CVE-2022-50133

In the Linux kernel, the following vulnerability has been resolved:

usb: xhciplatremove: avoid NULL dereference

Since commit 4736ebd7fcaff1eb8481c140ba494962847d6e0a ("usb: host: xhci-plat: omit shared hcd if either root hub has no ports") xhci->shared_hcd can be NULL, which causes the following Oops on reboot:

[ 710.298861] xhci-hcd xhci-hcd.2.auto: remove, state 4 [ 710.304217] usb usb3: USB disconnect, device number 1 [ 710.317441] xhci-hcd xhci-hcd.2.auto: USB bus 3 deregistered [ 710.323280] xhci-hcd xhci-hcd.2.auto: remove, state 1 [ 710.328401] usb usb2: USB disconnect, device number 1 [ 710.333515] usb 2-3: USB disconnect, device number 2 [ 710.467649] xhci-hcd xhci-hcd.2.auto: USB bus 2 deregistered [ 710.475450] Unable to handle kernel NULL pointer dereference at virtual address 00000000000003b8 [ 710.484425] Mem abort info: [ 710.487265] ESR = 0x0000000096000004 [ 710.491060] EC = 0x25: DABT (current EL), IL = 32 bits [ 710.496427] SET = 0, FnV = 0 [ 710.499525] EA = 0, S1PTW = 0 [ 710.502716] FSC = 0x04: level 0 translation fault [ 710.507648] Data abort info: [ 710.510577] ISV = 0, ISS = 0x00000004 [ 710.514462] CM = 0, WnR = 0 [ 710.517480] user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b0050000 [ 710.523976] [00000000000003b8] pgd=0000000000000000, p4d=0000000000000000 [ 710.530961] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 710.536551] Modules linked in: rfkill inputleds sndsocsimplecard sndsocsimplecardutils sndsocnau8822 designwarei2s sndsoccore dwhdmiahbaudio sndpcmdmaengine armccn panfrost ac97bus gpusched sndpcm at24 fuse configfs sdhciofdwcmshc sdhcipltfm sdhci nvme ledclass mmccore nvmecore bt1pvt polynomial tpserio sndseqmidi sndseqmidievent sndseq sndtimer sndrawmidi sndseqdevice snd soundcore efivarfs ipv6 [ 710.575286] CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 5.19.0-rc7-00043-gfd8619f4fd54 #1 [ 710.583822] Hardware name: T-Platforms TF307-MB/BM1BM1-A, BIOS 5.6 07/06/2022 [ 710.590972] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 710.597949] pc : usbremovehcd+0x34/0x1e4 [ 710.602067] lr : xhciplatremove+0x74/0x140 [ 710.606351] sp : ffff800009f3b7c0 [ 710.609674] x29: ffff800009f3b7c0 x28: ffff000800960040 x27: 0000000000000000 [ 710.616833] x26: ffff800008dc22a0 x25: 0000000000000000 x24: 0000000000000000 [ 710.623992] x23: 0000000000000000 x22: ffff000805465810 x21: ffff000805465800 [ 710.631149] x20: ffff000800f80000 x19: 0000000000000000 x18: ffffffffffffffff [ 710.638307] x17: ffff000805096000 x16: ffff00080633b800 x15: ffff000806537a1c [ 710.645465] x14: 0000000000000001 x13: 0000000000000000 x12: ffff00080378d6f0 [ 710.652621] x11: ffff00080041a900 x10: ffff800009b204e8 x9 : ffff8000088abaa4 [ 710.659779] x8 : ffff000800960040 x7 : ffff800009409000 x6 : 0000000000000001 [ 710.666936] x5 : ffff800009241000 x4 : ffff800009241440 x3 : 0000000000000000 [ 710.674094] x2 : ffff000800960040 x1 : ffff000800960040 x0 : 0000000000000000 [ 710.681251] Call trace: [ 710.683704] usbremovehcd+0x34/0x1e4 [ 710.687467] xhciplatremove+0x74/0x140 [ 710.691400] platformremove+0x34/0x70 [ 710.695165] deviceremove+0x54/0x90 [ 710.698753] devicereleasedriverinternal+0x200/0x270 [ 710.703992] devicereleasedriver+0x24/0x30 [ 710.708273] busremovedevice+0xe0/0x16c [ 710.712293] devicedel+0x178/0x390 [ 710.715797] platformdevicedel.part.0+0x24/0x90 [ 710.720514] platformdeviceunregister+0x30/0x50 [ 710.725232] dwc3hostexit+0x20/0x30 [ 710.728907] dwc3remove+0x174/0x1b0 [ 710.732494] platformremove+0x34/0x70 [ 710.736254] deviceremove+0x54/0x90 [ 710.739840] devicereleasedriverinternal+0x200/0x270 [ 710.745078] devicereleasedriver+0x24/0x30 [ 710.749359] busremovedevice+0xe0/0x16c [ 710.753380] devicedel+0x178/0x390 [ 710.756881] platformdevice_del.part ---truncated---