CVE-2025-40165

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: nxp: imx8-isi: m2m: Fix streaming cleanup on release<br /> <br /> If streamon/streamoff calls are imbalanced, such as when exiting an<br /> application with Ctrl+C when streaming, the m2m usage_count will never<br /> reach zero and the ISI channel won&amp;#39;t be freed. Besides from that, if the<br /> input line width is more than 2K, it will trigger a WARN_ON():<br /> <br /> [ 59.222120] ------------[ cut here ]------------<br /> [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654<br /> [ 59.238569] Modules linked in: ap1302<br /> [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT<br /> [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)<br /> [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120<br /> [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120<br /> [ 59.275047] sp : ffff8000848c3b40<br /> [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00<br /> [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001<br /> [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780<br /> [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000<br /> [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c<br /> [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000<br /> [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000<br /> [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30<br /> [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420<br /> [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000<br /> [ 59.349590] Call trace:<br /> [ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)<br /> [ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c<br /> [ 59.361072] v4l_streamon+0x24/0x30<br /> [ 59.364556] __video_do_ioctl+0x40c/0x4a0<br /> [ 59.368560] video_usercopy+0x2bc/0x690<br /> [ 59.372382] video_ioctl2+0x18/0x24<br /> [ 59.375857] v4l2_ioctl+0x40/0x60<br /> [ 59.379168] __arm64_sys_ioctl+0xac/0x104<br /> [ 59.383172] invoke_syscall+0x48/0x104<br /> [ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0<br /> [ 59.391613] do_el0_svc+0x1c/0x28<br /> [ 59.394915] el0_svc+0x34/0xf4<br /> [ 59.397966] el0t_64_sync_handler+0xa0/0xe4<br /> [ 59.402143] el0t_64_sync+0x198/0x19c<br /> [ 59.405801] ---[ end trace 0000000000000000 ]---<br /> <br /> Address this issue by moving the streaming preparation and cleanup to<br /> the vb2 .prepare_streaming() and .unprepare_streaming() operations. This<br /> also simplifies the driver by allowing direct usage of the<br /> v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.