CVE-2024-50175: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: Remove use_count guard in stop_streaming The use_count check was introduced so that multiple concurrent Raw Data Interfaces RDIs could be driven by different virtual channels VCs on the CSIPHY input driving the video pipeline. This is an invalid use of use_count though as use_count pertains to the number of times a video entity has been opened by user-space not the number of active streams. If use_count and stream-on count don't agree then stop_streaming() will break as is currently the case and has become apparent when using CAMSS with libcamera's released softisp 0.3. The use of use_count like this is a bit hacky and right now breaks regular usage of CAMSS for a single stream case. Stopping qcam results in the splat below, and then it cannot be started again and any attempts to do so fails with -EBUSY. [ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] ... [ 1265.510630] Call trace: [ 1265.510636] __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] [ 1265.510648] vb2_core_streamoff+0x24/0xcc [videobuf2_common] [ 1265.510660] vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2] [ 1265.510673] v4l_streamoff+0x24/0x30 [videodev] [ 1265.510707] __video_do_ioctl+0x190/0x3f4 [videodev] [ 1265.510732] video_usercopy+0x304/0x8c4 [videodev] [ 1265.510757] video_ioctl2+0x18/0x34 [videodev] [ 1265.510782] v4l2_ioctl+0x40/0x60 [videodev] ... [ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state [ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state [ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st One CAMSS specific way to handle multiple VCs on the same RDI might be: - Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx. - The video buffers are already associated with msm_vfeN_rdiX so release video buffers when told to do so by stop_streaming. - Only release the power-domains for the CSIPHY, CSID and VFE when their internal refcounts drop. Either way refusing to release video buffers based on use_count is erroneous and should be reverted. The silicon enabling code for selecting VCs is perfectly fine. Its a "known missing feature" that concurrent VCs won't work with CAMSS right now. Initial testing with this code didn't show an error but, SoftISP and "real" usage with Google Hangouts breaks the upstream code pretty quickly, we need to do a partial revert and take another pass at VCs. This commit partially reverts commit 89013969e232 ("media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels")
AI Analysis
Technical Summary
CVE-2024-50175 is a vulnerability identified in the Linux kernel's media subsystem, specifically within the Qualcomm Camera Subsystem (CAMSS) driver. The issue arises from an improper use of the use_count variable in the stop_streaming() function. The use_count was originally intended to track the number of times a video entity has been opened by user-space applications, but it was incorrectly used to manage the number of active video streams. This misuse leads to a mismatch between use_count and the actual stream-on count, causing stop_streaming() to malfunction. The consequence is that when stopping the camera streaming, the driver leaves video buffers in an active state and fails to release resources properly. This results in the inability to restart the camera stream, with subsequent attempts failing with an -EBUSY (device busy) error. The problem is particularly evident when using CAMSS with libcamera's SoftISP 0.3 and has been observed to break real-world applications like Google Hangouts. The root cause is the erroneous refusal to release video buffers based on use_count, which should be reverted. The vulnerability stems from a partial revert of a previous commit that attempted to support multiple virtual channels (VCs) on the same Raw Data Interface (RDI). The fix involves implementing proper reference counting for pipeline components (CSIPHY, CSID, VFE, and RDIx) and ensuring video buffers are released correctly when stop_streaming is called. This vulnerability does not appear to be exploitable for remote code execution or privilege escalation but causes denial of service (DoS) by rendering camera streaming unusable until a system reboot or driver reload. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily impacts systems relying on the affected Linux kernel versions with Qualcomm CAMSS drivers, particularly those using video capture or streaming functionalities such as in embedded devices, IoT, mobile devices, or video conferencing systems. The inability to stop and restart camera streams can cause service disruptions in critical applications like remote collaboration tools, telemedicine, security surveillance, and multimedia processing. Organizations using video conferencing platforms that depend on libcamera or similar frameworks on Linux devices may experience degraded user experience or complete failure of video input. This can lead to operational downtime, reduced productivity, and potential loss of business continuity. While the vulnerability does not directly compromise confidentiality or integrity, the denial of service effect can indirectly affect availability of services. Additionally, embedded systems in industrial or automotive sectors using Qualcomm camera pipelines could face operational issues, impacting safety or monitoring capabilities. The impact is more pronounced in environments where Linux-based video capture is integral to business processes or security monitoring.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that revert the improper use_count handling in the CAMSS driver as soon as they become available from trusted sources or Linux distributions. 2) Where immediate patching is not feasible, consider disabling or avoiding the use of multiple virtual channels on the same RDI in CAMSS to prevent triggering the faulty stop_streaming behavior. 3) Monitor system logs for warnings related to videobuf2_common and stop_streaming failures to detect potential impact. 4) For critical systems, implement fallback mechanisms such as restarting the affected video service or the entire system to recover from the busy state. 5) Engage with hardware and software vendors to confirm updated driver support and compatibility with patched kernels. 6) Test video streaming workflows thoroughly after patching to ensure stability, especially in applications relying on libcamera and SoftISP. 7) Maintain inventory of devices using Qualcomm CAMSS drivers and prioritize patching based on criticality. These steps go beyond generic advice by focusing on the specific driver and pipeline components affected and emphasizing operational monitoring and vendor coordination.