CVE-2022-49490 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected
mdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring the modeset lock, but currently mdp5_pipe_release doesn't check if an error is returned. Because of this, there is a possibility of mdp5_pipe_release hitting a NULL dereference error.
To avoid this, let's have mdp5_pipe_release check if mdp5_get_global_state returns an error and propagate that error.
Changes since v1:
- Separated declaration and initialization of *new_state to avoid compiler warning
- Fixed some spelling mistakes in commit message
Changes since v2:
- Return 0 in case where hwpipe is NULL as this is considered normal behavior
- Added 2nd patch in series to fix a similar NULL dereference issue in mdp5_mixer_release
Patchwork: https://patchwork.freedesktop.org/patch/485179/
Analysis
by VulDB Data Team • 10/23/2025
CVE-2022-49490 is a critical null pointer dereference in the Linux kernel's display subsystem, specifically the drm/msm/mdp5 driver. The flaw sits in mdp5_pipe_release, which releases display pipeline resources. mdp5_get_global_state acquires the modeset lock and can return -EDEADLK when it detects a deadlock; mdp5_pipe_release did not check for that error return and continued as if the global state had been acquired, so the invalid pointer was dereferenced. The result is system instability or, potentially, privilege escalation.
The vulnerability is a classic error-propagation failure: an error returned by one function in a call chain is never checked by its caller. mdp5_get_global_state, which manages global state for the MDP5 display processing unit, legitimately returns -EDEADLK when the modeset lock cannot be acquired without deadlocking. mdp5_pipe_release used the returned value without checking it, so a deadlock-detection mechanism meant to prevent hangs turned into a crash vector. The affected code is the msm display driver used on Qualcomm-based mobile devices and embedded systems that carry MDP5 (Mobile Display Processor 5) hardware.
The impact goes beyond a simple crash. A NULL dereference in mdp5_pipe_release can panic the kernel and reboot the system, a denial-of-service condition that malicious actors could trigger deliberately. Where kernel-level access is possible, the display subsystem could be manipulated to trigger the error condition and gain elevated privileges. Affected systems are those running kernel versions that include the drm/msm/mdp5 driver, particularly Qualcomm Snapdragon and similar mobile SoC platforms that use MDP5 hardware for display processing, which makes this a significant concern for mobile device manufacturers and embedded system providers relying on these components.
Mitigation for CVE-2022-49490 consists of proper error handling in the affected driver. The fix changes mdp5_pipe_release to check the return value of mdp5_get_global_state and propagate any error instead of proceeding as if the state had been acquired, following the defensive-programming rule that every call which can fail is checked before its result is used. The patch series also fixes a similar NULL dereference in mdp5_mixer_release. System administrators should apply the patches provided by the Linux kernel maintainers. The weakness is classified as CWE-476 (NULL Pointer Dereference) and may be categorized under ATT&CK technique T1068 (Exploitation for Privilege Escalation). With the fix, error conditions are handled consistently throughout the display subsystem, preventing both crashes and exploits that could arise from improper error propagation in kernel space.
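As an added illustration of the unchecked and fixed shapes of mdp5_pipe_release described in the commit message and the mitigation paragraph above (constructed for this page, not the kernel's own code): the ERR_PTR/IS_ERR/PTR_ERR helpers imitate the kernel's, while the struct fields, function arguments and the g_lock_contended toggle are simplified stand-ins for the driver's real state and modeset lock.

```c
/* Userspace model of the CVE-2022-49490 pattern and its fix (constructed example, not kernel code).
 * ERR_PTR/IS_ERR/PTR_ERR mimic the kernel's <linux/err.h>; the msm structs are simplified stand-ins. */
#include <errno.h>
#include <stddef.h>

#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct mdp5_hw_pipe { int refcount; };
struct mdp5_global_state { struct mdp5_hw_pipe *hwpipe_to_plane[4]; };

static struct mdp5_global_state g_state;
static struct mdp5_hw_pipe g_pipe = { .refcount = 1 };
static int g_lock_contended;  /* 1: the simulated modeset lock acquisition reports -EDEADLK */

/* Stand-in for mdp5_get_global_state(): like the real one, it may hand back ERR_PTR(-EDEADLK). */
static struct mdp5_global_state *mdp5_get_global_state(void)
{
    return g_lock_contended ? (struct mdp5_global_state *)ERR_PTR(-EDEADLK) : &g_state;
}

/* Vulnerable shape: the pointer is used without an IS_ERR() check, so an ERR_PTR gets dereferenced. */
void mdp5_pipe_release_unchecked(struct mdp5_hw_pipe *hwpipe)
{
    struct mdp5_global_state *state = mdp5_get_global_state();
    if (!hwpipe)
        return;
    state->hwpipe_to_plane[0] = NULL;  /* faults when state is ERR_PTR(-EDEADLK) */
    hwpipe->refcount--;
}

/* Fixed shape: a NULL hwpipe is normal (return 0); an error from the state lookup is propagated. */
int mdp5_pipe_release(struct mdp5_hw_pipe *hwpipe)
{
    struct mdp5_global_state *state;
    if (!hwpipe)
        return 0;
    state = mdp5_get_global_state();
    if (IS_ERR(state))
        return (int)PTR_ERR(state);  /* -EDEADLK goes back up the call chain instead of a crash */
    state->hwpipe_to_plane[0] = NULL;
    hwpipe->refcount--;
    return 0;
}
```

Calling mdp5_pipe_release_unchecked with g_lock_contended set to 1 reproduces the crash the commit message describes; the fixed function returns -EDEADLK and leaves the pipe untouched.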