CVE-2022-50398

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50398
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50398.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50398
Published
2025-09-18T13:33:15Z
Modified
2025-10-15T02:06:35.289329Z
Summary
drm/msm/dp: add atomic_check to bridge ops
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: add atomic_check to bridge ops

DRM commit_tails() will disable the downstream crtc/encoder/bridge if both disabling the crtc is required and crtc->active is set, before pushing a new frame downstream.

There is a rare case where the user space display manager issues an extra screen update immediately followed by closing the DRM device while the downstream display interface is disabled. This extra screen update will time out because the downstream interface is disabled, but will cause crtc->active to be set. Hence the following commit_tails() called by drm_release() will pass the condition checks for disabling the downstream crtc/encoder/bridge even though the downstream interface is disabled. This causes a crash at dp_bridge_disable() because it tries to access the main link register to push the idle pattern out while the main link clocks are disabled.

This patch adds atomic_check to ensure the extra frame is not pushed down if the display interface is down, so that crtc->active will not be set either. This will fail the condition checks for disabling the downstream crtc/encoder/bridge, which prevents drm_release() from calling dp_bridge_disable(), so the crash at dp_bridge_disable() is prevented.

There is no protection in the DRM framework to check if the display pipeline has been already disabled before trying again. The only check is the crtc_state->active but this is controlled by usermode using UAPI. Hence if the usermode sets this and then crashes, the driver needs to protect against double disable.

SError Interrupt on CPU7, code 0x00000000be000411 -- SError
CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19
Hardware name: Google Lazor (rev3 - 8) (DT)
pstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __cmpxchg_case_acq_32+0x14/0x2c
lr : do_raw_spin_lock+0xa4/0xdc
sp : ffffffc01092b6a0
x29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038
x26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000
x23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008
x20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000
x17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0
x14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4
x8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001
x5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0
Kernel panic - not syncing: Asynchronous SError Interrupt
CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19
Hardware name: Google Lazor (rev3 - 8) (DT)
Call trace:
 dump_backtrace.part.0+0xbc/0xe4
 show_stack+0x24/0x70
 dump_stack_lvl+0x68/0x84
 dump_stack+0x18/0x34
 panic+0x14c/0x32c
 nmi_panic+0x58/0x7c
 arm64_serror_panic+0x78/0x84
 do_serror+0x40/0x64
 el1h_64_error_handler+0x30/0x48
 el1h_64_error+0x68/0x6c
 __cmpxchg_case_acq_32+0x14/0x2c
 _raw_spin_lock_irqsave+0x38/0x4c
 lock_timer_base+0x40/0x78
 __mod_timer+0xf4/0x25c
 schedule_timeout+0xd4/0xfc
 __wait_for_common+0xac/0x140
 wait_for_completion_timeout+0x2c/0x54
 dp_ctrl_push_idle+0x40/0x88
 dp_bridge_disable+0x24/0x30
 drm_atomic_bridge_chain_disable+0x90/0xbc
 drm_atomic_helper_commit_modeset_disables+0x198/0x444
 msm_atomic_commit_tail+0x1d0/0x374
 commit_tail+0x80/0x108
 drm_atomic_helper_commit+0x118/0x11c
 drm_atomic_commit+0xb4/0xe0
 drm_client_modeset_commit_atomic+0x184/0x224
 drm_client_modeset_commit_locked+0x58/0x160
 drm_client_modeset_commit+0x3c/0x64
 __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac
 drm_fb_helper_set_par+0x74/0x80
 drm_fb_helper_hotplug_event+0xdc/0xe0
 __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac
 drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c
 drm_fb_helper_lastclose+0x20/0x2c
 drm_lastclose+0x44/0x6c
 drm_release+0x88/0xd4
 __fput+0x104/0x220
 ____fput+0x1c/0x28
 task_work_run+0x8c/0x100
 d ---truncated---

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a3b4c17f863cde8e8743edd8faffe916c49b960
Fixed
d106b866439c63a618d020477bfbe7b46c759657
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8a3b4c17f863cde8e8743edd8faffe916c49b960
Fixed
3a661247967a6f3c99a95a8ba4c8073c5846ea4b

Affected versions

v5.*

v5.16
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "line_hashes": [
                    "110672329013985970349674904616550446271",
                    "286037450396778374132461860445123940072",
                    "172248486184421990453647128848570016900",
                    "2117752049512094067680152834191203637",
                    "54822260451445082757418894655337096803",
                    "263970568702375544242609409728999165903",
                    "181553294939405475065047514239919517525",
                    "248184698280265398480066017181851798627",
                    "273587874012936697723691638345647387337",
                    "239903787552723912904366212992065801579",
                    "138732377436119516909278989699156447554"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "drivers/gpu/drm/msm/dp/dp_drm.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a661247967a6f3c99a95a8ba4c8073c5846ea4b",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2022-50398-1c581c68"
        },
        {
            "digest": {
                "line_hashes": [
                    "110672329013985970349674904616550446271",
                    "286037450396778374132461860445123940072",
                    "172248486184421990453647128848570016900",
                    "2117752049512094067680152834191203637",
                    "54822260451445082757418894655337096803",
                    "263970568702375544242609409728999165903",
                    "181553294939405475065047514239919517525",
                    "248184698280265398480066017181851798627",
                    "273587874012936697723691638345647387337",
                    "239903787552723912904366212992065801579",
                    "138732377436119516909278989699156447554"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "drivers/gpu/drm/msm/dp/dp_drm.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d106b866439c63a618d020477bfbe7b46c759657",
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2022-50398-ce414e42"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.0.7