DEBIAN-CVE-2023-53497

In the Linux kernel, the following vulnerability has been resolved: media: vsp1: Replace vb2isstreaming() with vb2startstreamingcalled() The vsp1 driver uses the vb2isstreaming() function in its .bufqueue() handler to check if the .startstreaming() operation has been called, and decide whether to just add the buffer to an internal queue, or also trigger a hardware run. vb2isstreaming() relies on the vb2queue structure's streaming field, which used to be set only after calling the .startstreaming() operation. Commit a10b21532574 ("media: vb2: add (un)preparestreaming queue ops") changed this, setting the .streaming field in vb2corestreamon() before enqueuing buffers to the driver and calling .startstreaming(). This broke the vsp1 driver which now believes that .startstreaming() has been called when it hasn't, leading to a crash: [ 881.058705] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 [ 881.067495] Mem abort info: [ 881.070290] ESR = 0x0000000096000006 [ 881.074042] EC = 0x25: DABT (current EL), IL = 32 bits [ 881.079358] SET = 0, FnV = 0 [ 881.082414] EA = 0, S1PTW = 0 [ 881.085558] FSC = 0x06: level 2 translation fault [ 881.090439] Data abort info: [ 881.093320] ISV = 0, ISS = 0x00000006 [ 881.097157] CM = 0, WnR = 0 [ 881.100126] user pgtable: 4k pages, 48-bit VAs, pgdp=000000004fa51000 [ 881.106573] [0000000000000020] pgd=080000004f36e003, p4d=080000004f36e003, pud=080000004f7ec003, pmd=0000000000000000 [ 881.117217] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP [ 881.123494] Modules linked in: rcarfdp1 v4l2mem2mem [ 881.128572] CPU: 0 PID: 1271 Comm: yavta Tainted: G B 6.2.0-rc1-00023-g6c94e2e99343 #556 [ 881.138061] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 881.145981] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 881.152951] pc : vsp1dllistaddbody+0xa8/0xe0 [ 881.157580] lr : vsp1dllistaddbody+0x34/0xe0 [ 881.162206] sp : ffff80000c267710 [ 881.165522] x29: ffff80000c267710 x28: ffff000010938ae8 x27: ffff000013a8dd98 [ 881.172683] x26: ffff000010938098 x25: ffff000013a8dc00 x24: ffff000010ed6ba8 [ 881.179841] x23: ffff00000faa4000 x22: 0000000000000000 x21: 0000000000000020 [ 881.186998] x20: ffff00000faa4000 x19: 0000000000000000 x18: 0000000000000000 [ 881.194154] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 881.201309] x14: 0000000000000000 x13: 746e696174206c65 x12: ffff70000157043d [ 881.208465] x11: 1ffff0000157043c x10: ffff70000157043c x9 : dfff800000000000 [ 881.215622] x8 : ffff80000ab821e7 x7 : 00008ffffea8fbc4 x6 : 0000000000000001 [ 881.222779] x5 : ffff80000ab821e0 x4 : ffff70000157043d x3 : 0000000000000020 [ 881.229936] x2 : 0000000000000020 x1 : ffff00000e4f6400 x0 : 0000000000000000 [ 881.237092] Call trace: [ 881.239542] vsp1dllistaddbody+0xa8/0xe0 [ 881.243822] vsp1videopipelinerun+0x270/0x2a0 [ 881.248449] vsp1videobufferqueue+0x1c0/0x1d0 [ 881.253076] _enqueueindriver+0xbc/0x260 [ 881.257269] vb2startstreaming+0x48/0x200 [ 881.261461] vb2corestreamon+0x13c/0x280 [ 881.265565] vb2streamon+0x3c/0x90 [ 881.269064] vsp1videostreamon+0x2fc/0x3e0 [ 881.273344] v4lstreamon+0x50/0x70 [ 881.276844] _videodoioctl+0x2bc/0x5d0 [ 881.280861] videousercopy+0x2a8/0xc80 [ 881.284704] videoioctl2+0x20/0x40 [ 881.288201] v4l2ioctl+0xa4/0xc0 [ 881.291525] _arm64sysioctl+0xe8/0x110 [ 881.295543] invokesyscall+0x68/0x190 [ 881.299303] el0svccommon.constprop.0+0x88/0x170 [ 881.304105] doel0svc+0x4c/0xf0 [ 881.307430] el0svc+0x4c/0xa0 [ 881.310494] el0t64synchandler+0xbc/0x140 [ 881.314773] el0t64sync+0x190/0x194 [ 881.318450] Code: d50323bf d65f03c0 91008263 f9800071 (885f7c60) [ 881.324551] ---[ end trace 0000000000000000 ]--- [ 881.329173] note: yavta[1271] exited with preemptcount 1 A different r ---truncated---