Fixed
Created: Mar 6, 2025
Updated: Mar 7, 2025
Resolved Date: Mar 7, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:staging: media: max96712: fix kernel oops when removing moduleThe following kernel oops is thrown when trying to remove the max96712module:Unable to handle kernel paging request at virtual address 00007375746174dbMem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation faultData abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af8900000007375746174db] pgd=0000000000000000, p4d=0000000000000000Internal error: Oops: 0000000096000004 [#1] PREEMPT SMPModules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2 imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse [last unloaded: imx8_isi]CPU: 0 UID: 0 PID: 754 Comm: rmmod Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17Tainted: [C]=CRAPHardware name: NXP i.MX95 19X19 board (DT)pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : led_put+0x1c/0x40lr : v4l2_subdev_put_privacy_led+0x48/0x58sp : ffff80008699bbb0x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626dx5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473Call trace: led_put+0x1c/0x40 v4l2_subdev_put_privacy_led+0x48/0x58 v4l2_async_unregister_subdev+0x2c/0x1a4 max96712_remove+0x1c/0x38 [max96712] i2c_device_remove+0x2c/0x9c device_remove+0x4c/0x80 device_release_driver_internal+0x1cc/0x228 driver_detach+0x4c/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 i2c_del_driver+0x54/0x64 max96712_i2c_driver_exit+0x18/0x1d0 [max96712] __arm64_sys_delete_module+0x1a4/0x290 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xd8 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)---[ end trace 0000000000000000 ]---This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()is called again and the data is overwritten to point to sd, instead ofpriv. So, in remove(), the wrong pointer is passed tov4l2_async_unregister_subdev(), leading to a crash.
CREATE(Triage):(User=admin) [CVE-2024-58054 (https://nvd.nist.gov/vuln/detail/CVE-2024-58054)
