ghsa-j2pq-pqhm-96pq
Vulnerability from github
Published
2025-07-28 12:30
Modified
2025-07-28 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

soundwire: Revert "soundwire: qcom: Add set_channel_map api support"

This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.

This patch broke Dragonboard 845c (sdm845). I see:

Unexpected kernel BRK exception at EL1
Internal error: BRK handler: 00000000f20003e8 [#1]  SMP
pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]
lr : snd_soc_dai_set_channel_map+0x34/0x78
Call trace:
 qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)
 sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]
 snd_soc_link_init+0x28/0x6c
 snd_soc_bind_card+0x5f4/0xb0c
 snd_soc_register_card+0x148/0x1a4
 devm_snd_soc_register_card+0x50/0xb0
 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]
 platform_probe+0x6c/0xd0
 really_probe+0xc0/0x2a4
 __driver_probe_device+0x7c/0x130
 driver_probe_device+0x40/0x118
 __device_attach_driver+0xc4/0x108
 bus_for_each_drv+0x8c/0xf0
 __device_attach+0xa4/0x198
 device_initial_probe+0x18/0x28
 bus_probe_device+0xb8/0xbc
 deferred_probe_work_func+0xac/0xfc
 process_one_work+0x244/0x658
 worker_thread+0x1b4/0x360
 kthread+0x148/0x228
 ret_from_fork+0x10/0x20
Kernel panic - not syncing: BRK handler: Fatal exception

Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/

Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128.

Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out.

Bug 3: Like Jie Gan pointed out, it erases all the tx information with the rx information.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38486"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T12:15:30Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"\n\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\n\nThis patch broke Dragonboard 845c (sdm845). I see:\n\n    Unexpected kernel BRK exception at EL1\n    Internal error: BRK handler: 00000000f20003e8 [#1]  SMP\n    pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\n    lr : snd_soc_dai_set_channel_map+0x34/0x78\n    Call trace:\n     qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\n     sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\n     snd_soc_link_init+0x28/0x6c\n     snd_soc_bind_card+0x5f4/0xb0c\n     snd_soc_register_card+0x148/0x1a4\n     devm_snd_soc_register_card+0x50/0xb0\n     sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\n     platform_probe+0x6c/0xd0\n     really_probe+0xc0/0x2a4\n     __driver_probe_device+0x7c/0x130\n     driver_probe_device+0x40/0x118\n     __device_attach_driver+0xc4/0x108\n     bus_for_each_drv+0x8c/0xf0\n     __device_attach+0xa4/0x198\n     device_initial_probe+0x18/0x28\n     bus_probe_device+0xb8/0xbc\n     deferred_probe_work_func+0xac/0xfc\n     process_one_work+0x244/0x658\n     worker_thread+0x1b4/0x360\n     kthread+0x148/0x228\n     ret_from_fork+0x10/0x20\n    Kernel panic - not syncing: BRK handler: Fatal exception\n\nDan has also reported following issues with the original patch\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\n\nBug #1:\nThe zeroeth element of ctrl-\u003epconfig[] is supposed to be unused.  We\nstart counting at 1.  However this code sets ctrl-\u003epconfig[0].ch_mask = 128.\n\nBug #2:\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl-\u003epconfig[] array so it corrupts\nmemory like Yongqin Liu pointed out.\n\nBug 3:\nLike Jie Gan pointed out, it erases all the tx information with the rx\ninformation.",
  "id": "GHSA-j2pq-pqhm-96pq",
  "modified": "2025-07-28T12:30:35Z",
  "published": "2025-07-28T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38486"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/207cea8b72fcbdf4e6db178e54186ed4f1514b3c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/834bce6a715ae9a9c4dce7892454a19adf22b013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.