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2024-50175: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: Remove use_count guard in stop_streaming The use_count check was introduced so that multiple concurrent Raw Data Interfaces RDIs could be driven by different virtual channels VCs on the CSIPHY input driving the video pipeline. This is an invalid use of use_count though as use_count pertains to the number of times a video entity has been opened by user-space not the number of active streams. If use_count and stream-on count don't agree then stop_streaming() will break as is currently the case and has become apparent when using CAMSS with libcamera's released softisp 0.3. The use of use_count like this is a bit hacky and right now breaks regular usage of CAMSS for a single stream case. Stopping qcam results in the splat below, and then it cannot be started again and any attempts to do so fails with -EBUSY. [ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] ... [ 1265.510630] Call trace: [ 1265.510636] __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common] [ 1265.510648] vb2_core_streamoff+0x24/0xcc [videobuf2_common] [ 1265.510660] vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2] [ 1265.510673] v4l_streamoff+0x24/0x30 [videodev] [ 1265.510707] __video_do_ioctl+0x190/0x3f4 [videodev] [ 1265.510732] video_usercopy+0x304/0x8c4 [videodev] [ 1265.510757] video_ioctl2+0x18/0x34 [videodev] [ 1265.510782] v4l2_ioctl+0x40/0x60 [videodev] ... [ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state [ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state [ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st One CAMSS specific way to handle multiple VCs on the same RDI might be: - Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx. - The video buffers are already associated with msm_vfeN_rdiX so release video buffers when told to do so by stop_streaming. - Only release the power-domains for the CSIPHY, CSID and VFE when their internal refcounts drop. Either way refusing to release video buffers based on use_count is erroneous and should be reverted. The silicon enabling code for selecting VCs is perfectly fine. Its a "known missing feature" that concurrent VCs won't work with CAMSS right now. Initial testing with this code didn't show an error but, SoftISP and "real" usage with Google Hangouts breaks the upstream code pretty quickly, we need to do a partial revert and take another pass at VCs. This commit partially reverts commit 89013969e232 ("media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels")
AI-Powered Analysis
Technical Analysis
CVE-2024-50175 is a vulnerability identified in the Linux kernel's media subsystem, specifically within the Qualcomm Camera Subsystem (CAMSS) driver. The issue arises from an improper use of the use_count variable in the stop_streaming() function. The use_count was originally intended to track the number of times a video entity has been opened by user-space applications, but it was incorrectly used to manage the number of active video streams. This misuse leads to a mismatch between use_count and the actual stream-on count, causing stop_streaming() to malfunction. The consequence is that when stopping the camera streaming, the driver leaves video buffers in an active state and fails to release resources properly. This results in the inability to restart the camera stream, with subsequent attempts failing with an -EBUSY (device busy) error. The problem is particularly evident when using CAMSS with libcamera's SoftISP 0.3 and has been observed to break real-world applications like Google Hangouts. The root cause is the erroneous refusal to release video buffers based on use_count, which should be reverted. The vulnerability stems from a partial revert of a previous commit that attempted to support multiple virtual channels (VCs) on the same Raw Data Interface (RDI). The fix involves implementing proper reference counting for pipeline components (CSIPHY, CSID, VFE, and RDIx) and ensuring video buffers are released correctly when stop_streaming is called. This vulnerability does not appear to be exploitable for remote code execution or privilege escalation but causes denial of service (DoS) by rendering camera streaming unusable until a system reboot or driver reload. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily impacts systems relying on the affected Linux kernel versions with Qualcomm CAMSS drivers, particularly those using video capture or streaming functionalities such as in embedded devices, IoT, mobile devices, or video conferencing systems. The inability to stop and restart camera streams can cause service disruptions in critical applications like remote collaboration tools, telemedicine, security surveillance, and multimedia processing. Organizations using video conferencing platforms that depend on libcamera or similar frameworks on Linux devices may experience degraded user experience or complete failure of video input. This can lead to operational downtime, reduced productivity, and potential loss of business continuity. While the vulnerability does not directly compromise confidentiality or integrity, the denial of service effect can indirectly affect availability of services. Additionally, embedded systems in industrial or automotive sectors using Qualcomm camera pipelines could face operational issues, impacting safety or monitoring capabilities. The impact is more pronounced in environments where Linux-based video capture is integral to business processes or security monitoring.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the latest Linux kernel patches that revert the improper use_count handling in the CAMSS driver as soon as they become available from trusted sources or Linux distributions. 2) Where immediate patching is not feasible, consider disabling or avoiding the use of multiple virtual channels on the same RDI in CAMSS to prevent triggering the faulty stop_streaming behavior. 3) Monitor system logs for warnings related to videobuf2_common and stop_streaming failures to detect potential impact. 4) For critical systems, implement fallback mechanisms such as restarting the affected video service or the entire system to recover from the busy state. 5) Engage with hardware and software vendors to confirm updated driver support and compatibility with patched kernels. 6) Test video streaming workflows thoroughly after patching to ensure stability, especially in applications relying on libcamera and SoftISP. 7) Maintain inventory of devices using Qualcomm CAMSS drivers and prioritize patching based on criticality. These steps go beyond generic advice by focusing on the specific driver and pipeline components affected and emphasizing operational monitoring and vendor coordination.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.963Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbe01ab
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 6:11:05 PM
Last updated: 8/1/2025, 7:12:36 PM
Views: 12
Related Threats
CVE-2025-50610: n/a
HighCVE-2025-50609: n/a
HighCVE-2025-50608: n/a
HighCVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server
MediumCVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.