In the Linux kernel, the following vulnerability has been resolved:
drm/fbdev-dma: Only cleanup deferred I/O if necessary
Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if necessary") initializes deferred I/O only if it is used. drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup() unconditionally with struct fb_info.fbdefio == NULL. KASAN with the out-of-tree Apple silicon display driver posts the following warning from __flush_work() of a random struct work_struct instead of the expected NULL pointer derefs.
[ 22.053799] ------------[ cut here ]------------
[ 22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580
[ 22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 apple_drm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adp_drm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram
[ 22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev
[ 22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 22.078567] pc : __flush_work+0x4d8/0x580
[ 22.079471] lr : __flush_work+0x54/0x580
[ 22.080345] sp : ffffc000836ef820
[ 22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128
[ 22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358
[ 22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470
[ 22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000
[ 22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005
[ 22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000
[ 22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e
[ 22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001
[ 22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020
[ 22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000
[ 22.096955] Call trace:
[ 22.097505]  __flush_work+0x4d8/0x580
[ 22.098330]  flush_delayed_work+0x80/0xb8
[ 22.099231]  fb_deferred_io_cleanup+0x3c/0x130
[ 22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]
[ 22.101559]  unregister_framebuffer+0x210/0x2f0
[ 22.102575]  drm_fb_helper_unregister_info+0x48/0x60
[ 22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]
[ 22.105147]  drm_client_dev_unregister+0x1cc/0x230
[ 22.106217]  drm_dev_unregister+0x58/0x570
[ 22.107125]  apple_drm_unbind+0x50/0x98 [apple_drm]
[ 22.108199]  component_del+0x1f8/0x3a8
[ 22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]
[ 22.110357]  platform_shutdown+0x70/0x90
[ 22.111219]  device_shutdown+0x368/0x4d8
[ 22.112095]  kernel_restart+0x6c/0x1d0
[ 22.112946]  __arm64_sys_reboot+0x1c8/0x328
[ 22.113868]  invoke_syscall+0x78/0x1a8
[ 22.114703]  do_el0_svc+0x124/0x1a0
[ 22.115498]  el0_svc+0x3c/0xe0
[ 22.116181]  el0t_64_sync_handler+0x70/0xc0
[ 22.117110]  el0t_64_sync+0x190/0x198
[ 22.117931] ---[ end trace 0000000000000000 ]---