CVE-2022-48662

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48662
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48662.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48662
Downstream
Related
Published
2024-04-28T13:01:31Z
Modified
2025-10-14T20:09:08.203868Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
drm/i915/gem: Really move i915_gem_context.link under ref protection
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Really move i915gemcontext.link under ref protection

i915perf assumes that it can use the i915gemcontext reference to protect its i915->gem.contexts.list iteration. However, this requires that we do not remove the context from the list until after we drop the final reference and release the struct. If, as currently, we remove the context from the list during contextclose(), the link.next pointer may be poisoned while we are holding the context reference and cause a GPF:

[ 4070.573157] i915 0000:00:02.0: [drm:i915perfopenioctl [i915]] filtering on ctxid=0x1fffff ctxidmask=0x1fffff [ 4070.574881] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP [ 4070.574897] CPU: 1 PID: 284392 Comm: amdperformance Tainted: G E 5.17.9 #180 [ 4070.574903] Hardware name: Intel Corporation NUC7i5BNK/NUC7i5BNB, BIOS BNKBL357.86A.0052.2017.0918.1346 09/18/2017 [ 4070.574907] RIP: 0010:oaconfigureallcontexts.isra.0+0x222/0x350 [i915] [ 4070.574982] Code: 08 e8 32 6e 10 e1 4d 8b 6d 50 b8 ff ff ff ff 49 83 ed 50 f0 41 0f c1 04 24 83 f8 01 0f 84 e3 00 00 00 85 c0 0f 8e fa 00 00 00 <49> 8b 45 50 48 8d 70 b0 49 8d 45 50 48 39 44 24 10 0f 85 34 fe ff [ 4070.574990] RSP: 0018:ffffc90002077b78 EFLAGS: 00010202 [ 4070.574995] RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000000 [ 4070.575000] RDX: 0000000000000001 RSI: ffffc90002077b20 RDI: ffff88810ddc7c68 [ 4070.575004] RBP: 0000000000000001 R08: ffff888103242648 R09: fffffffffffffffc [ 4070.575008] R10: ffffffff82c50bc0 R11: 0000000000025c80 R12: ffff888101bf1860 [ 4070.575012] R13: dead0000000000b0 R14: ffffc90002077c04 R15: ffff88810be5cabc [ 4070.575016] FS: 00007f1ed50c0780(0000) GS:ffff88885ec80000(0000) knlGS:0000000000000000 [ 4070.575021] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4070.575025] CR2: 00007f1ed5590280 CR3: 000000010ef6f005 CR4: 00000000003706e0 [ 4070.575029] Call Trace: [ 4070.575033] <TASK> [ 4070.575037] lrcconfigureallcontexts+0x13e/0x150 [i915] [ 4070.575103] gen8enablemetricset+0x4d/0x90 [i915] [ 4070.575164] i915perfopenioctl+0xbc0/0x1500 [i915] [ 4070.575224] ? asmcommoninterrupt+0x1e/0x40 [ 4070.575232] ? i915oainitregstate+0x110/0x110 [i915] [ 4070.575290] drmioctlkernel+0x85/0x110 [ 4070.575296] ? updateloadavg+0x5f/0x5e0 [ 4070.575302] drmioctl+0x1d3/0x370 [ 4070.575307] ? i915oainitregstate+0x110/0x110 [i915] [ 4070.575382] ? gen8gtirqhandler+0x46/0x130 [i915] [ 4070.575445] _x64sysioctl+0x3c4/0x8d0 [ 4070.575451] ? _dosoftirq+0xaa/0x1d2 [ 4070.575456] dosyscall64+0x35/0x80 [ 4070.575461] entrySYSCALL64afterhwframe+0x44/0xae [ 4070.575467] RIP: 0033:0x7f1ed5c10397 [ 4070.575471] Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 da 0d 00 f7 d8 64 89 01 48 [ 4070.575478] RSP: 002b:00007ffd65c8d7a8 EFLAGS: 00000246 ORIGRAX: 0000000000000010 [ 4070.575484] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f1ed5c10397 [ 4070.575488] RDX: 00007ffd65c8d7c0 RSI: 0000000040106476 RDI: 0000000000000006 [ 4070.575492] RBP: 00005620972f9c60 R08: 000000000000000a R09: 0000000000000005 [ 4070.575496] R10: 000000000000000d R11: 0000000000000246 R12: 000000000000000a [ 4070.575500] R13: 000000000000000d R14: 0000000000000000 R15: 00007ffd65c8d7c0 [ 4070.575505] </TASK> [ 4070.575507] Modules linked in: nlsascii(E) nlscp437(E) vfat(E) fat(E) i915(E) x86pkgtempthermal(E) intelpowerclamp(E) crct10difpclmul(E) crc32pclmul(E) crc32cintel(E) aesniintel(E) cryptosimd(E) intelgtt(E) cryptd(E) ttm(E) rapl(E) intelcstate(E) drmkmshelper(E) cfbfillrect(E) syscopyarea(E) cfbimgblt(E) inteluncore(E) sysfillrect(E) meime(E) sysimgblt(E) i2ci801(E) fbsysfops(E) mei(E) intelpchthermal(E) i2csmbus ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f8246cf4d9a9025d26c609bb2195e7c0a9ce5c40
Fixed
713fa3e4591f65f804bdc88e8648e219fabc9ee1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f8246cf4d9a9025d26c609bb2195e7c0a9ce5c40
Fixed
f799e0568d6c153368b177e0bbbde7dcc4ce7f1d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f8246cf4d9a9025d26c609bb2195e7c0a9ce5c40
Fixed
d119888b09bd567e07c6b93a07f175df88857e02

