CVE-2022-50398 - Vulnerability Details

Link	Providers
https://git.kernel.org/stable/c/3a661247967a6f3c99a95a8ba4c8073c5846ea4b
https://git.kernel.org/stable/c/d106b866439c63a618d020477bfbe7b46c759657

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: add atomic_check to bridge ops DRM commit_tails() will disable downstream crtc/encoder/bridge if both disable crtc is required and crtc->active is set before pushing a new frame downstream. There is a rare case that user space display manager issue an extra screen update immediately followed by close DRM device while down stream display interface is disabled. This extra screen update will timeout due to the downstream interface is disabled but will cause crtc->active be set. Hence the followed commit_tails() called by drm_release() will pass the disable downstream crtc/encoder/bridge conditions checking even downstream interface is disabled. This cause the crash to happen at dp_bridge_disable() due to it trying to access the main link register to push the idle pattern out while main link clocks is disabled. This patch adds atomic_check to prevent the extra frame will not be pushed down if display interface is down so that crtc->active will not be set neither. This will fail the conditions checking of disabling down stream crtc/encoder/bridge which prevent drm_release() from calling dp_bridge_disable() so that crash at dp_bridge_disable() prevented. There is no protection in the DRM framework to check if the display pipeline has been already disabled before trying again. The only check is the crtc_state->active but this is controlled by usermode using UAPI. Hence if the usermode sets this and then crashes, the driver needs to protect against double disable. SError Interrupt on CPU7, code 0x00000000be000411 -- SError CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19 Hardware name: Google Lazor (rev3 - 8) (DT) pstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __cmpxchg_case_acq_32+0x14/0x2c lr : do_raw_spin_lock+0xa4/0xdc sp : ffffffc01092b6a0 x29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038 x26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000 x23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008 x20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000 x17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0 x14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4 x8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001 x5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0 x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0 Kernel panic - not syncing: Asynchronous SError Interrupt CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19 Hardware name: Google Lazor (rev3 - 8) (DT) Call trace: dump_backtrace.part.0+0xbc/0xe4 show_stack+0x24/0x70 dump_stack_lvl+0x68/0x84 dump_stack+0x18/0x34 panic+0x14c/0x32c nmi_panic+0x58/0x7c arm64_serror_panic+0x78/0x84 do_serror+0x40/0x64 el1h_64_error_handler+0x30/0x48 el1h_64_error+0x68/0x6c __cmpxchg_case_acq_32+0x14/0x2c _raw_spin_lock_irqsave+0x38/0x4c lock_timer_base+0x40/0x78 __mod_timer+0xf4/0x25c schedule_timeout+0xd4/0xfc __wait_for_common+0xac/0x140 wait_for_completion_timeout+0x2c/0x54 dp_ctrl_push_idle+0x40/0x88 dp_bridge_disable+0x24/0x30 drm_atomic_bridge_chain_disable+0x90/0xbc drm_atomic_helper_commit_modeset_disables+0x198/0x444 msm_atomic_commit_tail+0x1d0/0x374 commit_tail+0x80/0x108 drm_atomic_helper_commit+0x118/0x11c drm_atomic_commit+0xb4/0xe0 drm_client_modeset_commit_atomic+0x184/0x224 drm_client_modeset_commit_locked+0x58/0x160 drm_client_modeset_commit+0x3c/0x64 __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac drm_fb_helper_set_par+0x74/0x80 drm_fb_helper_hotplug_event+0xdc/0xe0 __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c drm_fb_helper_lastclose+0x20/0x2c drm_lastclose+0x44/0x6c drm_release+0x88/0xd4 __fput+0x104/0x220 ____fput+0x1c/0x28 task_work_run+0x8c/0x100 d ---truncated---
Title		drm/msm/dp: add atomic_check to bridge ops
References		https://git.kernel.org/stable/c/3a661247967a6f3c99a95a8ba4c8073c5846ea4b https://git.kernel.org/stable/c/d106b866439c63a618d020477bfbe7b46c759657

