CVE-2022-50256

Source
https://cve.org/CVERecord?id=CVE-2022-50256
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50256.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50256
Published
2025-09-15T14:02:39.052Z
Modified
2026-04-02T08:28:22.266864Z
Summary
drm/meson: remove drm bridges at aggregate driver unbind time
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: remove drm bridges at aggregate driver unbind time

drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list.

When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into freed memory.

Once again KASAN revealed the problem:

[ +0.000095] =============================================================
[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120
[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483

[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)
[ +0.000008] Call trace:
[ +0.000006] dump_backtrace+0x1ec/0x280
[ +0.000012] show_stack+0x24/0x80
[ +0.000008] dump_stack_lvl+0x98/0xd4
[ +0.000011] print_address_description.constprop.0+0x80/0x520
[ +0.000011] print_report+0x128/0x260
[ +0.000008] kasan_report+0xb8/0xfc
[ +0.000008] __asan_report_load8_noabort+0x3c/0x50
[ +0.000009] __list_add_valid+0x9c/0x120
[ +0.000009] drm_bridge_add+0x6c/0x104 [drm]
[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]
[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]
[ +0.000014] component_bind+0x174/0x520
[ +0.000012] component_bind_all+0x1a8/0x38c
[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]
[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]
[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390
[ +0.000010] component_master_add_with_match+0x1c8/0x284
[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]
[ +0.000026] platform_probe+0xd0/0x220
[ +0.000009] really_probe+0x3ac/0xa80
[ +0.000009] __driver_probe_device+0x1f8/0x400
[ +0.000009] driver_probe_device+0x68/0x1b0
[ +0.000009] __driver_attach+0x20c/0x480
[ +0.000008] bus_for_each_dev+0x114/0x1b0
[ +0.000009] driver_attach+0x48/0x64
[ +0.000008] bus_add_driver+0x390/0x564
[ +0.000009] driver_register+0x1a8/0x3e4
[ +0.000009] __platform_driver_register+0x6c/0x94
[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]
[ +0.000027] do_one_initcall+0xc4/0x2b0
[ +0.000011] do_init_module+0x154/0x570
[ +0.000011] load_module+0x1a78/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000009] __arm64_sys_init_module+0x78/0xb0
[ +0.000009] invoke_syscall+0x74/0x260
[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260
[ +0.000008] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000012] el0t_64_sync_handler+0x11c/0x150
[ +0.000008] el0t_64_sync+0x18c/0x190

[ +0.000016] Allocated by task 879:
[ +0.000008] kasan_save_stack+0x2c/0x5c
[ +0.000011] __kasan_kmalloc+0x90/0xd0
[ +0.000007] __kmalloc+0x278/0x4a0
[ +0.000011] mpi_resize+0x13c/0x1d0
[ +0.000011] mpi_powm+0xd24/0x1570
[ +0.000009] rsa_enc+0x1a4/0x30c
[ +0.000009] pkcs1pad_verify+0x3f0/0x580
[ +0.000009] public_key_verify_signature+0x7a8/0xba4
[ +0.000010] public_key_verify_signature_2+0x40/0x60
[ +0.000008] verify_signature+0xb4/0x114
[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574
[ +0.000009] pkcs7_validate_trust+0xb8/0x15c
[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0
[ +0.000012] verify_pkcs7_signature+0x78/0xac
[ +0.000007] mod_verify_sig+0x110/0x190
[ +0.000009] module_sig_check+0x114/0x1e0
[ +0.000009] load_module+0xa0/0x1ea4
[ +0.000008] __do_sys_init_module+0x184/0x1cc
[ +0.000008] __arm64_sys_init_module+0x78/0xb0
[ +0.000008] invoke_syscall+0x74/0x260
[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260
[ +0.000008] do_el0_svc+0x50/0x70
[ +0.000007] el0_svc+0x68/0x1a0
[ +0.000009] el0t_64_sync_handler+0x11c/0x150
[ +0.000009] el0t_64 ---truncated---
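
The lifetime bug described above, as an added C model that is not kernel code and not part of the original record: a simplified global list in which unbind either releases a registered bridge while it is still linked, or unlinks it first. The names `bridge`, `bind_encoder`, `unbind_encoder`, `reload_cycle` and the `alive` flag are assumptions for illustration; nothing is actually freed, so the model is safe to run.

```c
#include <stdio.h>

/* Minimal stand-in for the kernel's list_head and the global bridge_list. */
struct list_head { struct list_head *next, *prev; };
static struct list_head bridge_list = { &bridge_list, &bridge_list };

/* Hypothetical bridge model; 'alive' stands in for "memory not yet freed". */
struct bridge { struct list_head node; int alive; };
static struct bridge pool[8];   /* static pool: "freeing" only clears 'alive' */
static int used;

static void bridge_add(struct bridge *b) {        /* link at the list tail */
    b->node.next = &bridge_list; b->node.prev = bridge_list.prev;
    bridge_list.prev->next = &b->node; bridge_list.prev = &b->node;
}
static void bridge_remove(struct bridge *b) {     /* unlink from the list */
    b->node.prev->next = b->node.next; b->node.next->prev = b->node.prev;
}
/* bind: set up an encoder's bridge and register it in the global list. */
static struct bridge *bind_encoder(void) {
    struct bridge *b = &pool[used++];
    b->alive = 1;
    bridge_add(b);
    return b;
}
/* unbind: release the bridge; 'fixed' selects whether it is unlinked first. */
static void unbind_encoder(struct bridge *b, int fixed) {
    if (fixed) bridge_remove(b);
    b->alive = 0;               /* models the driver's memory being freed */
}
/* Count list entries that still point at released memory. */
static int dangling_entries(void) {
    int n = 0;
    for (struct list_head *p = bridge_list.next; p != &bridge_list; p = p->next)
        n += !((struct bridge *)p)->alive;   /* node is the first member */
    return n;
}
/* One load/unload cycle for two encoders (HDMI and CVBS in the record). */
int reload_cycle(int fixed) {
    struct bridge *hdmi = bind_encoder(), *cvbs = bind_encoder();
    unbind_encoder(hdmi, fixed);
    unbind_encoder(cvbs, fixed);
    return dangling_entries();
}
int main(void) {
    printf("unlink before release: %d dangling\n", reload_cycle(1)); /* 0 */
    printf("release while linked:  %d dangling\n", reload_cycle(0)); /* 2 */
    return 0;
}
```

In the model, every cycle that skips the unlink leaves two more stale nodes in the list, which the next add or traversal would touch.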

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50256.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bbbe775ec5b5dace43a35886da9924837da09ddd
Fixed
de2b6ebe0cb7746b5b6b35d79e150d934392b958
Fixed
fc1fd114dde3d2623ac37676df3d74ffeedb0da8
Fixed
09847723c12fc2753749cec3939a02ee92dac468

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50256.json"