Affected versions

v5.*

v5.10
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.10
v5.19.11
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9

v6.*

v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "i915_gem_context_release_work"
            },
            "id": "CVE-2022-48662-44055b1f",
            "digest": {
                "length": 575.0,
                "function_hash": "327907802618551410293056079508823751189"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f799e0568d6c153368b177e0bbbde7dcc4ce7f1d"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "context_close"
            },
            "id": "CVE-2022-48662-444e8bac",
            "digest": {
                "length": 731.0,
                "function_hash": "318434159077770832199975871331344849591"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d119888b09bd567e07c6b93a07f175df88857e02"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "context_close"
            },
            "id": "CVE-2022-48662-48150c2a",
            "digest": {
                "length": 731.0,
                "function_hash": "318434159077770832199975871331344849591"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f799e0568d6c153368b177e0bbbde7dcc4ce7f1d"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c"
            },
            "id": "CVE-2022-48662-939b05a9",
            "digest": {
                "line_hashes": [
                    "233985948125687500245012697621896334932",
                    "48970055972133113407613084640486376395",
                    "263316965088519688058614172822467252935",
                    "140661009704716422762445123254218862632",
                    "323684911382871264715415234917525170283",
                    "68376139880739122744158933646782173213",
                    "332313081494285179170663281607872753075",
                    "91839128525315177411417501676394644367",
                    "37490085063548908142131201805379259486"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d119888b09bd567e07c6b93a07f175df88857e02"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c"
            },
            "id": "CVE-2022-48662-998f6289",
            "digest": {
                "line_hashes": [
                    "233985948125687500245012697621896334932",
                    "48970055972133113407613084640486376395",
                    "263316965088519688058614172822467252935",
                    "140661009704716422762445123254218862632",
                    "323684911382871264715415234917525170283",
                    "68376139880739122744158933646782173213",
                    "332313081494285179170663281607872753075",
                    "91839128525315177411417501676394644367",
                    "37490085063548908142131201805379259486"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f799e0568d6c153368b177e0bbbde7dcc4ce7f1d"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "i915_gem_context_release_work"
            },
            "id": "CVE-2022-48662-aadf05a2",
            "digest": {
                "length": 575.0,
                "function_hash": "327907802618551410293056079508823751189"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d119888b09bd567e07c6b93a07f175df88857e02"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "context_close"
            },
            "id": "CVE-2022-48662-b5c7fa29",
            "digest": {
                "length": 614.0,
                "function_hash": "166225146568527782915388907166197683399"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@713fa3e4591f65f804bdc88e8648e219fabc9ee1"
        },
        {
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c"
            },
            "id": "CVE-2022-48662-bfd556ea",
            "digest": {
                "line_hashes": [
                    "315648511683256306311834702456330677962",
                    "48970055972133113407613084640486376395",
                    "10768045321169898964829370486011312155",
                    "148738552281544741654646792924271136634",
                    "189340524899724529812759150969987857629",
                    "299165296203364052926688053275297434330",
                    "303900559155090475627967551365582587633",
                    "116871483669255040743004761671890682127",
                    "270013037929022279470258549638207923613"
                ],
                "threshold": 0.9
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@713fa3e4591f65f804bdc88e8648e219fabc9ee1"
        },
        {
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "drivers/gpu/drm/i915/gem/i915_gem_context.c",
                "function": "i915_gem_context_release"
            },
            "id": "CVE-2022-48662-ce2e95c0",
            "digest": {
                "length": 358.0,
                "function_hash": "145325824646254052826031362356385673921"
            },
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@713fa3e4591f65f804bdc88e8648e219fabc9ee1"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.12.0
Fixed
5.15.72
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.12

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
f8246cf4d9a9
Fixed
713fa3e4591f
Type
ECOSYSTEM
Events
Introduced
f8246cf4d9a9
Fixed
f799e0568d6c
Type
ECOSYSTEM
Events
Introduced
f8246cf4d9a9
Fixed
d119888b09bd
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.12