{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48759","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-06-20T11:09:39.059Z","datePublished":"2024-06-20T11:13:37.872Z","dateUpdated":"2025-05-04T08:22:30.247Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:22:30.247Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev\n\nstruct rpmsg_ctrldev contains a struct cdev. The current code frees\nthe rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the\ncdev is a managed object, therefore its release is not predictable\nand the rpmsg_ctrldev could be freed before the cdev is entirely\nreleased, as in the backtrace below.\n\n[   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c\n[   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0\n[   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v\n[   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26\n[   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)\n[   93.730055] Workqueue: events kobject_delayed_cleanup\n[   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)\n[   93.740216] pc : debug_print_object+0x13c/0x1b0\n[   93.744890] lr : debug_print_object+0x13c/0x1b0\n[   93.749555] sp : ffffffacf5bc7940\n[   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000\n[   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000\n[   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000\n[   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0\n[   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0\n[   93.780338] x19: ffffffd075199100 x18: 00000000000276e0\n[   93.785814] x17: 0000000000000000 x16: dfffffd000000000\n[   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c\n[   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000\n[   93.802244] x11: 0000000000000001 x10: 0000000000000000\n[   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900\n[   93.813200] x7 : 0000000000000000 x6 : 0000000000000000\n[   93.818676] x5 : 0000000000000080 x4 : 0000000000000000\n[   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001\n[   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061\n[   93.835104] Call trace:\n[   93.837644]  debug_print_object+0x13c/0x1b0\n[   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0\n[   93.846987]  debug_check_no_obj_freed+0x18/0x20\n[   93.851669]  slab_free_freelist_hook+0xbc/0x1e4\n[   93.856346]  kfree+0xfc/0x2f4\n[   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8\n[   93.864445]  device_release+0x84/0x168\n[   93.868310]  kobject_cleanup+0x12c/0x298\n[   93.872356]  kobject_delayed_cleanup+0x10/0x18\n[   93.876948]  process_one_work+0x578/0x92c\n[   93.881086]  worker_thread+0x804/0xcf8\n[   93.884963]  kthread+0x2a8/0x314\n[   93.888303]  ret_from_fork+0x10/0x18\n\nThe cdev_device_add/del() API was created to address this issue (see\ncommit '233ed09d7fda (\"chardev: add helper function to register char\ndevs with a struct device\")'), use it instead of cdev add/del()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/rpmsg/rpmsg_char.c"],"versions":[{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"74d85e9fbc7022a4011102c7474a9c7aeb704a35","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"70cb4295ec806b663665e1d2ed15caab6159880e","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"da27b834c1e0222e149e06caddf7718478086d1b","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"1dbb206730f3e5ce90014ad569ddf8167ec4124a","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"85aba11a8ea92a8eef2de95ebbe063086fd62d9c","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7","status":"affected","versionType":"git"},{"version":"c0cdc19f84a4712cf74888f83af286e3c2e14efd","lessThan":"b7fb2dad571d1e21173c06cef0bced77b323990a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/rpmsg/rpmsg_char.c"],"versions":[{"version":"4.11","status":"affected"},{"version":"0","lessThan":"4.11","status":"unaffected","versionType":"semver"},{"version":"4.14.265","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.228","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.176","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.96","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.19","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.5","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"4.14.265"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"4.19.228"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.4.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.10.96"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.15.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.16.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11","versionEndExcluding":"5.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/74d85e9fbc7022a4011102c7474a9c7aeb704a35"},{"url":"https://git.kernel.org/stable/c/70cb4295ec806b663665e1d2ed15caab6159880e"},{"url":"https://git.kernel.org/stable/c/da27b834c1e0222e149e06caddf7718478086d1b"},{"url":"https://git.kernel.org/stable/c/1dbb206730f3e5ce90014ad569ddf8167ec4124a"},{"url":"https://git.kernel.org/stable/c/85aba11a8ea92a8eef2de95ebbe063086fd62d9c"},{"url":"https://git.kernel.org/stable/c/d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7"},{"url":"https://git.kernel.org/stable/c/b7fb2dad571d1e21173c06cef0bced77b323990a"}],"title":"rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-20T15:44:05.243673Z","id":"CVE-2022-48759","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-20T15:44:14.329Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:25:00.922Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/74d85e9fbc7022a4011102c7474a9c7aeb704a35","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/70cb4295ec806b663665e1d2ed15caab6159880e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/da27b834c1e0222e149e06caddf7718478086d1b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1dbb206730f3e5ce90014ad569ddf8167ec4124a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/85aba11a8ea92a8eef2de95ebbe063086fd62d9c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/d6cdc6ae542845d4d0ac8b6d99362bde7042a3c7","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b7fb2dad571d1e21173c06cef0bced77b323990a","tags":["x_transferred"]}]}]}}