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50398", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-09-17T14:53:06.999Z", "datePublished": "2025-09-18T13:33:15.877Z", "dateUpdated": "2025-09-18T13:33:15.877Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-18T13:33:15.877Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: add atomic_check to bridge ops\n\nDRM commit_tails() will disable downstream crtc/encoder/bridge if\nboth disable crtc is required and crtc->active is set before pushing\na new frame downstream.\n\nThere is a rare case that user space display manager issue an extra\nscreen update immediately followed by close DRM device while down\nstream display interface is disabled. This extra screen update will\ntimeout due to the downstream interface is disabled but will cause\ncrtc->active be set. Hence the followed commit_tails() called by\ndrm_release() will pass the disable downstream crtc/encoder/bridge\nconditions checking even downstream interface is disabled.\nThis cause the crash to happen at dp_bridge_disable() due to it trying\nto access the main link register to push the idle pattern out while main\nlink clocks is disabled.\n\nThis patch adds atomic_check to prevent the extra frame will not\nbe pushed down if display interface is down so that crtc->active\nwill not be set neither. This will fail the conditions checking\nof disabling down stream crtc/encoder/bridge which prevent\ndrm_release() from calling dp_bridge_disable() so that crash\nat dp_bridge_disable() prevented.\n\nThere is no protection in the DRM framework to check if the display\npipeline has been already disabled before trying again. The only\ncheck is the crtc_state->active but this is controlled by usermode\nusing UAPI. Hence if the usermode sets this and then crashes, the\ndriver needs to protect against double disable.\n\nSError Interrupt on CPU7, code 0x00000000be000411 -- SError\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\npstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __cmpxchg_case_acq_32+0x14/0x2c\nlr : do_raw_spin_lock+0xa4/0xdc\nsp : ffffffc01092b6a0\nx29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038\nx26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000\nx23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008\nx20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000\nx17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0\nx14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4\nx8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001\nx5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0\nx2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0\nKernel panic - not syncing: Asynchronous SError Interrupt\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\nCall trace:\n dump_backtrace.part.0+0xbc/0xe4\n show_stack+0x24/0x70\n dump_stack_lvl+0x68/0x84\n dump_stack+0x18/0x34\n panic+0x14c/0x32c\n nmi_panic+0x58/0x7c\n arm64_serror_panic+0x78/0x84\n do_serror+0x40/0x64\n el1h_64_error_handler+0x30/0x48\n el1h_64_error+0x68/0x6c\n __cmpxchg_case_acq_32+0x14/0x2c\n _raw_spin_lock_irqsave+0x38/0x4c\n lock_timer_base+0x40/0x78\n __mod_timer+0xf4/0x25c\n schedule_timeout+0xd4/0xfc\n __wait_for_common+0xac/0x140\n wait_for_completion_timeout+0x2c/0x54\n dp_ctrl_push_idle+0x40/0x88\n dp_bridge_disable+0x24/0x30\n drm_atomic_bridge_chain_disable+0x90/0xbc\n drm_atomic_helper_commit_modeset_disables+0x198/0x444\n msm_atomic_commit_tail+0x1d0/0x374\n commit_tail+0x80/0x108\n drm_atomic_helper_commit+0x118/0x11c\n drm_atomic_commit+0xb4/0xe0\n drm_client_modeset_commit_atomic+0x184/0x224\n drm_client_modeset_commit_locked+0x58/0x160\n drm_client_modeset_commit+0x3c/0x64\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac\n drm_fb_helper_set_par+0x74/0x80\n drm_fb_helper_hotplug_event+0xdc/0xe0\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac\n drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c\n drm_fb_helper_lastclose+0x20/0x2c\n drm_lastclose+0x44/0x6c\n drm_release+0x88/0xd4\n __fput+0x104/0x220\n ____fput+0x1c/0x28\n task_work_run+0x8c/0x100\n d\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/msm/dp/dp_drm.c"], "versions": [{"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960", "lessThan": "d106b866439c63a618d020477bfbe7b46c759657", "status": "affected", "versionType": "git"}, {"version": "8a3b4c17f863cde8e8743edd8faffe916c49b960", "lessThan": "3a661247967a6f3c99a95a8ba4c8073c5846ea4b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/msm/dp/dp_drm.