ghsa-9pg5-vgmp-j2j8
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

media: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()

The vsp1 driver uses the vb2_is_streaming() function in its .buf_queue() handler to check if the .start_streaming() operation has been called, and decide whether to just add the buffer to an internal queue, or also trigger a hardware run. vb2_is_streaming() relies on the vb2_queue structure's streaming field, which used to be set only after calling the .start_streaming() operation.

Commit a10b21532574 ("media: vb2: add (un)prepare_streaming queue ops") changed this, setting the .streaming field in vb2_core_streamon() before enqueuing buffers to the driver and calling .start_streaming(). This broke the vsp1 driver which now believes that .start_streaming() has been called when it hasn't, leading to a crash:

[ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 881.067495] Mem abort info: [ 881.070290] ESR = 0x0000000096000006 [ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits [ 881.079358] SET = 0, FnV = 0 [ 881.082414] EA = 0, S1PTW = 0 [ 881.085558] FSC = 0x06: level 2 translation fault [ 881.090439] Data abort info: [ 881.093320] ISV = 0, ISS = 0x00000006 [ 881.097157] CM = 0, WnR = 0 [ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000 [ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000 [ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP [ 881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem [ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556 [ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0 [ 881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0 [ 881.162206] sp : ffff80000c267710 [ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98 [ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8 [ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020 [ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000 [ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d [ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000 [ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001 [ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020 [ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000 [ 881.237092] Call trace: [ 881.239542] vsp1_dl_list_add_body+0xa8/0xe0 [ 881.243822] vsp1_video_pipeline_run+0x270/0x2a0 [ 881.248449] vsp1_video_buffer_queue+0x1c0/0x1d0 [ 881.253076] __enqueue_in_driver+0xbc/0x260 [ 881.257269] vb2_start_streaming+0x48/0x200 [ 881.261461] vb2_core_streamon+0x13c/0x280 [ 881.265565] vb2_streamon+0x3c/0x90 [ 881.269064] vsp1_video_streamon+0x2fc/0x3e0 [ 881.273344] v4l_streamon+0x50/0x70 [ 881.276844] __video_do_ioctl+0x2bc/0x5d0 [ 881.280861] video_usercopy+0x2a8/0xc80 [ 881.284704] video_ioctl2+0x20/0x40 [ 881.288201] v4l2_ioctl+0xa4/0xc0 [ 881.291525] __arm64_sys_ioctl+0xe8/0x110 [ 881.295543] invoke_syscall+0x68/0x190 [ 881.299303] el0_svc_common.constprop.0+0x88/0x170 [ 881.304105] do_el0_svc+0x4c/0xf0 [ 881.307430] el0_svc+0x4c/0xa0 [ 881.310494] el0t_64_sync_handler+0xbc/0x140 [ 881.314773] el0t_64_sync+0x190/0x194 [ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60) [ 881.324551] ---[ end trace 0000000000000000 ]--- [ 881.329173] note: yavta[1271] exited with preempt_count 1

A different r ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53497"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vsp1: Replace vb2_is_streaming() with vb2_start_streaming_called()\n\nThe vsp1 driver uses the vb2_is_streaming() function in its .buf_queue()\nhandler to check if the .start_streaming() operation has been called,\nand decide whether to just add the buffer to an internal queue, or also\ntrigger a hardware run. vb2_is_streaming() relies on the vb2_queue\nstructure\u0027s streaming field, which used to be set only after calling the\n.start_streaming() operation.\n\nCommit a10b21532574 (\"media: vb2: add (un)prepare_streaming queue ops\")\nchanged this, setting the .streaming field in vb2_core_streamon() before\nenqueuing buffers to the driver and calling .start_streaming(). This\nbroke the vsp1 driver which now believes that .start_streaming() has\nbeen called when it hasn\u0027t, leading to a crash:\n\n[  881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n[  881.067495] Mem abort info:\n[  881.070290]   ESR = 0x0000000096000006\n[  881.074042]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  881.079358]   SET = 0, FnV = 0\n[  881.082414]   EA = 0, S1PTW = 0\n[  881.085558]   FSC = 0x06: level 2 translation fault\n[  881.090439] Data abort info:\n[  881.093320]   ISV = 0, ISS = 0x00000006\n[  881.097157]   CM = 0, WnR = 0\n[  881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000\n[  881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000\n[  881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP\n[  881.123494] Modules linked in: rcar_fdp1 v4l2_mem2mem\n[  881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G    B              6.2.0-rc1-00023-g6c94e2e99343 #556\n[  881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n[  881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  881.152951] pc : vsp1_dl_list_add_body+0xa8/0xe0\n[  881.157580] lr : vsp1_dl_list_add_body+0x34/0xe0\n[  881.162206] sp : ffff80000c267710\n[  881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98\n[  881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8\n[  881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020\n[  881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000\n[  881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d\n[  881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000\n[  881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001\n[  881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020\n[  881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000\n[  881.237092] Call trace:\n[  881.239542]  vsp1_dl_list_add_body+0xa8/0xe0\n[  881.243822]  vsp1_video_pipeline_run+0x270/0x2a0\n[  881.248449]  vsp1_video_buffer_queue+0x1c0/0x1d0\n[  881.253076]  __enqueue_in_driver+0xbc/0x260\n[  881.257269]  vb2_start_streaming+0x48/0x200\n[  881.261461]  vb2_core_streamon+0x13c/0x280\n[  881.265565]  vb2_streamon+0x3c/0x90\n[  881.269064]  vsp1_video_streamon+0x2fc/0x3e0\n[  881.273344]  v4l_streamon+0x50/0x70\n[  881.276844]  __video_do_ioctl+0x2bc/0x5d0\n[  881.280861]  video_usercopy+0x2a8/0xc80\n[  881.284704]  video_ioctl2+0x20/0x40\n[  881.288201]  v4l2_ioctl+0xa4/0xc0\n[  881.291525]  __arm64_sys_ioctl+0xe8/0x110\n[  881.295543]  invoke_syscall+0x68/0x190\n[  881.299303]  el0_svc_common.constprop.0+0x88/0x170\n[  881.304105]  do_el0_svc+0x4c/0xf0\n[  881.307430]  el0_svc+0x4c/0xa0\n[  881.310494]  el0t_64_sync_handler+0xbc/0x140\n[  881.314773]  el0t_64_sync+0x190/0x194\n[  881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60)\n[  881.324551] ---[ end trace 0000000000000000 ]---\n[  881.329173] note: yavta[1271] exited with preempt_count 1\n\nA different r\n---truncated---",
  "id": "GHSA-9pg5-vgmp-j2j8",
  "modified": "2025-10-01T12:30:30Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53497"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52d8caca3d533cc499f1255be25576ffd936ec95"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/960dc0aa4aa149f6f39125394f4feb51b7addc60"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b54f74214adf4e77cba6badf488c564dd353b491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.