Bug 2420337 (CVE-2022-50672)

Summary: CVE-2022-50672 kernel: mailbox: zynq-ipi: fix error handling while device_register() fails
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in the Xilinx ZynqMP IPI mailbox driver in the Linux kernel. When device_register() fails, two issues occur: the name allocated by dev_set_name() is leaked, and a subsequent call to device_unregister() in zynqmp_ipi_free_mboxes() causes a kernel crash when attempting to remove a device that was never successfully added. This can lead to memory leaks and kernel crashes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-09 02:03:54 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mailbox: zynq-ipi: fix error handling while device_register() fails

If device_register() fails, it has two issues:
1. The name allocated by dev_set_name() is leaked.
2. The parent of device is not NULL, device_unregister() is called
   in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because
   of removing not added device.

Call put_device() to give up the reference, so the name is freed in
kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()
to avoid null-ptr-deref.
Comment 1 Alexander B 2025-12-09 19:36:49 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120947-CVE-2022-50672-d9b1@gregkh/T