APPLIED: [SRU][J/F][PATCH 0/1] CVE-2024-38611

Stefan Bader stefan.bader at canonical.com
Wed Sep 25 11:28:54 UTC 2024 

On 18.09.24 07:56, Hui Wang wrote:
> [Impact]
> 
> Using __exit for the remove function results in the remove callback
> being discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets
> unbound (e.g. using sysfs or hotplug), the driver is just removed
> without the cleanup being performed. This results in resource leaks. Fix
> it by compiling in the remove callback unconditionally.
> 
> 
> [Backport]
> 
> This backport adjusts context due to 2 conflict, the 1st one is
> the return type of et8ek8_remove(), in J and F, the return type is int
> while in original commit the return type is void, here I kept the
> return type to int; the other one is probe function type, in the J and
> F, it is probe_new, in the original commit, it is probe, here I kept
> probe_new since it is unrelevant to this CVE case.
> 
> If we want to change the return type to void for et8ek8_remove(), we
> need to backport 1 patches which will impact all i2c drivers:
> ed5c2f5fd10d ("i2c: Make remove callback return void")
> 
> If we want to change the probe_new to probe, we need to backport 2
> commits which will impact all i2c drivers:
> 03c835f498b5 ("i2c: Switch .probe() to not take an id parameter")
> aaeb31c00e61 ("media: Switch i2c drivers back to use .probe()")
> 
> 
> [Fix]
> 
> Noble:  Already fixed
> Jammy:  Backported from mainline v6.10-rc1, see explanation in [Backport]
> Focal:  Backported from mainline v6.10-rc1, see explanation in [Backport]
> Bionic: sent to the -esm
> Xenial: Not affected
> Trusty: Not affected
> 
> [Test Case]
> 
> Compile and boot test.
> 
> 
> [Where problems could occur]
> 
> The change is on v4l2/media driver, if there is regression, it could
> impact media driver. But the likely of regression is very low, the
> change is straightforward and simple.
> 
> Uwe Kleine-König (1):
>    media: i2c: et8ek8: Don't strip remove function when driver is builtin
> 
>   drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240925/79fe17cc/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240925/79fe17cc/attachment-0001.sig>

More information about the kernel-team mailing list