cve/published/2024/CVE-2024-56575.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56575: media: imx-jpeg: Ensure power suppliers be suspended before detach them

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 media: imx-jpeg: Ensure power suppliers be suspended before detach them

 The power suppliers are always requested to suspend asynchronously,
 dev_pm_domain_detach() requires the caller to ensure proper
 synchronization of this function with power management callbacks.
 otherwise the detach may led to kernel panic, like below:

 [ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
 [ 1457.116777] Mem abort info:
 [ 1457.119589]   ESR = 0x0000000096000004
 [ 1457.123358]   EC = 0x25: DABT (current EL), IL = 32 bits
 [ 1457.128692]   SET = 0, FnV = 0
 [ 1457.131764]   EA = 0, S1PTW = 0
 [ 1457.134920]   FSC = 0x04: level 0 translation fault
 [ 1457.139812] Data abort info:
 [ 1457.142707]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
 [ 1457.148196]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
 [ 1457.153256]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 [ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000
 [ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000
 [ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
 [ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec]
 [ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66
 [ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT)
 [ 1457.199236] Workqueue: pm pm_runtime_work
 [ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 [ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290
 [ 1457.214886] lr : __rpm_callback+0x48/0x1d8
 [ 1457.218968] sp : ffff80008250bc50
 [ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000
 [ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240
 [ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008
 [ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff
 [ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674
 [ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002
 [ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0
 [ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000
 [ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000
 [ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000
 [ 1457.293510] Call trace:
 [ 1457.295946]  genpd_runtime_suspend+0x20/0x290
 [ 1457.300296]  __rpm_callback+0x48/0x1d8
 [ 1457.304038]  rpm_callback+0x6c/0x78
 [ 1457.307515]  rpm_suspend+0x10c/0x570
 [ 1457.311077]  pm_runtime_work+0xc4/0xc8
 [ 1457.314813]  process_one_work+0x138/0x248
 [ 1457.318816]  worker_thread+0x320/0x438
 [ 1457.322552]  kthread+0x110/0x114
 [ 1457.325767]  ret_from_fork+0x10/0x20

 The Linux kernel CVE team has assigned CVE-2024-56575 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 5.15.174 with commit f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5
 	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.1.120 with commit 12914fd765ba4f9d6a9a50439e8dd2e9f91423f2
 	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.6.64 with commit b7a830bbc25da0f641e3ef2bac3b1766b2777a8b
 	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.12.4 with commit 2f86d104539fab9181ea7b5721f40e7b92a8bf67
 	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.13 with commit fd0af4cd35da0eb550ef682b71cda70a4e36f6b9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56575
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5
 	https://git.kernel.org/stable/c/12914fd765ba4f9d6a9a50439e8dd2e9f91423f2
 	https://git.kernel.org/stable/c/b7a830bbc25da0f641e3ef2bac3b1766b2777a8b
 	https://git.kernel.org/stable/c/2f86d104539fab9181ea7b5721f40e7b92a8bf67
 	https://git.kernel.org/stable/c/fd0af4cd35da0eb550ef682b71cda70a4e36f6b9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56575: media: imx-jpeg: Ensure power suppliers be suspended before detach them

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	media: imx-jpeg: Ensure power suppliers be suspended before detach them

	The power suppliers are always requested to suspend asynchronously,
	dev_pm_domain_detach() requires the caller to ensure proper
	synchronization of this function with power management callbacks.
	otherwise the detach may led to kernel panic, like below:

	[ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
	[ 1457.116777] Mem abort info:
	[ 1457.119589] ESR = 0x0000000096000004
	[ 1457.123358] EC = 0x25: DABT (current EL), IL = 32 bits
	[ 1457.128692] SET = 0, FnV = 0
	[ 1457.131764] EA = 0, S1PTW = 0
	[ 1457.134920] FSC = 0x04: level 0 translation fault
	[ 1457.139812] Data abort info:
	[ 1457.142707] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
	[ 1457.148196] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
	[ 1457.153256] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
	[ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000
	[ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000
	[ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
	[ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec]
	[ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66
	[ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT)
	[ 1457.199236] Workqueue: pm pm_runtime_work
	[ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	[ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290
	[ 1457.214886] lr : __rpm_callback+0x48/0x1d8
	[ 1457.218968] sp : ffff80008250bc50
	[ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000
	[ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240
	[ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008
	[ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff
	[ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674
	[ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002
	[ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0
	[ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000
	[ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000
	[ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000
	[ 1457.293510] Call trace:
	[ 1457.295946] genpd_runtime_suspend+0x20/0x290
	[ 1457.300296] __rpm_callback+0x48/0x1d8
	[ 1457.304038] rpm_callback+0x6c/0x78
	[ 1457.307515] rpm_suspend+0x10c/0x570
	[ 1457.311077] pm_runtime_work+0xc4/0xc8
	[ 1457.314813] process_one_work+0x138/0x248
	[ 1457.318816] worker_thread+0x320/0x438
	[ 1457.322552] kthread+0x110/0x114
	[ 1457.325767] ret_from_fork+0x10/0x20

	The Linux kernel CVE team has assigned CVE-2024-56575 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 5.15.174 with commit f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5
	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.1.120 with commit 12914fd765ba4f9d6a9a50439e8dd2e9f91423f2
	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.6.64 with commit b7a830bbc25da0f641e3ef2bac3b1766b2777a8b
	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.12.4 with commit 2f86d104539fab9181ea7b5721f40e7b92a8bf67
	Issue introduced in 5.13 with commit 2db16c6ed72ce644d5639b3ed15e5817442db4ba and fixed in 6.13 with commit fd0af4cd35da0eb550ef682b71cda70a4e36f6b9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56575
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f3c4e088ec01cae45931a18ddf7cae0f4d72e1c5
	https://git.kernel.org/stable/c/12914fd765ba4f9d6a9a50439e8dd2e9f91423f2
	https://git.kernel.org/stable/c/b7a830bbc25da0f641e3ef2bac3b1766b2777a8b
	https://git.kernel.org/stable/c/2f86d104539fab9181ea7b5721f40e7b92a8bf67
	https://git.kernel.org/stable/c/fd0af4cd35da0eb550ef682b71cda70a4e36f6b9