DEBIAN-CVE-2022-49900

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2022-49900
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49900.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-49900
Upstream
Published
2025-05-01T15:16:15Z
Modified
2025-09-25T03:20:43.790070Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: i2c: piix4: Fix adapter not be removed in piix4remove() In piix4probe(), the piix4 adapter will be registered in: piix4probe() piix4addadapterssb800() / piix4addadapter() i2caddadapter() Based on the probed device type, piix4addadapterssb800() or single piix4addadapter() will be called. For the former case, piix4adaptercount is set as the number of adapters, while for antoher case it is not set and kept default *zero*. When piix4 is removed, piix4remove() removes the adapters added in piix4probe(), basing on the piix4adaptercount value. Because the count is zero for the single adapter case, the adapter won't be removed and makes the sources allocated for adapter leaked, such as the i2c client and device. These sources can still be accessed by i2c or bus and cause problems. An easily reproduced case is that if a new adapter is registered, i2c will get the leaked adapter and try to call smbusalgorithm, which was already freed: Triggered by: rmmod i2cpiix4 && modprobe max31730 BUG: unable to handle page fault for address: ffffffffc053d860 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2cdefaultprobe (drivers/i2c/i2c-core-base.c:2259) i2ccore RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... <TASK> i2cdetect (drivers/i2c/i2c-core-base.c:2302) i2ccore _processnewdriver (drivers/i2c/i2c-core-base.c:1336) i2ccore busforeachdev (drivers/base/bus.c:301) i2cforeachdev (drivers/i2c/i2c-core-base.c:1823) i2ccore i2cregisterdriver (drivers/i2c/i2c-core-base.c:1861) i2ccore dooneinitcall (init/main.c:1296) doinitmodule (kernel/module/main.c:2455) ... </TASK> ---[ end trace 0000000000000000 ]--- Fix this problem by correctly set piix4adapter_count as 1 for the single adapter so it can be normally removed.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.158-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}