CVE-2022-49945 in Linux
Sumário
de VulDB • 20/05/2026
Based on the kernel panic log provided, here is an analysis of the crash:
### **1. Crash Summary** - **Type:** Kernel Oops/Panic (likely an invalid memory access or assertion failure). - **Module:** `gpio_fan` (GPIO-controlled fan driver). - **Function:** `set_fan_speed.part.5` - **Trigger:** Writing to a sysfs attribute (`cur_state_store`), likely via `echo <value> > /sys/class/thermal/.../cur_state` or similar. - **Architecture:** ARM64 (`el0t_64_sync`, `x0-x31` registers).
### **2. Key Evidence** - **Call Trace:** ``` set_fan_speed.part.5+0x34/0x80 [gpio_fan]
gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
cur_state_store+0x84/0xd0 dev_attr_store+0x20/0x38 sysfs_kf_write+0x4c/0x60 ... ``` This shows the crash occurred while the kernel was trying to set the fan speed state via sysfs.
- **Register State:** - `x0`: `ffff80d0588060` (likely a pointer to a `gpio_fan_data` or similar structure). - `x1`: `1` (likely the new fan state/speed value being set). - `x2`: `e780` (possibly a bitmask or GPIO mask). - `x3`: `ffff800369f2e8` (another pointer, possibly to GPIO descriptors or chip data).
- **Code Snippet (Decoded):** ``` Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416) ``` This is ARM64 assembly. The crash instruction is at offset `0x34` in `set_fan_speed.part.5`. The instruction `b9400416` is a `str` (store register) instruction, which suggests the crash is due to an **invalid memory write** (e.g., null pointer dereference, invalid address, or corrupted structure).
### **3. Likely Causes** 1. **Null Pointer Dereference:** The `gpio_fan_data` structure (pointed to by `x0`) may be invalid or uninitialized. 2. **Invalid GPIO Configuration:** The GPIO pins configured for the fan may not be properly requested or may conflict with other drivers. 3. **Race Condition:** If the fan device is being removed/unloaded while a sysfs write is in progress, the structure may be freed prematurely. 4. **Corrupted Memory:** Less likely, but possible if there’s a broader memory corruption issue.
### **4. Debugging Steps** 1. **Check Kernel Logs:** Look for earlier warnings about `gpio_fan` initialization or GPIO requests: ```bash dmesg | grep -i gpio_fan dmesg | grep -i fan ```
2. **Verify Device Tree:** Ensure the `gpio_fan` node in your device tree is correctly defined: ```dts fan: fan {
compatible = "gpio-fan"; gpios = <&gpio0 10 GPIO_ACTIVE_HIGH>; /* Example */ gpio-fan,speed-map = <0 0 1 1000 2 2000>; /* Example */ }; ```
3. **Reproduce the Crash:** - Try writing to the sysfs file again: ```bash echo 1 > /sys/class/thermal/thermal_zone0/hwmon/hwmon0/pwm1_enable ``` - Check if the crash is consistent.
4. **Check for Driver Updates:** - Ensure you’re using the latest kernel version, as `gpio_fan` bugs may have been fixed.
5. **Enable Debugging:** - Recompile the kernel with `CONFIG_GPIO_FAN_DEBUG` (if available) or add `printk` statements in `set_fan_speed.part.5` to identify which pointer is invalid.
### **5. Workaround** - **Avoid Writing to `cur_state`:** If possible, use `pwm1` or `fan1` sysfs attributes instead of `cur_state`. - **Disable `gpio_fan
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.