cve/published/2025/CVE-2025-21821.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21821: fbdev: omap: use threaded IRQ for LCD DMA

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fbdev: omap: use threaded IRQ for LCD DMA

 When using touchscreen and framebuffer, Nokia 770 crashes easily with:

     BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000
     Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd
     CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2
     Hardware name: Nokia 770
     Call trace:
      unwind_backtrace from show_stack+0x10/0x14
      show_stack from dump_stack_lvl+0x54/0x5c
      dump_stack_lvl from __schedule_bug+0x50/0x70
      __schedule_bug from __schedule+0x4d4/0x5bc
      __schedule from schedule+0x34/0xa0
      schedule from schedule_preempt_disabled+0xc/0x10
      schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4
      __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4
      clk_prepare_lock from clk_set_rate+0x18/0x154
      clk_set_rate from sossi_read_data+0x4c/0x168
      sossi_read_data from hwa742_read_reg+0x5c/0x8c
      hwa742_read_reg from send_frame_handler+0xfc/0x300
      send_frame_handler from process_pending_requests+0x74/0xd0
      process_pending_requests from lcd_dma_irq_handler+0x50/0x74
      lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130
      __handle_irq_event_percpu from handle_irq_event+0x28/0x68
      handle_irq_event from handle_level_irq+0x9c/0x170
      handle_level_irq from generic_handle_domain_irq+0x2c/0x3c
      generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c
      omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c
      generic_handle_arch_irq from call_with_stack+0x1c/0x24
      call_with_stack from __irq_svc+0x94/0xa8
     Exception stack(0xc5255da0 to 0xc5255de8)
     5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248
     5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94
     5de0: 60000013 ffffffff
      __irq_svc from clk_prepare_lock+0x4c/0xe4
      clk_prepare_lock from clk_get_rate+0x10/0x74
      clk_get_rate from uwire_setup_transfer+0x40/0x180
      uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c
      spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664
      spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498
      __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8
      __spi_sync from spi_sync+0x24/0x40
      spi_sync from ads7846_halfd_read_state+0x5c/0x1c0
      ads7846_halfd_read_state from ads7846_irq+0x58/0x348
      ads7846_irq from irq_thread_fn+0x1c/0x78
      irq_thread_fn from irq_thread+0x120/0x228
      irq_thread from kthread+0xc8/0xe8
      kthread from ret_from_fork+0x14/0x28

 As a quick fix, switch to a threaded IRQ which provides a stable system.

 The Linux kernel CVE team has assigned CVE-2025-21821 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.129 with commit 7bbbd311dd503653a2cc86d9226740883051dc92
 	Fixed in 6.6.79 with commit fb6a5edb60921887d7d10619fcdcbee9759552cb
 	Fixed in 6.12.16 with commit aa8e22cbedeb626f2a6bda0aea362353d627cd0a
 	Fixed in 6.13.4 with commit 8392ea100f0b86c234c739c6662f39f0ccc0cefd
 	Fixed in 6.14 with commit e4b6b665df815b4841e71b72f06446884e8aad40

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21821
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/video/fbdev/omap/lcd_dma.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7bbbd311dd503653a2cc86d9226740883051dc92
 	https://git.kernel.org/stable/c/fb6a5edb60921887d7d10619fcdcbee9759552cb
 	https://git.kernel.org/stable/c/aa8e22cbedeb626f2a6bda0aea362353d627cd0a
 	https://git.kernel.org/stable/c/8392ea100f0b86c234c739c6662f39f0ccc0cefd
 	https://git.kernel.org/stable/c/e4b6b665df815b4841e71b72f06446884e8aad40
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21821: fbdev: omap: use threaded IRQ for LCD DMA

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fbdev: omap: use threaded IRQ for LCD DMA

	When using touchscreen and framebuffer, Nokia 770 crashes easily with:

	BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000
	Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd
	CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2
	Hardware name: Nokia 770
	Call trace:
	unwind_backtrace from show_stack+0x10/0x14
	show_stack from dump_stack_lvl+0x54/0x5c
	dump_stack_lvl from __schedule_bug+0x50/0x70
	__schedule_bug from __schedule+0x4d4/0x5bc
	__schedule from schedule+0x34/0xa0
	schedule from schedule_preempt_disabled+0xc/0x10
	schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4
	__mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4
	clk_prepare_lock from clk_set_rate+0x18/0x154
	clk_set_rate from sossi_read_data+0x4c/0x168
	sossi_read_data from hwa742_read_reg+0x5c/0x8c
	hwa742_read_reg from send_frame_handler+0xfc/0x300
	send_frame_handler from process_pending_requests+0x74/0xd0
	process_pending_requests from lcd_dma_irq_handler+0x50/0x74
	lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130
	__handle_irq_event_percpu from handle_irq_event+0x28/0x68
	handle_irq_event from handle_level_irq+0x9c/0x170
	handle_level_irq from generic_handle_domain_irq+0x2c/0x3c
	generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c
	omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c
	generic_handle_arch_irq from call_with_stack+0x1c/0x24
	call_with_stack from __irq_svc+0x94/0xa8
	Exception stack(0xc5255da0 to 0xc5255de8)
	5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248
	5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94
	5de0: 60000013 ffffffff
	__irq_svc from clk_prepare_lock+0x4c/0xe4
	clk_prepare_lock from clk_get_rate+0x10/0x74
	clk_get_rate from uwire_setup_transfer+0x40/0x180
	uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c
	spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664
	spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498
	__spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8
	__spi_sync from spi_sync+0x24/0x40
	spi_sync from ads7846_halfd_read_state+0x5c/0x1c0
	ads7846_halfd_read_state from ads7846_irq+0x58/0x348
	ads7846_irq from irq_thread_fn+0x1c/0x78
	irq_thread_fn from irq_thread+0x120/0x228
	irq_thread from kthread+0xc8/0xe8
	kthread from ret_from_fork+0x14/0x28

	As a quick fix, switch to a threaded IRQ which provides a stable system.

	The Linux kernel CVE team has assigned CVE-2025-21821 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.129 with commit 7bbbd311dd503653a2cc86d9226740883051dc92
	Fixed in 6.6.79 with commit fb6a5edb60921887d7d10619fcdcbee9759552cb
	Fixed in 6.12.16 with commit aa8e22cbedeb626f2a6bda0aea362353d627cd0a
	Fixed in 6.13.4 with commit 8392ea100f0b86c234c739c6662f39f0ccc0cefd
	Fixed in 6.14 with commit e4b6b665df815b4841e71b72f06446884e8aad40

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21821
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/video/fbdev/omap/lcd_dma.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7bbbd311dd503653a2cc86d9226740883051dc92
	https://git.kernel.org/stable/c/fb6a5edb60921887d7d10619fcdcbee9759552cb
	https://git.kernel.org/stable/c/aa8e22cbedeb626f2a6bda0aea362353d627cd0a
	https://git.kernel.org/stable/c/8392ea100f0b86c234c739c6662f39f0ccc0cefd
	https://git.kernel.org/stable/c/e4b6b665df815b4841e71b72f06446884e8aad40