CVE-2024-26876 - Linux Kernel Local Crash via adv7511 HDMI Bridge IRQ Timing Bug

---

In early 2024, a subtle but serious issue was discovered in the Linux kernel’s adv7511 HDMI bridge driver. The bug, now tracked as CVE-2024-26876, could let a malicious or simply unlucky hardware state crash the kernel by triggering interrupts before critical driver data is set up. Let’s break down how this happened, what exactly was fixed, and how you might see (and avoid) problems if you’re maintaining embedded Linux devices or developing drivers.

What is adv7511 & Why Does it Matter?

The adv7511 is a popular HDMI transmitter chip, commonly used in ARM-based SoCs (System on Chips) to send video signals to external displays. The Linux kernel offers a DRM (Direct Rendering Manager) bridge driver for this chip, which handles HDMI setup and support—including the often-overlooked CEC (Consumer Electronics Control) messaging.

What Went Wrong?

The kernel boots, discovers the adv7511, and starts its driver (adv7511_probe). If there just *happens* to be a pending or spurious interrupt (IRQ) from the chip—before a critical internal initialization routine is done—the IRQ handler may execute, and the code will access uninitialized memory.

This causes a fatal “Oops”: a kernel panic, crash, and almost certainly some debugging headaches.

Debug Output Example

Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5
Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
Call trace:
 cec_received_msg_ts+x48/x990 [cec]
 adv7511_cec_irq_process+x1cc/x308 [adv7511]
 adv7511_irq_process+xd8/x120 [adv7511]
 adv7511_irq_handler+x1c/x30 [adv7511]
 irq_thread_fn+x30/xa
 irq_thread+x14c/x238
 kthread+x190/x1a8

The Root Cause

- The error path passes through cec_received_msg_ts, where it expects CEC subsystem (cec_adap_ops, etc) to be ready.

Simplified Vulnerable Sequence

// In adv7511_probe()
request_threaded_irq(..., adv7511_irq_handler, ...); // Register IRQ early

// Later in probe:
adv7511_cec_init(adv7511); // <-- This should happen BEFORE IRQ is enabled!

If an IRQ happens between those two calls, the code in the IRQ handler uses uninitialized CEC state. Crash.

The Patch: Moving IRQ Registration

The flaw was straightforward to fix, once found. In the patched code, IRQ registration is simply moved to the end of the probe function—after the CEC and everything else is fully ready.

Fixed Code Pattern

// ... other initializations
ret = adv7511_cec_init(adv7511);
if (ret)
    return ret; // Abort on CEC init failure

// Only now enable interrupts, after the hardware & software state are ready!
ret = devm_request_threaded_irq(dev, irq, NULL, adv7511_irq_handler, IRQF_ONESHOT, "adv7511", adv7511);
if (ret)
    return ret;

Is This Privilege-Escalation?

No—CVE-2024-26876 cannot be triggered by ordinary userspace programs. It depends on a hardware signal (interrupt) arriving at an unlucky time during driver initialization.

Could It Be Abused?

If you had physical control of hardware lines, you *could* force an IRQ during kernel boot to cause a denial-of-service by crashing the system repeatedly. There is *no code execution* or security breach, just forced crashes.

References and Original Resources

- Upstream Linux Patch Commit
- CVE-2024-26876 at MITRE
- Linux Kernel Documentation (DRM Bridge Drivers)

Mitigation

- Use a kernel version at or after this upstream patch.
- If you maintain a custom tree using adv7511, “backport” the fix: move the IRQ registration to the end of adv7511_probe after calling adv7511_cec_init.

Summary Table

| Impact | Local Crash, Denial of Service |
|-------------------|---------------------------------------|
| Trigger | Adv7511 IRQ during driver probe |
| Privilege Needed | None (physical condition only) |
| Fixed In | Linux mainline, early 2024 commit |

Final Thoughts

This is a classic example of “timing bugs” in driver development. Never enable asynchronous events (interrupts, workqueues, etc.) until all shared state is fully initialized! The Linux kernel is robust but, as you see here, losing a race against hardware can bring it down.

If you ship devices with adv7511, check your trees—kernel oopses like this are insidious and hard to debug in the field.


*Exclusive analysis by an embedded Linux engineer. If you have questions on patching or custom DRM drivers, leave a comment below!*

Timeline

Published on: 04/17/2024 11:15:09 UTC
Last modified on: 03/03/2025 17:47:59 UTC