{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-50037","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.070Z","datePublished":"2024-10-21T19:39:37.787Z","dateUpdated":"2025-05-04T09:44:23.639Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:44:23.639Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only cleanup deferred I/O if necessary\n\nCommit 5a498d4d06d6 (\"drm/fbdev-dma: Only install deferred I/O if\nnecessary\") initializes deferred I/O only if it is used.\ndrm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()\nunconditionally with struct fb_info.fbdefio == NULL. KASAN with the\nout-of-tree Apple silicon display driver posts following warning from\n__flush_work() of a random struct work_struct instead of the expected\nNULL pointer derefs.\n\n[   22.053799] ------------[ cut here ]------------\n[   22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580\n[   22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram\n[   22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev\n[   22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[   22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[   22.078567] pc : __flush_work+0x4d8/0x580\n[   22.079471] lr : __flush_work+0x54/0x580\n[   22.080345] sp : ffffc000836ef820\n[   22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128\n[   22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358\n[   22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470\n[   22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000\n[   22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005\n[   22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000\n[   22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e\n[   22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001\n[   22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020\n[   22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000\n[   22.096955] Call trace:\n[   22.097505]  __flush_work+0x4d8/0x580\n[   22.098330]  flush_delayed_work+0x80/0xb8\n[   22.099231]  fb_deferred_io_cleanup+0x3c/0x130\n[   22.100217]  drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]\n[   22.101559]  unregister_framebuffer+0x210/0x2f0\n[   22.102575]  drm_fb_helper_unregister_info+0x48/0x60\n[   22.103683]  drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]\n[   22.105147]  drm_client_dev_unregister+0x1cc/0x230\n[   22.106217]  drm_dev_unregister+0x58/0x570\n[   22.107125]  apple_drm_unbind+0x50/0x98 [appledrm]\n[   22.108199]  component_del+0x1f8/0x3a8\n[   22.109042]  dcp_platform_shutdown+0x24/0x38 [apple_dcp]\n[   22.110357]  platform_shutdown+0x70/0x90\n[   22.111219]  device_shutdown+0x368/0x4d8\n[   22.112095]  kernel_restart+0x6c/0x1d0\n[   22.112946]  __arm64_sys_reboot+0x1c8/0x328\n[   22.113868]  invoke_syscall+0x78/0x1a8\n[   22.114703]  do_el0_svc+0x124/0x1a0\n[   22.115498]  el0_svc+0x3c/0xe0\n[   22.116181]  el0t_64_sync_handler+0x70/0xc0\n[   22.117110]  el0t_64_sync+0x190/0x198\n[   22.117931] ---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_fbdev_dma.c"],"versions":[{"version":"5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f","lessThan":"5a4a8ea14c54c651ec532a480bd560d0c6e52f3d","status":"affected","versionType":"git"},{"version":"5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f","lessThan":"fcddc71ec7ecf15b4df3c41288c9cf0b8e886111","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_fbdev_dma.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"6.11.4","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5a4a8ea14c54c651ec532a480bd560d0c6e52f3d"},{"url":"https://git.kernel.org/stable/c/fcddc71ec7ecf15b4df3c41288c9cf0b8e886111"}],"title":"drm/fbdev-dma: Only cleanup deferred I/O if necessary","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-50037","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-22T13:25:17.714484Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T13:28:44.766Z"}}]}}