] ? upread+0x17/0x20 [ 79.695401] ? lockisheldtype+0xe3/0x140 [ 79.695429] ? asmexcpagefault+0x22/0x30 [ 79.695450] ? lockdephardirqson+0x7d/0x100 [ 79.695473] entrySYSCALL64after_hwframe+0x63/0xcd [ 79.695493] RIP: 0033:0x7ff1ccefe3f1 [ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7. [ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: ---truncated---