CVE-2025-40165
- Source
- https://cve.org/CVERecord?id=CVE-2025-40165
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40165.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40165
- Aliases
- Downstream
- Published
- 2025-11-12T10:26:23.806Z
- Modified
- 2026-02-10T04:26:25.515183Z
- Summary
- media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usagecount will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARNON():
[ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxcisichannelchain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxcisichannelchain+0xa4/0x120 [ 59.270358] lr : mxcisichannelchain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025] mxcisichannelchain+0xa4/0x120 (P) [ 59.356722] mxcisim2mstreamon+0x160/0x20c [ 59.361072] v4lstreamon+0x24/0x30 [ 59.364556] _videodoioctl+0x40c/0x4a0 [ 59.368560] videousercopy+0x2bc/0x690 [ 59.372382] videoioctl2+0x18/0x24 [ 59.375857] v4l2ioctl+0x40/0x60 [ 59.379168] _arm64sysioctl+0xac/0x104 [ 59.383172] invokesyscall+0x48/0x104 [ 59.386916] el0svccommon.constprop.0+0xc0/0xe0 [ 59.391613] doel0svc+0x1c/0x28 [ 59.394915] el0svc+0x34/0xf4 [ 59.397966] el0t64synchandler+0xa0/0xe4 [ 59.402143] el0t64sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---
Address this issue by moving the streaming preparation and cleanup to the vb2 .preparestreaming() and .unpreparestreaming() operations. This also simplifies the driver by allowing direct usage of the v4l2m2mioctlstreamon() and v4l2m2mioctlstreamoff() helpers.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40165.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/178aa3360220231dd91e7dbc2eb984525886c9c1
- https://git.kernel.org/stable/c/50c721be2cff2bf8c9a5f1f4add35c2bbb1df302
- https://git.kernel.org/stable/c/b0d438c7b43314f9128e0dda5f83789e593e684a
- https://git.kernel.org/stable/c/e8b5f4d80775835cf8192d65138e9be1ff202847
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40165.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40165
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcf21f328fcafacf4f96e7a30ef9dceede1076378Fixed50c721be2cff2bf8c9a5f1f4add35c2bbb1df302Fixede8b5f4d80775835cf8192d65138e9be1ff202847Fixedb0d438c7b43314f9128e0dda5f83789e593e684aFixed178aa3360220231dd91e7dbc2eb984525886c9c1