{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-50560", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-10-22T13:20:23.759Z", "datePublished": "2025-10-22T13:23:20.117Z", "dateUpdated": "2025-10-22T13:23:20.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-22T13:23:20.117Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn't being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device's struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[ +0.000014] =============================================================\n[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000005] dump_backtrace+0x1ec/0x280\n[ +0.000011] show_stack+0x24/0x80\n[ +0.000007] dump_stack_lvl+0x98/0xd4\n[ +0.000010] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000007] kasan_report+0xb8/0xfc\n[ +0.000007] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] find_components+0x468/0x500\n[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390\n[ +0.000009] __component_add+0x1dc/0x49c\n[ +0.000009] component_add+0x20/0x30\n[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[ +0.000013] platform_probe+0xd0/0x220\n[ +0.000008] really_probe+0x3ac/0xa80\n[ +0.000008] __driver_probe_device+0x1f8/0x400\n[ +0.000008] driver_probe_device+0x68/0x1b0\n[ +0.000008] __driver_attach+0x20c/0x480\n[ +0.000009] bus_for_each_dev+0x114/0x1b0\n[ +0.000007] driver_attach+0x48/0x64\n[ +0.000009] bus_add_driver+0x390/0x564\n[ +0.000007] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[ +0.000014] do_one_initcall+0xc4/0x2b0\n[ +0.000008] do_init_module+0x154/0x570\n[ +0.000010] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000008] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64_sync+0x18c/0x190\n\n[ +0.000014] Allocated by task 902:\n[ +0.000007] kasan_save_stack+0x2c/0x5c\n[ +0.000009] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc_node+0x240/0x580\n[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac\n[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0\n[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490\n[ +0.000009] __alloc_skb+0x1d4/0x310\n[ +0.000010] alloc_skb_with_frags+0x8c/0x620\n[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0\n[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0\n[ +0.000010] sock_sendmsg+0xcc/0x110\n[ +0.000007] sock_write_iter+0x1d0/0x304\n[ +0.000008] new_sync_write+0x364/0x460\n[ +0.000007] vfs_write+0x420/0x5ac\n[ +0.000008] ksys_write+0x19c/0x1f0\n[ +0.000008] __arm64_sys_write+0x78/0xb0\n[ +0.000007] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000008] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000013] Freed by task 2509:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000007] kasan_set_track+0x2c/0x40\n[ +0.000008] kasan_set_free_info+0x28/0x50\n[ +0.000008] ____kasan_slab_free+0x128/0x1d4\n[ +0.000008] __kasan_slab_free+0x18/0x24\n[ +0.000007] slab_free_freelist_hook+0x108/0x230\n[ +0.000010] \n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/meson/meson_drv.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8a427a22839daacd36531a62c83d5c9cd6f20657", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "587c7da877219e6185217bf64418e62e114dab1e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f11aa996fc01888f870be0e79ba71526888c0d8a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6ef20de2fe0ee1decedbfabb17782897ca27bfe5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "8616f2a0589a80e08434212324250eb22f6a66ce", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/meson/meson_drv.c"], "versions": [{"version": "5.10.150", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.75", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.17", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0.3", "lessThanOrEqual": "6.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657"}, {"url": "https://git.kernel.org/stable/c/587c7da877219e6185217bf64418e62e114dab1e"}, {"url": "https://git.kernel.org/stable/c/f11aa996fc01888f870be0e79ba71526888c0d8a"}, {"url": "https://git.kernel.org/stable/c/6ef20de2fe0ee1decedbfabb17782897ca27bfe5"}, {"url": "https://git.kernel.org/stable/c/8616f2a0589a80e08434212324250eb22f6a66ce"}], "title": "drm/meson: explicitly remove aggregate driver at module unload time", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: explicitly remove aggregate driver at module unload time\n\nBecause component_master_del wasn't being called when unloading the\nmeson_drm module, the aggregate device would linger forever in the global\naggregate_devices list. That means when unloading and reloading the\nmeson_dw_hdmi module, component_add would call into\ntry_to_bring_up_aggregate_device and find the unbound meson_drm aggregate\ndevice.