ghsa-2pph-66px-9x3w
Vulnerability from github
Published
2025-08-22 18:31
Modified
2025-08-22 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

media: ti: j721e-csi2rx: fix list_del corruption

If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. This causes the same buffer to be retried in the next iteration, resulting in a double list_del() and eventual list corruption.

Fix this by removing the buffer from the queue before calling vb2_buffer_done() on error.

This resolves a crash due to list_del corruption: [ 37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA [ 37.832187] slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048 [ 37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428) [ 37.850799] ------------[ cut here ]------------ [ 37.855424] kernel BUG at lib/list_debug.c:65! [ 37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul [ 37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY [ 37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT) [ 37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.914059] sp : ffff800080003db0 [ 37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000 [ 37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122 [ 37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0 [ 37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a [ 37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720 [ 37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea [ 37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568 [ 37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff [ 37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000 [ 37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d [ 37.988832] Call trace: [ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P) [ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4 [ 38.001419] udma_vchan_complete+0x1e0/0x344 [ 38.005705] tasklet_action_common+0x118/0x310 [ 38.010163] tasklet_action+0x30/0x3c [ 38.013832] handle_softirqs+0x10c/0x2e0 [ 38.017761] __do_softirq+0x14/0x20 [ 38.021256] _dosoftirq+0x10/0x20 [ 38.024931] call_on_irq_stack+0x24/0x60 [ 38.028873] do_softirq_own_stack+0x1c/0x40 [ 38.033064] irq_exit_rcu+0x130/0x15c [ 38.036909] irq_exit_rcu+0x10/0x20 [ 38.040403] el1_interrupt+0x38/0x60 [ 38.043987] el1h_64_irq_handler+0x18/0x24 [ 38.048091] el1h_64_irq+0x6c/0x70 [ 38.051501] default_idle_call+0x34/0xe0 (P) [ 38.055783] do_idle+0x1f8/0x250 [ 38.059021] cpu_startup_entry+0x34/0x3c [ 38.062951] rest_init+0xb4/0xc0 [ 38.066186] console_on_rootfs+0x0/0x6c [ 38.070031] __primary_switched+0x88/0x90 [ 38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000) [ 38.080168] ---[ end trace 0000000000000000 ]--- [ 38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt [ 38.092197] SMP: stopping secondary CPUs [ 38.096139] Kernel Offset: disabled [ 38.099631] CPU features: 0x0000,00002000,02000801,0400420b [ 38.105202] Memory Limit: none [ 38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38619"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-22T16:15:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ti: j721e-csi2rx: fix list_del corruption\n\nIf ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is\nmarked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.\nThis causes the same buffer to be retried in the next iteration, resulting\nin a double list_del() and eventual list corruption.\n\nFix this by removing the buffer from the queue before calling\nvb2_buffer_done() on error.\n\nThis resolves a crash due to list_del corruption:\n[   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA\n[   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048\n[   37.839761] list_del corruption. next-\u003eprev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)\n[   37.850799] ------------[ cut here ]------------\n[   37.855424] kernel BUG at lib/list_debug.c:65!\n[   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul\n[   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY\n[   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)\n[   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114\n[   37.914059] sp : ffff800080003db0\n[   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000\n[   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122\n[   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0\n[   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a\n[   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720\n[   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea\n[   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568\n[   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff\n[   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000\n[   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d\n[   37.988832] Call trace:\n[   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)\n[   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4\n[   38.001419]  udma_vchan_complete+0x1e0/0x344\n[   38.005705]  tasklet_action_common+0x118/0x310\n[   38.010163]  tasklet_action+0x30/0x3c\n[   38.013832]  handle_softirqs+0x10c/0x2e0\n[   38.017761]  __do_softirq+0x14/0x20\n[   38.021256]  ____do_softirq+0x10/0x20\n[   38.024931]  call_on_irq_stack+0x24/0x60\n[   38.028873]  do_softirq_own_stack+0x1c/0x40\n[   38.033064]  __irq_exit_rcu+0x130/0x15c\n[   38.036909]  irq_exit_rcu+0x10/0x20\n[   38.040403]  el1_interrupt+0x38/0x60\n[   38.043987]  el1h_64_irq_handler+0x18/0x24\n[   38.048091]  el1h_64_irq+0x6c/0x70\n[   38.051501]  default_idle_call+0x34/0xe0 (P)\n[   38.055783]  do_idle+0x1f8/0x250\n[   38.059021]  cpu_startup_entry+0x34/0x3c\n[   38.062951]  rest_init+0xb4/0xc0\n[   38.066186]  console_on_rootfs+0x0/0x6c\n[   38.070031]  __primary_switched+0x88/0x90\n[   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)\n[   38.080168] ---[ end trace 0000000000000000 ]---\n[   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt\n[   38.092197] SMP: stopping secondary CPUs\n[   38.096139] Kernel Offset: disabled\n[   38.099631] CPU features: 0x0000,00002000,02000801,0400420b\n[   38.105202] Memory Limit: none\n[   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---",
  "id": "GHSA-2pph-66px-9x3w",
  "modified": "2025-08-22T18:31:21Z",
  "published": "2025-08-22T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38619"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/68e5579f4de12207b23c41b44a4c0778b6c2858f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92d0188f36ca8082af7989d743eb5b44c2d259f7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a4a8cb0889927d59ebd839458c8f038bc5298ef9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae42c6fe531425ef2f47e82f96851427d24bbf6b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.