In the Linux kernel, the following vulnerability has been resolved:
drm/msm: don't free the IRQ if it was not requested
As msm_drm_uninit() is called from the msm_drm_init() error path, additional care should be necessary as not to call the free_irq() for the IRQ that was not requested before (because an error occurred earlier than the request_irq() call).
This fixed the issue reported with the following backtrace:
[ 8.571329] Trying to free already-free IRQ 187
[ 8.571339] WARNING: CPU: 0 PID: 76 at kernel/irq/manage.c:1895 free_irq+0x1e0/0x35c
[ 8.588746] Modules linked in: pmic_glink pdr_interface fastrpc qrtr_smd snd_soc_hdmi_codec msm fsa4480 gpu_sched drm_dp_aux_bus qrtr i2c_qcom_geni crct10dif_ce qcom_stats qcom_q6v5_pas drm_display_helper gpi qcom_pil_info drm_kms_helper qcom_q6v5 qcom_sysmon qcom_common qcom_glink_smem qcom_rng mdt_loader qmi_helpers phy_qcom_qmp ufs_qcom typec qnoc_sm8350 socinfo rmtfs_mem fuse drm ipv6
[ 8.624154] CPU: 0 PID: 76 Comm: kworker/u16:2 Not tainted 5.18.0-rc5-next-20220506-00033-g6cee8cab6089-dirty #419
[ 8.624161] Hardware name: Qualcomm Technologies, Inc. SM8350 HDK (DT)
[ 8.641496] Workqueue: events_unbound deferred_probe_work_func
[ 8.647510] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 8.654681] pc : free_irq+0x1e0/0x35c
[ 8.658454] lr : free_irq+0x1e0/0x35c
[ 8.662228] sp : ffff800008ab3950
[ 8.665642] x29: ffff800008ab3950 x28: 0000000000000000 x27: ffff16350f56a700
[ 8.672994] x26: ffff1635025df080 x25: ffff16350251badc x24: ffff16350251bb90
[ 8.680343] x23: 0000000000000000 x22: 00000000000000bb x21: ffff16350e8f9800
[ 8.687690] x20: ffff16350251ba00 x19: ffff16350cbd5880 x18: ffffffffffffffff
[ 8.695039] x17: 0000000000000000 x16: ffffa2dd12179434 x15: ffffa2dd1431d02d
[ 8.702391] x14: 0000000000000000 x13: ffffa2dd1431d028 x12: 662d79646165726c
[ 8.709740] x11: ffffa2dd13fd2438 x10: 000000000000000a x9 : 00000000000000bb
[ 8.717111] x8 : ffffa2dd13fd23f0 x7 : ffff800008ab3750 x6 : 00000000fffff202
[ 8.724487] x5 : ffff16377e870a18 x4 : 00000000fffff202 x3 : ffff735a6ae1b000
[ 8.731851] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff1635015f8000
[ 8.739217] Call trace:
[ 8.741755] free_irq+0x1e0/0x35c
[ 8.745198] msm_drm_uninit.isra.0+0x14c/0x294 [msm]
[ 8.750548] msm_drm_bind+0x28c/0x5d0 [msm]
[ 8.755081] try_to_bring_up_aggregate_device+0x164/0x1d0
[ 8.760657] __component_add+0xa0/0x170
[ 8.764626] component_add+0x14/0x20
[ 8.768337] dp_display_probe+0x2a4/0x464 [msm]
[ 8.773242] platform_probe+0x68/0xe0
[ 8.777043] really_probe.part.0+0x9c/0x28c
[ 8.781368] __driver_probe_device+0x98/0x144
[ 8.785871] driver_probe_device+0x40/0x140
[ 8.790191] __device_attach_driver+0xb4/0x120
[ 8.794788] bus_for_each_drv+0x78/0xd0
[ 8.798751] __device_attach+0xdc/0x184
[ 8.802713] device_initial_probe+0x14/0x20
[ 8.807031] bus_probe_device+0x9c/0xa4
[ 8.810991] deferred_probe_work_func+0x88/0xc0
[ 8.815667] process_one_work+0x1d0/0x320
[ 8.819809] worker_thread+0x14c/0x444
[ 8.823688] kthread+0x10c/0x110
[ 8.827036] ret_from_fork+0x10/0x20
Patchwork: https://patchwork.freedesktop.org/patch/485422/
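
The error-path pattern described above, as an added user-space C model; it is not the msm driver's code or the upstream patch. The mock_* functions, the irq_requested flag and run_probe() are hypothetical names, and the mock IRQ table is constructed for the example.

```c
/* User-space model, constructed for illustration; not the msm driver's code. */
#include <stdbool.h>
#include <stdio.h>

static bool irq_in_use[256];   /* mock IRQ table: true once requested */
static int bogus_frees;        /* frees of an IRQ that was never requested */

static int mock_request_irq(int irq) {
    irq_in_use[irq] = true;
    return 0;
}

static void mock_free_irq(int irq) {
    if (!irq_in_use[irq])
        bogus_frees++;         /* the condition the kernel warns about */
    irq_in_use[irq] = false;
}

struct mock_dev { int irq; bool irq_requested; /* hypothetical flag */ };

/* Teardown shared by normal removal and by the init error path. */
static void mock_uninit(struct mock_dev *d, bool guarded) {
    if (!guarded || d->irq_requested)
        mock_free_irq(d->irq);
    d->irq_requested = false;
}

/* fail_early models an error that happens before the request step. */
static int mock_init(struct mock_dev *d, bool fail_early, bool guarded) {
    int ret = fail_early ? -22 /* -EINVAL */ : mock_request_irq(d->irq);
    if (ret)
        mock_uninit(d, guarded);   /* error path reuses the full teardown */
    else
        d->irq_requested = true;
    return ret;
}

/* One probe, plus removal if it succeeded; returns the bogus-free count. */
static int run_probe(bool fail_early, bool guarded) {
    struct mock_dev d = { .irq = 187, .irq_requested = false };
    bogus_frees = 0;
    irq_in_use[d.irq] = false;
    if (mock_init(&d, fail_early, guarded) == 0)
        mock_uninit(&d, guarded);
    return bogus_frees;
}

int main(void) {
    printf("early failure: unguarded=%d guarded=%d bogus free(s)\n",
           run_probe(true, false), run_probe(true, true));
    return 0;
}
```

The guard changes nothing on the success path: the IRQ is still released exactly once at removal.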