\n\nThis would in turn dereference some of the aggregate_device's struct\nentries which point to memory automatically freed by the devres API when\nunbinding the aggregate device from meson_drv_unbind, and trigger an\nuse-after-free bug:\n\n[ +0.000014] =============================================================\n[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500\n[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536\n[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1\n[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[ +0.000008] Call trace:\n[ +0.000005] dump_backtrace+0x1ec/0x280\n[ +0.000011] show_stack+0x24/0x80\n[ +0.000007] dump_stack_lvl+0x98/0xd4\n[ +0.000010] print_address_description.constprop.0+0x80/0x520\n[ +0.000011] print_report+0x128/0x260\n[ +0.000007] kasan_report+0xb8/0xfc\n[ +0.000007] __asan_report_load8_noabort+0x3c/0x50\n[ +0.000009] find_components+0x468/0x500\n[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390\n[ +0.000009] __component_add+0x1dc/0x49c\n[ +0.000009] component_add+0x20/0x30\n[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]\n[ +0.000013] platform_probe+0xd0/0x220\n[ +0.000008] really_probe+0x3ac/0xa80\n[ +0.000008] __driver_probe_device+0x1f8/0x400\n[ +0.000008] driver_probe_device+0x68/0x1b0\n[ +0.000008] __driver_attach+0x20c/0x480\n[ +0.000009] bus_for_each_dev+0x114/0x1b0\n[ +0.000007] driver_attach+0x48/0x64\n[ +0.000009] bus_add_driver+0x390/0x564\n[ +0.000007] driver_register+0x1a8/0x3e4\n[ +0.000009] __platform_driver_register+0x6c/0x94\n[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]\n[ +0.000014] do_one_initcall+0xc4/0x2b0\n[ +0.000008] do_init_module+0x154/0x570\n[ +0.000010] load_module+0x1a78/0x1ea4\n[ +0.000008] __do_sys_init_module+0x184/0x1cc\n[ +0.000008] __arm64_sys_init_module+0x78/0xb0\n[ +0.000008] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000008] el0_svc+0x68/0x1a0\n[ +0.000009] el0t_64_sync_handler+0x11c/0x150\n[ +0.000009] el0t_64_sync+0x18c/0x190\n\n[ +0.000014] Allocated by task 902:\n[ +0.000007] kasan_save_stack+0x2c/0x5c\n[ +0.000009] __kasan_kmalloc+0x90/0xd0\n[ +0.000007] __kmalloc_node+0x240/0x580\n[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac\n[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0\n[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490\n[ +0.000009] __alloc_skb+0x1d4/0x310\n[ +0.000010] alloc_skb_with_frags+0x8c/0x620\n[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0\n[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0\n[ +0.000010] sock_sendmsg+0xcc/0x110\n[ +0.000007] sock_write_iter+0x1d0/0x304\n[ +0.000008] new_sync_write+0x364/0x460\n[ +0.000007] vfs_write+0x420/0x5ac\n[ +0.000008] ksys_write+0x19c/0x1f0\n[ +0.000008] __arm64_sys_write+0x78/0xb0\n[ +0.000007] invoke_syscall+0x74/0x260\n[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260\n[ +0.000009] do_el0_svc+0x50/0x70\n[ +0.000007] el0_svc+0x68/0x1a0\n[ +0.000008] el0t_64_sync_handler+0x11c/0x150\n[ +0.000008] el0t_64_sync+0x18c/0x190\n\n[ +0.000013] Freed by task 2509:\n[ +0.000008] kasan_save_stack+0x2c/0x5c\n[ +0.000007] kasan_set_track+0x2c/0x40\n[ +0.000008] kasan_set_free_info+0x28/0x50\n[ +0.000008] ____kasan_slab_free+0x128/0x1d4\n[ +0.000008] __kasan_slab_free+0x18/0x24\n[ +0.000007] slab_free_freelist_hook+0x108/0x230\n[ +0.000010] \n---truncated---"}], "id": "CVE-2022-50560", "lastModified": "2025-10-22T21:12:48.953", "metrics": {}, "published": "2025-10-22T14:15:40.737", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/587c7da877219e6185217bf64418e62e114dab1e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ef20de2fe0ee1decedbfabb17782897ca27bfe5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8616f2a0589a80e08434212324250eb22f6a66ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f11aa996fc01888f870be0e79ba71526888c0d8a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drm/meson: explicitly remove aggregate driver at module unload time", "id": "2405751", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405751"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2022-50560", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-10-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-50560\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50560\nhttps://lore.kernel.org/linux-cve-announce/2025102206-CVE-2022-50560-bf0d@gregkh/T"], "threat_severity": "Moderate"}

{}