In the Linux kernel, the following vulnerability has been resolved:
drm/gma500/oaktrail_lvds: fix hang on init failure
The LVDS init code looks up an I2C adapter using i2c_get_adapter() and tries to read the EDID before falling back to allocating and registering its own adapter.
The error handling does not separate these cases so on a late init failure it will try to deregister and free also an adapter that had previously been registered. Since i2c_get_adapter() takes another reference to the adapter, deregistration hangs indefinitely while waiting for the reference to be released.
Fix this by only destroying adapters allocated during LVDS init on errors.
References
- https://git.kernel.org/stable/c/4e04b564c005c9900643c56656d751ad677889be
- https://git.kernel.org/stable/c/5fe9f505d8578852c30668567bc3ce52e776e8c7
- https://git.kernel.org/stable/c/657a091ab6d01d0091b77660c75cfed573c9a53e
- https://git.kernel.org/stable/c/7877f7e231a8bd5c817af1491276550a5e195cd7
- https://git.kernel.org/stable/c/ab9256936b58eb178caddcf5b5b1638f079909d2
- https://git.kernel.org/stable/c/f6fc44af3bbd5ab0fb6bdec6f47decca11b38425