Bug 2395436 (CVE-2022-50317) - CVE-2022-50317 kernel: drm/bridge: megachips: Fix a null pointer dereference bug
Summary: CVE-2022-50317 kernel: drm/bridge: megachips: Fix a null pointer dereference bug
Keywords:
Status: NEW
Alias: CVE-2022-50317
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-15 15:13 UTC by OSIDB Bzimport
Modified: 2025-09-18 15:13 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:13:45 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: megachips: Fix a null pointer dereference bug

When removing the module we will get the following warning:

[   31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered
[   31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
[   31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[   31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130
[   31.921825] Call Trace:
[   31.922533]  stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]
[   31.923139]  i2c_device_remove+0x181/0x1f0

The two bridges (stdp2690, stdp4028) do not probe at the same time, so
the driver does not call ge_b850v3_resgiter() when probing, causing the
driver to try to remove the object that has not been initialized.

Fix this by checking whether both the bridges are probed.
Comment 1 Jon Moroney 2025-09-15 16:09:34 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091552-CVE-2022-50317-6b3b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.