CVE-2025-38486 (GCVE-0-2025-38486)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: soundwire: Revert "soundwire: qcom: Add set_channel_map api support" This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. This patch broke Dragonboard 845c (sdm845). I see: Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/ Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128. Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out. Bug 3: Like Jie Gan pointed out, it erases all the tx information with the rx information.
References
Impacted products
Vendor Product Version
Linux Linux Version: 7796c97df6b1b2206681a07f3c80f6023a6593d5
Version: 7796c97df6b1b2206681a07f3c80f6023a6593d5
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soundwire/qcom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "207cea8b72fcbdf4e6db178e54186ed4f1514b3c",
              "status": "affected",
              "version": "7796c97df6b1b2206681a07f3c80f6023a6593d5",
              "versionType": "git"
            },
            {
              "lessThan": "834bce6a715ae9a9c4dce7892454a19adf22b013",
              "status": "affected",
              "version": "7796c97df6b1b2206681a07f3c80f6023a6593d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soundwire/qcom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"\n\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\n\nThis patch broke Dragonboard 845c (sdm845). I see:\n\n    Unexpected kernel BRK exception at EL1\n    Internal error: BRK handler: 00000000f20003e8 [#1]  SMP\n    pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\n    lr : snd_soc_dai_set_channel_map+0x34/0x78\n    Call trace:\n     qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\n     sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\n     snd_soc_link_init+0x28/0x6c\n     snd_soc_bind_card+0x5f4/0xb0c\n     snd_soc_register_card+0x148/0x1a4\n     devm_snd_soc_register_card+0x50/0xb0\n     sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\n     platform_probe+0x6c/0xd0\n     really_probe+0xc0/0x2a4\n     __driver_probe_device+0x7c/0x130\n     driver_probe_device+0x40/0x118\n     __device_attach_driver+0xc4/0x108\n     bus_for_each_drv+0x8c/0xf0\n     __device_attach+0xa4/0x198\n     device_initial_probe+0x18/0x28\n     bus_probe_device+0xb8/0xbc\n     deferred_probe_work_func+0xac/0xfc\n     process_one_work+0x244/0x658\n     worker_thread+0x1b4/0x360\n     kthread+0x148/0x228\n     ret_from_fork+0x10/0x20\n    Kernel panic - not syncing: BRK handler: Fatal exception\n\nDan has also reported following issues with the original patch\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\n\nBug #1:\nThe zeroeth element of ctrl-\u003epconfig[] is supposed to be unused.  We\nstart counting at 1.  However this code sets ctrl-\u003epconfig[0].ch_mask = 128.\n\nBug #2:\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl-\u003epconfig[] array so it corrupts\nmemory like Yongqin Liu pointed out.\n\nBug 3:\nLike Jie Gan pointed out, it erases all the tx information with the rx\ninformation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T11:21:50.349Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/207cea8b72fcbdf4e6db178e54186ed4f1514b3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/834bce6a715ae9a9c4dce7892454a19adf22b013"
        }
      ],
      "title": "soundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38486",
    "datePublished": "2025-07-28T11:21:50.349Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-07-28T11:21:50.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38486\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-28T12:15:30.600\",\"lastModified\":\"2025-07-29T14:14:29.590\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsoundwire: Revert \\\"soundwire: qcom: Add set_channel_map api support\\\"\\n\\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\\n\\nThis patch broke Dragonboard 845c (sdm845). I see:\\n\\n    Unexpected kernel BRK exception at EL1\\n    Internal error: BRK handler: 00000000f20003e8 [#1]  SMP\\n    pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\\n    lr : snd_soc_dai_set_channel_map+0x34/0x78\\n    Call trace:\\n     qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\\n     sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\\n     snd_soc_link_init+0x28/0x6c\\n     snd_soc_bind_card+0x5f4/0xb0c\\n     snd_soc_register_card+0x148/0x1a4\\n     devm_snd_soc_register_card+0x50/0xb0\\n     sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\\n     platform_probe+0x6c/0xd0\\n     really_probe+0xc0/0x2a4\\n     __driver_probe_device+0x7c/0x130\\n     driver_probe_device+0x40/0x118\\n     __device_attach_driver+0xc4/0x108\\n     bus_for_each_drv+0x8c/0xf0\\n     __device_attach+0xa4/0x198\\n     device_initial_probe+0x18/0x28\\n     bus_probe_device+0xb8/0xbc\\n     deferred_probe_work_func+0xac/0xfc\\n     process_one_work+0x244/0x658\\n     worker_thread+0x1b4/0x360\\n     kthread+0x148/0x228\\n     ret_from_fork+0x10/0x20\\n    Kernel panic - not syncing: BRK handler: Fatal exception\\n\\nDan has also reported following issues with the original patch\\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\\n\\nBug #1:\\nThe zeroeth element of ctrl-\u003epconfig[] is supposed to be unused.  We\\nstart counting at 1.  However this code sets ctrl-\u003epconfig[0].ch_mask = 128.\\n\\nBug #2:\\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl-\u003epconfig[] array so it corrupts\\nmemory like Yongqin Liu pointed out.\\n\\nBug 3:\\nLike Jie Gan pointed out, it erases all the tx information with the rx\\ninformation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: soundwire: Revertir \\\"soundwire: qcom: A\u00f1adir compatibilidad con la API set_channel_map\\\". Esto revierte el commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. Este parche interrumpi\u00f3 la versi\u00f3n Dragonboard 845c (sdm845). Veo: Excepci\u00f3n BRK de kernel inesperada en EL1 Error interno: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/ Bug #1: se supone que el elemento cero de ctrl-\u0026gt;pconfig[] no se utiliza. Empezamos a contar desde 1. Sin embargo, este c\u00f3digo establece ctrl-\u0026gt;pconfig[0].ch_mask = 128. Error n.\u00b0 2: Hay elementos SLIM_MAX_TX_PORTS (16) en la matriz tx_ch[], pero solo QCOM_SDW_MAX_PORTS + 1 (15) en la matriz ctrl-\u0026gt;pconfig[], por lo que corrompe la memoria, como se\u00f1al\u00f3 Yongqin Liu. Error 3: Como se\u00f1al\u00f3 Jie Gan, borra toda la informaci\u00f3n de la transmisi\u00f3n junto con la de la recepci\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/207cea8b72fcbdf4e6db178e54186ed4f1514b3c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/834bce6a715ae9a9c4dce7892454a19adf22b013\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.