Tomi Valkeinen

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A issue in the Linux kernel has been identified, specifically in the media: i2c: ds90ub9x3 module. The `ub913` and `ub953` drivers call `fwnode handle put(priv->sd.fwnode)` as part of their remove process. If the driver is removed multiple times, it can lead to a put "overflow", potentially causing memory corruption or a crash. This problem is a result of leftover code from a previous commit that modified the `sd.fwnode` but failed to remove the unnecessary `fwnode handle put()` calls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions up to 6.1.82 Linux kernel versions up to 6.6.22 Linux kernel versions up to 6.7.10 **Description** The issue arises from the driver requesting interrupts as IRQF SHARED, allowing interrupt handlers to be called at any time. If an interrupt occurs while the ISP is powered down, the SoC will hang due to the driver attempting to access ISP registers. This can be reproduced by enabling CONFIG DEBUG SHIRQ and unloading the driver. The problem is resolved by adding a new field, `irqs enabled`, which prevents the interrupt handler from executing when the ISP is not operational. **Recommendations** Upgrade to a version later than 6.1.82 to mitigate the risk for Linux kernel version 6.1. Upgrade to a version later than 6.6.22 to mitigate the risk for Linux kernel version 6.6. Upgrade to a version later than 6.7.10 to mitigate the risk for Linux kernel version 6.7. As a temporary workaround, consider disabling the interrupt handler when the ISP is not operational until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge. The issue occurs due to a probing race condition in the sii902x driver. When tidss probes but is deferred as sii902x is still missing, and sii902x starts probing and enters sii902x init(), it calls drm bridge add() before setting up the i2c part, leading to a crash when sii902x bridge get edid() tries to use the i2c to read the edid. **Recommendations** To resolve the issue, move the drm bridge add() to the end of the sii902x init(), which is also at the very end of sii902x probe(). This ensures that the sii902x bridge is ready from DRM's perspective only after the i2c part has been set up, preventing the null pointer dereference crash.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises from the `rkisp1 isp stop()` and `rkisp1 csi disable()` functions in the Linux kernel, where the driver masks interrupts and then proceeds with the stop procedure, assuming the interrupt handler is not running. However, the interrupt handler can already be running, leading to the ISP being disabled while it handles a captured frame. This causes two issues: the ISP could be powered off while the interrupt handler is accessing registers, leading to board lockup, and the interrupt handler code and the code that disables streaming might conflict. The first issue can be seen with a suitable delay in the interrupt handler, leading to board lockup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.5.0-rc2+ **Description** The vulnerability is related to the lt8912b driver in the Linux kernel, which causes a crash on bridge detach due to a NULL pointer dereference. The driver's bridge detach function calls drm connector unregister() and drm connector cleanup(), but these functions should only be called for connectors explicitly registered with drm connector register(), which is not the case in lt8912b. This results in a kernel crash. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the vulnerability. Specifically, versions prior to 6.5.0-rc2+ are affected, so updating to 6.5.0-rc2+ or later will resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than updating to 6.5.0-rc2+ or later.