cve/published/2025/CVE-2025-22028.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22028: media: vimc: skip .s_stream() for stopped entities

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: vimc: skip .s_stream() for stopped entities

 Syzbot reported [1] a warning prompted by a check in call_s_stream()
 that checks whether .s_stream() operation is warranted for unstarted
 or stopped subdevs.

 Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that
 entities skip a call to .s_stream() unless they have been previously
 properly started.

 [1] Syzbot report:
 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460
 Modules linked in:
 CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0
 ...
 Call Trace:
  <TASK>
  vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62
  vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline]
  vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203
  vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256
  vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789
  vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348
  vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline]
  vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118
  __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122
  video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463
  v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:906 [inline]
  __se_sys_ioctl fs/ioctl.c:892 [inline]
  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f2b85c01b19
 ...

 The Linux kernel CVE team has assigned CVE-2025-22028 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.6.89 with commit a505075730d23ccc19fc4ac382a0ed73b630c057
 	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.12.23 with commit 845e9286ff99ee88cfdeb2b748f730003a512190
 	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.13.11 with commit 6f6064dab4dcfb7e34a395040a0c9dc22cc8765d
 	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.14.2 with commit 7a58d4c4cf8ff60ab1f93399deefaf6057da91c7
 	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.15 with commit 36cef585e2a31e4ddf33a004b0584a7a572246de
 	Issue introduced in 4.14.108 with commit 77fbb561bb09f56877dd84318212da393909975f
 	Issue introduced in 4.19.31 with commit 73236bf581e96eb48808fea522351ed81e24c9cc
 	Issue introduced in 5.0.4 with commit e7ae48ae47227c0302b9f4b15a5bf45934a55673

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22028
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/test-drivers/vimc/vimc-streamer.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057
 	https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190
 	https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d
 	https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7
 	https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22028: media: vimc: skip .s_stream() for stopped entities

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: vimc: skip .s_stream() for stopped entities

	Syzbot reported [1] a warning prompted by a check in call_s_stream()
	that checks whether .s_stream() operation is warranted for unstarted
	or stopped subdevs.

	Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that
	entities skip a call to .s_stream() unless they have been previously
	properly started.

	[1] Syzbot report:
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460
	Modules linked in:
	CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0
	...
	Call Trace:
	<TASK>
	vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62
	vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline]
	vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203
	vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256
	vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789
	vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348
	vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline]
	vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118
	__video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122
	video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463
	v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366
	vfs_ioctl fs/ioctl.c:51 [inline]
	__do_sys_ioctl fs/ioctl.c:906 [inline]
	__se_sys_ioctl fs/ioctl.c:892 [inline]
	__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f2b85c01b19
	...

	The Linux kernel CVE team has assigned CVE-2025-22028 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.6.89 with commit a505075730d23ccc19fc4ac382a0ed73b630c057
	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.12.23 with commit 845e9286ff99ee88cfdeb2b748f730003a512190
	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.13.11 with commit 6f6064dab4dcfb7e34a395040a0c9dc22cc8765d
	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.14.2 with commit 7a58d4c4cf8ff60ab1f93399deefaf6057da91c7
	Issue introduced in 5.1 with commit adc589d2a20808fb99d46a78175cd023f2040338 and fixed in 6.15 with commit 36cef585e2a31e4ddf33a004b0584a7a572246de
	Issue introduced in 4.14.108 with commit 77fbb561bb09f56877dd84318212da393909975f
	Issue introduced in 4.19.31 with commit 73236bf581e96eb48808fea522351ed81e24c9cc
	Issue introduced in 5.0.4 with commit e7ae48ae47227c0302b9f4b15a5bf45934a55673

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22028
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/test-drivers/vimc/vimc-streamer.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057
	https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190
	https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d
	https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7
	https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de