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.7", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d106b866439c63a618d020477bfbe7b46c759657"}, {"url": "https://git.kernel.org/stable/c/3a661247967a6f3c99a95a8ba4c8073c5846ea4b"}], "title": "drm/msm/dp: add atomic_check to bridge ops", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: add atomic_check to bridge ops\n\nDRM commit_tails() will disable downstream crtc/encoder/bridge if\nboth disable crtc is required and crtc->active is set before pushing\na new frame downstream.\n\nThere is a rare case that user space display manager issue an extra\nscreen update immediately followed by close DRM device while down\nstream display interface is disabled. This extra screen update will\ntimeout due to the downstream interface is disabled but will cause\ncrtc->active be set. Hence the followed commit_tails() called by\ndrm_release() will pass the disable downstream crtc/encoder/bridge\nconditions checking even downstream interface is disabled.\nThis cause the crash to happen at dp_bridge_disable() due to it trying\nto access the main link register to push the idle pattern out while main\nlink clocks is disabled.\n\nThis patch adds atomic_check to prevent the extra frame will not\nbe pushed down if display interface is down so that crtc->active\nwill not be set neither. This will fail the conditions checking\nof disabling down stream crtc/encoder/bridge which prevent\ndrm_release() from calling dp_bridge_disable() so that crash\nat dp_bridge_disable() prevented.\n\nThere is no protection in the DRM framework to check if the display\npipeline has been already disabled before trying again. The only\ncheck is the crtc_state->active but this is controlled by usermode\nusing UAPI. Hence if the usermode sets this and then crashes, the\ndriver needs to protect against double disable.\n\nSError Interrupt on CPU7, code 0x00000000be000411 -- SError\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\npstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __cmpxchg_case_acq_32+0x14/0x2c\nlr : do_raw_spin_lock+0xa4/0xdc\nsp : ffffffc01092b6a0\nx29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038\nx26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000\nx23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008\nx20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000\nx17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0\nx14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4\nx8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001\nx5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0\nx2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0\nKernel panic - not syncing: Asynchronous SError Interrupt\nCPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19\nHardware name: Google Lazor (rev3 - 8) (DT)\nCall trace:\n dump_backtrace.part.0+0xbc/0xe4\n show_stack+0x24/0x70\n dump_stack_lvl+0x68/0x84\n dump_stack+0x18/0x34\n panic+0x14c/0x32c\n nmi_panic+0x58/0x7c\n arm64_serror_panic+0x78/0x84\n do_serror+0x40/0x64\n el1h_64_error_handler+0x30/0x48\n el1h_64_error+0x68/0x6c\n __cmpxchg_case_acq_32+0x14/0x2c\n _raw_spin_lock_irqsave+0x38/0x4c\n lock_timer_base+0x40/0x78\n __mod_timer+0xf4/0x25c\n schedule_timeout+0xd4/0xfc\n __wait_for_common+0xac/0x140\n wait_for_completion_timeout+0x2c/0x54\n dp_ctrl_push_idle+0x40/0x88\n dp_bridge_disable+0x24/0x30\n drm_atomic_bridge_chain_disable+0x90/0xbc\n drm_atomic_helper_commit_modeset_disables+0x198/0x444\n msm_atomic_commit_tail+0x1d0/0x374\n commit_tail+0x80/0x108\n drm_atomic_helper_commit+0x118/0x11c\n drm_atomic_commit+0xb4/0xe0\n drm_client_modeset_commit_atomic+0x184/0x224\n drm_client_modeset_commit_locked+0x58/0x160\n drm_client_modeset_commit+0x3c/0x64\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac\n drm_fb_helper_set_par+0x74/0x80\n drm_fb_helper_hotplug_event+0xdc/0xe0\n __drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac\n drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c\n drm_fb_helper_lastclose+0x20/0x2c\n drm_lastclose+0x44/0x6c\n drm_release+0x88/0xd4\n __fput+0x104/0x220\n ____fput+0x1c/0x28\n task_work_run+0x8c/0x100\n d\n---truncated---"}], "id": "CVE-2022-50398", "lastModified": "2025-09-18T14:15:39.000", "metrics": {}, "published": "2025-09-18T14:15:39.000", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a661247967a6f3c99a95a8ba4c8073c5846ea4b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d106b866439c63a618d020477bfbe7b46c759657"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object